Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

Windows Group Policy (GPO) Explanation and Tutorials

Group Policy Object (GPO) is a Windows feature for centrally configuring operating systems, users, and applications. Group Policies allow you to apply the same settings to all users and computers in an Active Directory domain by providing a set of rules and settings for the Windows environment. You can use Group Policy to set Windows configuration, change security settings, configure the user’s environment, install a program or run a script, etc.

Group Policy Architecture and Components

  • GPO – a Group Policy Settings object, which contains a set of settings that you want to apply to workstations, servers and/or users. Each GPO in a domain has its own unique GUID. Its files are stored in the SYSVOL directory on Active Directory domain controllers ( \\woshub.com\SYSVOL\woshub.com\Policies\GPO_GUID). All AD domain controllers replicate the GPO folder in Sysvol;
  • Client computers – Clients retrieve GPO files from domain controllers and apply settings to Windows and users. The process of obtaining and applying a GPO is called a Group Policy Update;
  • Group Policy Administrative Templates (ADMX files) are the XML template files for the GPO Editor.  ADMX files contain the definitions of the policy settings, which describe what settings can be configured and what their valid values are. Third party developers and administrators can create their own ADMX templates. If you want to support multiple languages in ADMX, you can use ADML files. You can install and update administrative templates for a wide range of applications and services. For example, you can use ADMX templates for Microsoft Office, to configure the settings of the Google Chrome browser, manage LAPS, etc.   In a Windows domain, we recommend that you create a central Administrative Template store for ADMX files called PolicyDefinitions.
  • Linking GPO – a configured GPO can be assigned to an entire domain, an Active Directory site, or an Organizational Unit in the AD tree structure; Windows Group Policies (GPO) in Active Directory
  • GPO Security Filtering and WMI Filters allow you to limit the scope of a GPO to specific computers, users, and groups;
  • Group Policy Preferences – a built-in set of client extensions that extend the capabilities of GPO (available in Windows Server 2008 and later).

There are two default GPOs created in the domain:

  • Default Domain Policy – Assigned to the root of the domain and contains basic settings for all users and computers. It includes domain password policy settings, account lockout, and Kerberos settings.
  • Default Domain Controller Policy – contains the basic and auditing settings for the Active Directory domain controller.

Group Policy Management Tools

  • Local Group Policy Editor (gpedit.msc) MMC console –used to configure the GPO settings on the local Windows computer. By default, the gpedit.msc console is only available in Pro/Enterprise editions of Windows, but you can also install it in Home editions. Different local GPO settings can be applied to different groups of users using MLGPO (Multiple Local Group Policy). You can use the LGPO.exe tool to export (backup) the local GPO settings and transfer them to other computers.
  • Domain Group Policy Management MMC console (gpmc.msc) used to centrally manage Group Policies at the AD domain level. Allows you to apply GPOs to all computers/users in a domain, to objects in a specific OU, or to specific groups of users or computers.
  • PowerShell Group Policy module allows you to create, delete, link, unlink, and configure GPO settings from the PowerShell command prompt.

MostUsefulGPOExamplesandBestPractices

  • Deploy software (MSI packages) on Windows via Group Policy
  • Managing Windows Defender Firewall rules with GPO
  • Configure folder redirection using GPO
  • How to implement Group Policy to block USB devices
  • Disable legacy TLS 1.0 and TLS 1.2 protocols on Windows
  • Display system information on the Windows desktop with BgInfo
  • Deploying new fonts on Windows via GPO
  • How to save BitLocker recovery keys to Active Directory
  • Set screen lock for inactivity via Group Policy
  • Disable NTLM on Windows
  • GPO: run startup or logon PowerShell scripts on Windows
  • Enable WinRM and PowerShell Remoting through GPO
  • Enable RDP on Windows computers with Group Policy
  • Configuring proxy server settings in Windows using Group Policy
  • Disable NetBIOS and LLMNT protocols on Windows
  • Update trusted root certificates on Windows and add SSL certificate to the trusted ones with GPO
  • Configure User Account Control (UAC) settings on Windows with GPO
  • GPO: Set WSUS client configuration in Active Directory domain

Examples of using Group Policy Preferences:

  • Create a scheduled task on Windows with GPO
  • How to add, change, or remove registry keys/parameters using Group Policy
  • Mapping network drives with Group Policy
  • Copy files or folder to domain computers using GPO
  • Create desktop shortcuts using Group Policy
  • How to add local administrators via Group Policy
  • Connecting shared printers to domain computers and users with GPO

