Setting Up & Hardening a Standalone (Non-AD) Windows Server 2019
Plenty of Windows Servers run standalone — workgroup, no Active Directory: a backup target, an app host, a lab box. Without a domain you can’t push policy centrally, so everything is local. Here’s a practical setup-and-hardening checklist for a non-AD Windows Server 2019, in the order I actually do it.
1. Stop Server Manager launching at every logon
On a standalone box you rarely need Server Manager popping up each time you sign in. Turn it off:
Quickest (this user): Server Manager → Manage → Server Manager Properties → tick “Do not start Server Manager automatically at logon” → OK.
All users (PowerShell, disables the scheduled task that launches it):
Get-ScheduledTask -TaskName ServerManager | Disable-ScheduledTask
Via local policy (so it’s part of your baseline): in gpedit.msc →
Computer Configuration → Administrative Templates → System → Server Manager →
Do not display Server Manager automatically at logon → Enabled.
2. Rename and lock down the local Administrator
A predictable Administrator account is the first thing attackers try:
Rename-LocalUser -Name 'Administrator' -NewName 'svc-admin'
# Create a separate admin account for daily use; keep the renamed built-in for break-glash only
New-LocalUser -Name 'opsadmin' -FullName 'Ops Admin' -Password (Read-Host -AsSecureString 'Password')
Add-LocalGroupMember -Group 'Administrators' -Member 'opsadmin'
Disable the Guest account if it isn’t already:
Disable-LocalUser -Name 'Guest'
3. Set local security policy (account & lockout)
With no domain password policy, set it locally. Open secpol.msc → Account Policies:
- Password Policy: minimum length 14+, complexity Enabled, max age 365 or per your standard.
- Account Lockout Policy: threshold 10 invalid attempts, duration 15 min, reset counter after 15 min — this blunts brute-force without locking you out constantly.
Prefer the command line? net accounts sets several of these:
net accounts /minpwlen:14 /maxpwage:365 /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15
To make this repeatable across servers, capture it once and batch-apply it with LGPO.exe instead of clicking through secpol.msc on every box.
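The same account and lockout policy as a script, added here as an example (not from the original post): it writes a secedit security template, applies just the SECURITYPOLICY area, then reads `net accounts` back and reports any drift. Assumptions: an elevated PowerShell session, English `net accounts` labels, and C:\Hardening as a working folder.

```powershell
# Added example (not from the original post): apply the section-3 account and
# lockout policy with secedit so the same settings can be scripted on every
# standalone box, then verify them from 'net accounts' output.
# Assumptions: elevated PowerShell, English 'net accounts' labels, C:\Hardening as work folder.
$work = 'C:\Hardening'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'account-policy.inf'
$sdb = Join-Path $work 'account-policy.sdb'

# Security template in secedit's INF format. The [System Access] keys are the same
# ones secpol.msc writes; the values are the article's recommendations.
@'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
MaximumPasswordAge = 365
LockoutBadCount = 10
LockoutDuration = 15
ResetLockoutCount = 15
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode

# Configure only the SECURITYPOLICY area; user rights and registry ACLs are left alone.
secedit.exe /configure /db $sdb /cfg $inf /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

# Verify: parse 'net accounts' into a hashtable and compare against what we expect.
$expected = @{
    'Minimum password length'              = '14'
    'Maximum password age (days)'          = '365'
    'Lockout threshold'                    = '10'
    'Lockout duration (minutes)'           = '15'
    'Lockout observation window (minutes)' = '15'
}
$actual = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(?<k>[^:]+):\s+(?<v>\S.*)$') { $actual[$Matches.k.Trim()] = $Matches.v.Trim() }
}
$drift = foreach ($k in $expected.Keys) {
    if ($actual[$k] -ne $expected[$k]) { "{0}: got '{1}', expected '{2}'" -f $k, $actual[$k], $expected[$k] }
}
if ($drift) { $drift | Write-Warning } else { Write-Host 'Account and lockout policy match the baseline.' }
```

The INF file is the artefact worth keeping: it is the same template format that `LGPO.exe /s <file.inf>` imports, so one copy in version control feeds every server instead of a secpol.msc click-through per box.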
4. Configure the Windows Firewall
Keep all three profiles on and deny inbound by default:
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
-DefaultInboundAction Block -DefaultOutboundAction Allow
Then open only what the server actually serves. Example — allow RDP from one admin subnet only:
New-NetFirewallRule -DisplayName 'RDP from admin subnet' -Direction Inbound `
-Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.10.0/24 -Action Allow
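An audit of what the firewall actually exposes, added as an example (not from the original post): it reports each profile's default inbound action and every enabled inbound Allow rule whose remote address is unscoped, then checks 3389 specifically. Assumptions: an elevated session on the server itself, and 10.0.10.0/24 as the admin subnet from the rule above.

```powershell
# Added example (not from the original post): audit the section-4 firewall state.
# Shows each profile's default-inbound action and every enabled inbound Allow rule
# that is not scoped to a remote address, i.e. what is reachable from anywhere.
# Assumptions: elevated session on the server; 10.0.10.0/24 is the admin subnet used above.
Get-NetFirewallProfile | ForEach-Object {
    $ok = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -eq 'Block')
    '{0,-4} {1,-8} Enabled={2,-5} DefaultInbound={3}' -f ($(if ($ok) { 'OK' } else { 'FIX' }), $_.Name, $_.Enabled, $_.DefaultInboundAction)
}

# One row per enabled inbound Allow rule, joined with its address and port filters.
$report = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $rule.DisplayName
        Profile  = $rule.Profile
        Protocol = $port.Protocol
        Port     = ($port.LocalPort -join ',')
        Remote   = ($addr.RemoteAddress -join ',')
        Unscoped = [bool]($addr.RemoteAddress -contains 'Any')
    }
}

"`nInbound Allow rules reachable from any remote address:"
$report | Where-Object Unscoped | Sort-Object Port, Rule | Format-Table Rule, Profile, Protocol, Port -AutoSize

# Specific check: RDP must only be allowed from the admin subnet. Allow rules are
# additive, so a built-in 'Remote Desktop' rule left enabled with RemoteAddress=Any
# makes the scoped rule above meaningless.
$rdpAny = $report | Where-Object { $_.Port -eq '3389' -and $_.Unscoped }
if ($rdpAny) {
    Write-Warning ('3389 is open to Any via: ' + ($rdpAny.Rule -join '; ') + ' -- disable these and keep only the 10.0.10.0/24 rule')
} else {
    'RDP: no unscoped 3389 rule found.'
}
```

The 3389 check matters because enabling Remote Desktop turns on Windows' own "Remote Desktop" rule group, which allows from any address; adding the subnet-scoped rule does not override it, so the built-in rules must be disabled for the scoping to take effect.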
5. Harden Remote Desktop
- Require Network Level Authentication (Server 2019 default — confirm it’s on).
- Don’t expose 3389 to the internet. Restrict by IP (above) or front it with a VPN/RD Gateway.
- Limit who can log in: only members of a specific admins group, via Allow log on through Remote Desktop Services in secpol.msc → Local Policies → User Rights Assignment.
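A check of the three RDP points above, added as an example (not from the original post): it reads the RDP-Tcp listener values that the System Properties dialog writes, fixes NLA and the TLS security layer if needed, and lists who holds the "Allow log on through Remote Desktop Services" right. Assumptions: an elevated session on the server itself; the registry values and secedit area names are standard Windows ones.

```powershell
# Added example (not from the original post): verify and remediate the section-5 RDP settings.
# Assumption: elevated session on the server itself.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$lisKey = "$tsKey\WinStations\RDP-Tcp"
$ts  = Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections
$lis = Get-ItemProperty -Path $lisKey -Name UserAuthentication, SecurityLayer

# UserAuthentication=1 is "Require NLA"; SecurityLayer=2 forces TLS instead of legacy RDP security.
$checks = @(
    [pscustomobject]@{ Check = 'Remote Desktop enabled (fDenyTSConnections=0)'; Value = $ts.fDenyTSConnections; Ok = ($ts.fDenyTSConnections -eq 0) }
    [pscustomobject]@{ Check = 'NLA required (UserAuthentication=1)';          Value = $lis.UserAuthentication; Ok = ($lis.UserAuthentication -eq 1) }
    [pscustomobject]@{ Check = 'TLS security layer (SecurityLayer=2)';         Value = $lis.SecurityLayer;      Ok = ($lis.SecurityLayer -eq 2) }
)
$checks | Format-Table -AutoSize

# Remediate the two listener values if needed (the same values System Properties writes;
# new connections pick them up without a reboot).
if ($lis.UserAuthentication -ne 1) { Set-ItemProperty -Path $lisKey -Name UserAuthentication -Value 1 -Type DWord }
if ($lis.SecurityLayer -ne 2)      { Set-ItemProperty -Path $lisKey -Name SecurityLayer      -Value 2 -Type DWord }

# Who can log on through RDP? Export the user-rights area with secedit, resolve the
# SIDs in SeRemoteInteractiveLogonRight, then list the local Remote Desktop Users group.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=\s*(.+)$'
if ($right) {
    $who = foreach ($entry in ($right.Matches[0].Groups[1].Value -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are written as *SID; translate to a name, keep the SID if that fails.
            try { (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }
        } else { $entry }
    }
    "Allow log on through Remote Desktop Services: $($who -join ', ')"
}
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name
"Remote Desktop Users members: $($members -join ', ')"
Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a default Server 2019 the right resolves to BUILTIN\Administrators and BUILTIN\Remote Desktop Users; if the output shows anything broader, or a "Remote Desktop Users" group you did not populate on purpose, tighten it in User Rights Assignment as described above.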
6. Updates without WSUS
Standalone means no central patch server. Automate it locally with the PSWindowsUpdate module on a scheduled task so the box patches itself monthly.
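The self-patching task described above, added as an example (not from the original post or the PSWindowsUpdate project): it installs the module from the PowerShell Gallery, opts the box into Microsoft Update, and registers a SYSTEM scheduled task that installs whatever is pending and logs to a dated file. Assumptions: an elevated session with outbound access to the Gallery and Microsoft Update, C:\Hardening\Logs as the log folder, and a weekly rather than monthly trigger, because New-ScheduledTaskTrigger has no monthly switch.

```powershell
# Added example (not from the original post): make a standalone server patch itself
# with the PSWindowsUpdate module (PowerShell Gallery) on a scheduled task.
# Assumptions: elevated session, outbound access to the Gallery and Microsoft Update,
# C:\Hardening\Logs as the log folder. New-ScheduledTaskTrigger has no monthly
# switch, so this runs weekly (Saturday 02:00); a run with nothing pending just exits,
# and the monthly Patch Tuesday release is picked up within the week.
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    Install-PackageProvider -Name NuGet -Force | Out-Null
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    Install-Module -Name PSWindowsUpdate -Scope AllUsers -Force
}
Import-Module PSWindowsUpdate
# Opt in to Microsoft Update so non-OS Microsoft products are patched as well.
Add-WUServiceManager -MicrosoftUpdate -Confirm:$false | Out-Null

$logDir = 'C:\Hardening\Logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# What the task executes: install all applicable updates, reboot only if one demands it,
# append a dated log. Get-Date stays inside the string on purpose so it runs at task time.
$cmd = "Import-Module PSWindowsUpdate; " +
       "Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot | " +
       "Out-File -FilePath ('$logDir\WU-' + (Get-Date -Format yyyyMMdd) + '.log') -Append"

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Saturday -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName 'PSWindowsUpdate-Weekly' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Description 'Standalone server self-patching' -Force | Out-Null

# Sanity check before the first scheduled run: what would be installed right now?
Get-WindowsUpdate -MicrosoftUpdate | Select-Object KB, Size, Title
```

Pick the trigger time to match the server's maintenance window: with -AutoReboot the task will restart the box when an update requires it, which is the point of the automation but not something you want at 10:00 on a Monday.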
7. Apply Microsoft’s security baseline
For a hardened starting point, download the Windows Server 2019 Security Baseline (part of the Security Compliance Toolkit) and apply it locally with LGPO.exe. It sets hundreds of vetted local-policy values you’d never configure by hand — and on a standalone server it’s the closest you’ll get to domain-grade hardening.
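The baseline import with a rollback point, added as an example (not from the original post or Microsoft's toolkit scripts): it backs up the current local policy with `LGPO.exe /b`, enumerates the GPO backups shipped in the baseline by their display names, imports the selected ones with `LGPO.exe /g`, and writes a gpresult report. Assumptions (placeholders): LGPO.exe unzipped to C:\Hardening\LGPO, the baseline extracted to C:\Hardening\Baseline, GPO display names read from each backup's bkupInfo.xml, and a name pattern that keeps the Server 2019 policies while skipping the Domain Controller one; which policies fit a workgroup box is your decision, so the script only prints the selection until you set $apply.

```powershell
# Added example (not from the original post): apply the Security Compliance Toolkit
# baseline with LGPO.exe, keeping a rollback copy of the current local policy first.
# Assumptions (placeholders): LGPO.exe in C:\Hardening\LGPO, baseline extracted to
# C:\Hardening\Baseline, elevated session. GPO names come from each backup's bkupInfo.xml;
# the include/exclude patterns are assumptions to review against your copy of the baseline.
$lgpo     = 'C:\Hardening\LGPO\LGPO.exe'
$baseline = 'C:\Hardening\Baseline'
$backup   = "C:\Hardening\PolicyBackup\$(Get-Date -Format yyyyMMdd-HHmm)"
$keep     = 'Server 2019'          # include: display name must match this
$skip     = 'Domain Controller'    # exclude: never on a standalone box
$apply    = $false                 # flip to $true after reviewing the printed selection

if (-not (Test-Path $lgpo)) { throw "LGPO.exe not found at $lgpo" }
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1. Rollback point: /b exports the current local GPO as a GPO backup under $backup.
& $lgpo /b $backup /n 'Pre-baseline local policy'
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed ($LASTEXITCODE)" }

# 2. Enumerate the GPO backups shipped in the baseline and pick the ones to import.
$gpos = foreach ($dir in Get-ChildItem (Join-Path $baseline 'GPOs') -Directory) {
    $info = Get-Content (Join-Path $dir.FullName 'bkupInfo.xml') -Raw
    if ($info -match '<GPODisplayName><!\[CDATA\[(.+?)\]\]>') {
        [pscustomobject]@{ Name = $Matches[1]; Path = $dir.FullName }
    }
}
$selected = $gpos | Where-Object { $_.Name -match $keep -and $_.Name -notmatch $skip }
"Selected for import:`n" + (($selected.Name | ForEach-Object { "  $_" }) -join "`n")
if (-not $apply) { "Dry run only; set `$apply = `$true to import."; return }

# 3. Import each selected backup into local policy (/g), stopping on the first failure.
foreach ($g in $selected) {
    & $lgpo /g $g.Path
    if ($LASTEXITCODE -ne 0) { throw "LGPO import of '$($g.Name)' failed ($LASTEXITCODE)" }
}

# 4. Make the settings effective and keep an HTML report of what is now applied.
gpupdate.exe /force | Out-Null
gpresult.exe /scope computer /h (Join-Path $backup 'after-baseline.html') /f
"Rollback: point '$lgpo /g' at the backup LGPO.exe created under $backup, then reboot."
```

Reboot after the import and test the server's actual workload (RDP from the admin subnet, the application, the backup job) against the gpresult report; the baseline hardens aggressively, and the backup folder is how you get back if something it turned off was needed.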
Quick checklist
- Server Manager autostart disabled
- Built-in Administrator renamed; Guest disabled; separate daily admin
- Local password + lockout policy set (and captured for LGPO)
- Firewall default-deny inbound; only needed ports open, scoped by IP
- RDP restricted (NLA on, IP-limited, not internet-facing)
- Automated patching via PSWindowsUpdate
- Security baseline applied with LGPO
FAQ
Can I use Group Policy at all without a domain? Only local group policy (gpedit.msc / secpol.msc). It applies to that one machine — use LGPO.exe to copy it to others.
Is gpedit.msc available on Server Core? No GUI on Core — manage policy with LGPO.exe and PowerShell instead.
Sources: Windows OS Hub — Prevent Server Manager from starting at logon, Microsoft Learn — Security Compliance Toolkit