Group Policy (GPO) — Domain Governance & Configuration Management

Overview

Designed and deployed a comprehensive suite of Group Policy Objects (GPOs) to enforce consistent governance, security, and configuration management across all domain-joined office and POS computers at 12 sites. Policies are centrally managed via Active Directory and applied automatically — ensuring every machine is configured correctly without manual intervention at individual sites.

Problem Being Solved

With 12 sites and over a hundred machines, manual configuration was not scalable. Computers had inconsistent browser bookmarks, irregular restart schedules leading to performance degradation, ad-hoc software installation without governance, and inconsistent firewall configurations creating security gaps. A centralised policy management approach was needed to enforce standards at scale.

Policies Implemented

Managed Edge Bookmarks

  • GPO deployed to push a standardised set of managed bookmarks to Microsoft Edge on all machines
  • Bookmarks include links to internal systems, SharePoint portals, supplier login pages, and key tools
  • Managed bookmarks appear in a dedicated "Company" folder in Edge — users cannot delete them
  • Updates to the bookmark list automatically propagate to all machines on next policy refresh
  • Ensures all staff have consistent, quick access to key resources without IT support tickets

Scheduled Auto-Restart

  • GPO configured to schedule automatic restarts for all office and POS computers every week
  • Restarts timed for low-activity periods (e.g., Sunday 2 AM) to avoid business disruption
  • Ensures machines apply pending Windows updates, clear memory leaks, and start fresh each week
  • Reduces IT support calls related to slow machines, software hangs, and update-related issues
  • Notification shown to users before restart to save work if logged in outside scheduled hours

Logon Script Execution & App Installation

  • GPO assigns logon and startup scripts that run automatically when users log in or machines start
  • Scripts handle: drive mapping, printer mapping by site, environment variable setup, and silent app installations
  • Applications deployed via GPO software installation (MSI packages) or script-driven installers
  • Ensures required tools are present on every machine without manual IT visits to each site
  • Scripts conditionally check whether software is already installed — idempotent execution prevents reinstalls
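The idempotent install check described above, as an added PowerShell startup-script example that is not the portfolio's own script. The product name, version, MSI share path and publisher subject are assumed placeholders; the signature check is an addition a defender would want before executing anything fetched from a share.

```powershell
# Added example (not the portfolio's own script): idempotent startup-script install.
# Product name, version, MSI share path and publisher subject are assumed placeholders.
param(
    [string]$ProductName      = 'Example Inventory Client',
    [version]$RequiredVersion = '3.2.0',
    [string]$MsiPath          = '\\fs01.corp.example\deploy\InventoryClient-3.2.0.msi',
    [string]$ExpectedSigner   = 'CN=Example Software Ltd, O=Example Software Ltd, C=GB'
)

# Read the installed version from both the 64-bit and 32-bit Uninstall keys
function Get-InstalledVersion([string]$Name) {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -eq $Name } | Select-Object -First 1
    if (-not $hit -or -not $hit.DisplayVersion) { return $null }
    try { return [version]$hit.DisplayVersion } catch { return $null }
}

$installed = Get-InstalledVersion $ProductName
if ($installed -and $installed -ge $RequiredVersion) {
    Write-Output "$ProductName $installed already present; nothing to do"
    exit 0
}

# Only run installers from the share that carry the expected publisher's signature
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -ne $ExpectedSigner) {
    Write-Error "Refusing to install: $MsiPath signature status is $($sig.Status)"
    exit 1
}

# Silent install with a verbose log kept for troubleshooting
$logDir = Join-Path $env:ProgramData 'Deploy'
New-Item -ItemType Directory -Force -Path $logDir | Out-Null
$msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$logDir\$ProductName.log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Output "$ProductName installed" }
    3010    { Write-Output "$ProductName installed; reboot pending (weekly restart covers it)" }
    default { Write-Error "msiexec exit code $($proc.ExitCode)"; exit $proc.ExitCode }
}
```

Because the version check runs first and exit codes are surfaced, the script is safe to re-run at every startup and a failed install shows up in the GPO startup-script event log rather than silently looping.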

Domain-Wide Firewall Rules

  • GPO used to enforce Windows Defender Firewall rules consistently across all domain computers
  • Rules define which inbound/outbound ports and applications are allowed or blocked by default
  • Business-critical application ports explicitly whitelisted; all unnecessary inbound traffic blocked
  • Firewall profiles (Domain, Private, Public) configured appropriately for each machine class
  • Centralised rules prevent individual users or local admins from disabling firewall protection
  • Audit logging enabled for blocked connections to detect potential intrusion attempts
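One way to author the firewall baseline described above directly into a GPO from PowerShell, as an added example that is not the portfolio's own configuration. The domain name, GPO display name, application path, port and address range are assumed placeholders.

```powershell
# Added example (not the portfolio's own configuration): write profile defaults,
# drop logging and an explicit allow rule into a GPO's firewall policy store.
# Domain, GPO name, program path, port and subnet are assumed placeholders.
$Store = 'corp.example\POS Firewall Baseline'   # form: <domain>\<GPO display name>
$gpo   = Open-NetGPO -PolicyStore $Store         # cached session, committed once at the end

# Every profile: firewall on, unsolicited inbound blocked, local rules ignored,
# dropped packets logged so intrusion attempts can be reviewed centrally
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Business-critical app: allowed only on the domain profile, only on its port,
# only from the internal address range, and only for the signed binary's path
New-NetFirewallRule -GPOSession $gpo -DisplayName 'POS - Terminal sync inbound' `
    -Direction Inbound -Action Allow -Profile Domain -Protocol TCP -LocalPort 8443 `
    -Program 'C:\Program Files\ExamplePOS\PosTerminal.exe' -RemoteAddress 10.20.0.0/16

Save-NetGPO -GPOSession $gpo
```

Setting AllowLocalFirewallRules to False is what actually stops a local admin from punching holes with their own rules; without it the GPO rules merge with whatever is defined on the machine.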

Additional Governance Policies

  • Password Policy: Enforced minimum length, complexity, and rotation requirements domain-wide
  • Screen Lock: Automatic screen lock after inactivity threshold on all machines
  • USB Restrictions: Removable storage restricted on POS machines to reduce data exfiltration risk
  • Software Restriction: Blocked execution of unauthorised executables from temp directories
  • Windows Update: WSUS/update settings managed via GPO to control patch deployment timing

Desired State Configuration via Task Scheduler

  • Built a custom Desired State Configuration (DSC) system using Windows Task Scheduler and PowerShell scripts deployed via GPO
  • Scheduled task runs every 30 minutes on all POS machines — checking whether required POS applications are running
  • Script enumerates a defined list of critical POS processes; if any are not running, it automatically relaunches them
  • Handles edge cases: detects crashed processes, hung instances, and services that failed to start after a restart
  • Operates silently in the background — no user interaction required; store staff are unaffected
  • Significantly reduces POS downtime and eliminates the need for staff to call IT when an app closes unexpectedly
  • Task and script deployed centrally via GPO — any new POS machine joining the domain receives it automatically
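The watchdog logic described above, as an added PowerShell example that is not the portfolio's own script. The process names, binary paths and event source are assumed placeholders; hung instances are detected through the process's Responding property, which is only meaningful for processes that own a window.

```powershell
# Added example (not the portfolio's own script): POS watchdog run by a GPO-deployed
# scheduled task every 30 minutes. Process names, paths and event source are assumed.
$Required = @(
    @{ Name = 'PosTerminal'; Path = 'C:\Program Files\ExamplePOS\PosTerminal.exe' },
    @{ Name = 'PosPrintSvc'; Path = 'C:\Program Files\ExamplePOS\PosPrintSvc.exe' }
)
$LogSource = 'POS-Watchdog'   # assumed event source; registered once, needs admin rights

if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Write-WatchdogLog {
    param([string]$Message, [string]$Type = 'Information', [int]$Id = 1000)
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type `
                   -EventId $Id -Message $Message
}

foreach ($app in $Required) {
    $procs = @(Get-Process -Name $app.Name -ErrorAction SilentlyContinue)

    # Hung instance: a windowed process that stopped pumping messages reports Responding = $false
    $hung = $procs | Where-Object { $_.MainWindowHandle -ne 0 -and -not $_.Responding }
    foreach ($p in $hung) {
        Write-WatchdogLog -Type Warning -Id 1001 -Message "$($app.Name) (PID $($p.Id)) not responding; terminating"
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }

    # Crashed, never started after reboot, or just killed above: relaunch from the known path
    $alive = @(Get-Process -Name $app.Name -ErrorAction SilentlyContinue)
    if ($alive.Count -eq 0) {
        if (Test-Path -LiteralPath $app.Path) {
            Start-Process -FilePath $app.Path
            Write-WatchdogLog -Type Warning -Id 1002 -Message "$($app.Name) was not running; relaunched"
        } else {
            Write-WatchdogLog -Type Error -Id 1003 -Message "$($app.Name) missing at $($app.Path); cannot relaunch"
        }
    }
}
```

The scheduled task must run in the interactive POS user's session (not as SYSTEM), otherwise the relaunched application starts in session 0 where the cashier never sees it; the Application log events give the central audit trail of every restart.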

GPO Architecture

  • GPOs organised in Active Directory using an OU (Organisational Unit) hierarchy: Company → Sites → Roles
  • Policies scoped by OU to ensure site-specific and role-specific configurations where needed
  • GPO inheritance and blocking used deliberately to handle exceptions (e.g., IT admin workstations)
  • Security filtering applied to target specific machine groups without affecting unintended OUs
  • All GPOs documented with naming conventions and purpose descriptions for maintainability
  • gpresult and Group Policy Management Console used for verification and troubleshooting

Outcome & Impact

  • Consistent configuration enforced across all 12 sites and dozens of machines — no manual per-machine setup
  • Security posture improved significantly with standardised firewall rules, password policies, and USB restrictions
  • IT support tickets reduced — bookmarks, printers, and drives are always correctly configured
  • Machines perform better week-to-week thanks to regular scheduled restarts and update enforcement
  • Scalable — new machines joining the domain automatically receive all policies
  • Audit capability improved — central logging and policy enforcement provides a clear compliance record

Skills & Tools Used

  • Active Directory — OU design, GPO linking, security filtering, and inheritance management
  • Group Policy Management Console (GPMC) — GPO creation, editing, and troubleshooting
  • Windows Defender Firewall — inbound/outbound rule design via GPO
  • PowerShell / Batch scripting — logon scripts, startup scripts, conditional app installation
  • Microsoft Edge administrative templates — managed bookmarks, browser policy enforcement
  • Windows Server — WSUS integration, DNS, and domain services administration
  • Security hardening — CIS benchmark principles applied to domain policy design