Group Policy Troubleshooting Guides

  • Fixing Group Policy processing errors
  • Troubleshooting: Group Policy Objects not being applied to clients
  • GPO is taking long time to apply
  • How to use GPResult to check resulting Group Policies
  • Reset Local Group Policy settings on Windows by deleting registry.pol files
  • Active DirectoryGroup PoliciesQuestions and AnswersWindows Server 2022

    Configure NTP Time Source for Active Directory Domain

    May 6, 2025

    Time synchronization in an Active Directory is critical to properly functioning of the domain services and security mechanisms. If a proper and reliable time sync scheme is not configured in…

    0 Facebook Twitter Google + Pinterest
  • Group PoliciesQuestions and AnswersWindows 10Windows 11

    How to Remove ‘Some Settings are Managed by Your Organization’ on Windows 11 or 10

    March 17, 2025

    Some sections of the classic Control Panel or the modern Windows Settings app may display the message Some of settings are managed by your organization. What does this message mean…

    0 Facebook Twitter Google + Pinterest
  • Active DirectoryGroup PoliciesWindows Server 2022

    Exclude a Specific User or Computer from Group Policy

    March 12, 2025

    There are several ways to prevent certain Group Policy Object (GPO) settings from being applied to specific users and/or computers in Active Directory: Use GPO security filtering to control which…

    6 Facebook Twitter Google + Pinterest
  • Azure and Microsoft 365Group PoliciesPowerShellWindows 10Windows Server 2022

    Mapping SharePoint Online Library as Network Drive in Windows

    July 15, 2024

    Connecting SharePoint Online document libraries through the OneDrive client or using the Web interface are the preferred and recommended ways to access document library files on SharePoint. But you can…

    2 Facebook Twitter Google + Pinterest
  • Group PoliciesPowerShellWindows Server 2019

    Configure File and Folder Access Auditing on Windows (GPO)

    June 27, 2024

    The file system audit policy in Windows allows to monitor all access events to specific files and folders on a disk. An administrator can enable the audit policy to identify…

    5 Facebook Twitter Google + Pinterest
  • Group PoliciesPowerShellWindows 10Windows 11

    How to Add or Remove Pinned Folders to Quick Access with PowerShell and GPO

    June 18, 2024

    Windows File Explorer has a separate panel that displays a list of favorite folders and locations called Quick Access. Many users and administrators unjustly ignore this handy Windows tool for…

    6 Facebook Twitter Google + Pinterest
  • Group PoliciesPowerShellWindows Server 2019Windows Server 2022

    Prevent Server Manager from Starting at Logon on Windows Server

    April 11, 2024

    The Server Manager dashboard opens automatically when you log on to Windows Server with an account that is a member of the local Administrators group. Server Manager console allows you…

    4 Facebook Twitter Google + Pinterest
  • Active DirectoryGroup PoliciesPowerShell

    Unlocking Active Directory User Accounts

    February 13, 2024

    A user account lockout in a domain is one of the most popular reasons why users contact the technical support team. In most cases, the lockout is caused either by…

    3 Facebook Twitter Google + Pinterest
  • Group PoliciesMicrosoft OfficePowerShellWindows 10

    Deploying Microsoft Office Language Packs

    December 18, 2023

    In this article, we’ll look at manual and automated ways to deploy additional language packs and set the default language in Microsoft Office 2019, 2016, and Microsoft 365 Apps for…

    4 Facebook Twitter Google + Pinterest
  • Group PoliciesPowerShellWindows Server 2016Windows Server 2019Windows Server 2022

    Fix: Remote Desktop Licensing Mode is not Configured

    August 24, 2023

    When configuring a new RDS farm node on Windows Server 2022/2019/2016/2012 R2, you may see the following tray warning pop-up: Licensing mode for the Remote Desktop Session Host is not…

    31 Facebook Twitter Google + Pinterest
  • 1
  • 2
  • 3
  • …
  • 9
join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMware
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025
  • How to Write Logs to the Windows Event Viewer from PowerShell/CMD

    March 3, 2025
  • How to Hide (Block) a Specific Windows Update

    February 25, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Check Windows 11 Hardware Readiness with PowerShell Script
  • Extend an Expired User Password in Active Directory
  • Error: The Specified Domain Doesn’t Exist or Couldn’t Be Contacted
  • Unlocking Active Directory User Accounts
  • How to Block Common (Weak) Passwords in Active Directory
  • AD Domain Join: Computer Account Re-use Blocked
  • Configure DNS Scavenging to Clean Up Stale DNS Records in AD
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top