Group Policy (GPO)

Group Policy is the mechanism that lets you configure and enforce settings on hundreds or thousands of Windows machines and users from a single place, instead of touching each one by hand. It is one of the main reasons organisations run Active Directory.

Tested on

Windows Server 2022 (Datacenter, GUI) acting as a domain controller, with the Group Policy Management feature installed. Commands use the GroupPolicy PowerShell module.

Group Policy depends on Active Directory

Domain-based Group Policy only works inside an AD domain. The settings are stored in AD and on SYSVOL, and they apply to objects (users and computers) that live in the directory. If you have not stood up a domain yet, start with Active Directory. There is also Local Group Policy on a standalone server, but it cannot be managed centrally.

What Group Policy actually does

A Group Policy Object (GPO) is a named container of settings. When a computer boots or a user logs on, it contacts a domain controller, works out which GPOs apply to it, downloads them, and applies the settings. The result is that you can, for example:

  • Enforce a password and account-lockout policy across the whole domain.
  • Map network drives and printers for users automatically.
  • Push security settings, certificates, and firewall rules to computers.
  • Run login/logoff and startup/shutdown scripts.
  • Deploy software (MSI packages) to machines or users.
  • Lock down the desktop, Start menu, or Control Panel.

Settings are refreshed automatically in the background roughly every 90 minutes (with a random offset), and at every boot/logon. You can force a refresh on demand - see Applying and refreshing policy.

The Group Policy Management Console (GPMC)

The Group Policy Management Console is the primary GUI tool. It is the snap-in where you create GPOs, link them, set precedence, filter who they apply to, and run reports.

To open it:

Server Manager > Tools > Group Policy Management

or run gpmc.msc from the Run box. If the console is missing, install the feature:

Install-WindowsFeature -Name GPMC

Inside GPMC you will see your forest, the domain, the Group Policy Objects container (the master list of every GPO), plus your sites and Organizational Units (OUs) with their links attached.

GPMC vs the policy editor

GPMC manages where GPOs apply. To edit what is inside a GPO, right-click it and choose Edit, which opens the Group Policy Management Editor (gpedit-style tree).

Computer Configuration vs User Configuration

Every GPO is split into two halves:

Half                     Applies to         Applied when
Computer Configuration   Computer objects   At startup, before logon, and on refresh
User Configuration       User objects       At logon and on refresh

Each half contains Policies (true policy settings that are removed when the GPO no longer applies) and Preferences (settings like drive maps and registry tweaks, which can be applied once and left in place).

A key rule: a GPO's Computer settings only matter for computer accounts in the scope of the link, and its User settings only matter for user accounts in scope. If you link a GPO with only User settings to an OU that contains only computers, nothing happens.

Loopback processing

Sometimes you want the computer's location to decide which User settings apply (common on kiosks, RDS hosts, or shared lab PCs). Enable User Group Policy loopback processing mode under Computer Configuration > Policies > Administrative Templates > System > Group Policy.

Linking GPOs and the LSDOU processing order

A GPO does nothing until it is linked to a container. You can link the same GPO to multiple containers, and you link it to one of three Active Directory scopes:

  • a Site (a physical/network location),
  • the Domain,
  • an Organizational Unit (OU).

When a computer or user processes policy, GPOs are applied in a fixed order known as LSDOU:

L - Local      (the local policy on the machine itself)
S - Site       (GPOs linked to the AD site)
D - Domain     (GPOs linked to the domain)
O - OU         (GPOs linked to OUs, from the top OU down to the
               OU that directly contains the object)

Precedence: last writer wins

LSDOU also defines precedence. GPOs are applied in that sequence, and if two GPOs set the same setting to different values, the one applied later overwrites the earlier one. So an OU GPO normally beats a Domain GPO, which beats a Site GPO, which beats Local.

Within a single container that has several linked GPOs, the Link Order decides precedence: the GPO with link order 1 is applied last, so it wins. You set this on the Linked Group Policy Objects tab in GPMC by moving links up and down.

Worked example

Suppose a Domain GPO sets the screen-lock timeout to 15 minutes, and a GPO linked to the Finance OU sets it to 5 minutes. A user account in the Finance OU gets 5 minutes, because the OU GPO is processed after (and therefore wins over) the domain GPO.
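To see the same ordering on a real domain, here is an added example (not code from the original page) that uses the GroupPolicy module to print the LSDOU application sequence for an OU, then the resolved precedence the module itself reports. It covers domain and OU links only (Site and Local are left out), and the OU distinguished name is a constructed placeholder.

```powershell
# Added example, not from the original page: list the domain and OU links in the
# order a client applies them (domain first, then each OU from the top down, link
# order N..1 inside each container). The OU DN below is a constructed placeholder.
Import-Module GroupPolicy

function Get-GpoApplyOrder {
    param([Parameter(Mandatory)][string]$TargetOU)

    $parts    = $TargetOU -split ','
    $domainDn = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
    $ouParts  = @($parts | Where-Object { $_ -like 'OU=*' })

    # Containers in processing order: the domain, then OUs from the top down.
    $containers = @($domainDn)
    for ($i = $ouParts.Count - 1; $i -ge 0; $i--) {
        $containers += (@($ouParts[$i..($ouParts.Count - 1)]) + $domainDn) -join ','
    }

    $step = 0
    foreach ($container in $containers) {
        $inh = Get-GPInheritance -Target $container
        # Link order 1 is applied last within a container, so walk N..1.
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            if (-not $link.Enabled) { continue }   # disabled links are skipped by clients
            $step++
            [pscustomobject]@{
                Step             = $step              # higher step = applied later = wins a conflict
                Container        = $container
                GPO              = $link.DisplayName
                LinkOrder        = $link.Order
                Enforced         = $link.Enforced     # an Enforced link overrides later steps
                InheritanceBlock = $inh.GpoInheritanceBlocked
            }
        }
    }
}

$ou = 'OU=Finance,DC=corp,DC=example,DC=com'   # constructed placeholder
Get-GpoApplyOrder -TargetOU $ou | Format-Table -AutoSize

# The module's own resolved view: InheritedGpoLinks is ordered by precedence,
# highest first, and already accounts for Enforced and Block Inheritance.
(Get-GPInheritance -Target $ou).InheritedGpoLinks |
    Select-Object DisplayName, Target, Enforced | Format-Table -AutoSize
```

In the worked example above, the Finance OU link would appear as the last step in the first table and as the first entry in the second, which is why its 5-minute timeout wins.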

Common policies you will configure

Goal                                Where it lives
Password & account lockout policy   Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies
Drive maps                          User Configuration > Preferences > Windows Settings > Drive Maps
Login / logoff scripts              User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff)
Startup / shutdown scripts          Computer Configuration > Policies > Windows Settings > Scripts
Software deployment (MSI)           Computer or User Configuration > Policies > Software Settings > Software installation
Security options / firewall         Computer Configuration > Policies > Windows Settings > Security Settings
Desktop / Start menu lockdown       User Configuration > Policies > Administrative Templates

The domain password policy is special

The classic account password and lockout policy is enforced for all domain user accounts only from a GPO linked at the domain level (by default the Default Domain Policy). The same settings in a GPO linked to an OU affect the local accounts of computers in that OU, not domain accounts. For per-group exceptions, use a Fine-Grained Password Policy (a PSO) instead.

Create a new GPO and link it to an OU from PowerShell:

# Create a GPO and link it to an OU in one step
New-GPO -Name "Finance Drive Maps" |
    New-GPLink -Target "OU=Finance,DC=corp,DC=example,DC=com"

Enforcement and inheritance blocking

Two controls override the normal LSDOU precedence:

  • Enforced (formerly "No Override"): right-click a link and choose Enforced. An enforced GPO's settings win over any GPO processed later, and they cannot be blocked. Use this for non-negotiable settings like security baselines.
  • Block Inheritance: right-click an OU and choose Block Inheritance. The OU then ignores GPOs linked higher up (site/domain).

When the two collide, Enforced wins: an enforced link still applies even to an OU that has Block Inheritance set. In GPMC, enforced links show a small padlock and blocked OUs show a blue exclamation mark.

# Enforce a link, and block inheritance on an OU
Set-GPLink -Name "Security Baseline" -Target "DC=corp,DC=example,DC=com" -Enforced Yes
Set-GPInheritance -Target "OU=Lab,DC=corp,DC=example,DC=com" -IsBlocked Yes

Security filtering

By default a GPO applies to Authenticated Users in its scope. Security filtering narrows that to specific users, computers, or groups: on the GPO's Scope tab in GPMC, remove Authenticated Users and add the group you want, e.g. Finance Staff. Only members then get the GPO.

The 2016+ read-permission requirement

Since the MS16-072 security update, the computer account also needs Read access to a GPO for it to apply, even for User settings. If you replace Authenticated Users with a user group, also grant Authenticated Users (or Domain Computers) the Read permission - without Apply - on the Delegation tab. A WMI Filter can further target GPOs by attributes such as OS version or free disk space.
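A security-filtered GPO that silently stops applying is a common outcome of this requirement, so here is an added example (not code from the original page) that audits every GPO in the domain with the GroupPolicy module: it flags GPOs where Authenticated Users no longer has Apply and neither Authenticated Users nor Domain Computers has at least Read, and with -Repair grants Authenticated Users Read without Apply. It assumes an account that can read and edit GPO permissions.

```powershell
# Added example, not from the original page: find security-filtered GPOs that
# computers cannot read (the MS16-072 condition) and optionally grant Read.
Import-Module GroupPolicy

function Test-GpoComputerRead {
    param([switch]$Repair)

    # Permission levels in the GroupPolicy module that include read access.
    $readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All

        # Not security-filtered: Authenticated Users (computers included) still has Apply.
        $authUsersApply = $perms | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and
            $_.Permission.ToString() -eq 'GpoApply'
        }
        if ($authUsersApply) { continue }

        # Filtered, but a computer-covering principal can still read the GPO: fine.
        $computerRead = $perms | Where-Object {
            $_.Trustee.Name -in @('Authenticated Users', 'Domain Computers') -and
            $_.Permission.ToString() -in $readLevels
        }
        if ($computerRead) { continue }

        if ($Repair) {
            # Read only, no Apply: the group chosen on the Scope tab still decides who gets it.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Id       = $gpo.Id
            Problem  = 'Security-filtered but computers cannot read the GPO'
            Repaired = [bool]$Repair
        }
    }
}

# Report first; rerun with -Repair once the list looks right.
Test-GpoComputerRead | Format-Table -AutoSize
```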

Applying and refreshing policy

You do not normally wait for the background refresh while testing:

# Reapply policy now on the local machine (both computer and user halves)
gpupdate /force

/force reapplies all settings rather than only changed ones. If a setting needs a logoff or reboot (drive maps, software install), gpupdate prompts for it; add /logoff or /boot to allow it.

Troubleshooting

The first question is always: which GPOs actually applied, and which won?

# Resulting Set of Policy for the current user/computer, in summary form
gpresult /r

# Full HTML report you can open in a browser
gpresult /h C:\Temp\gpresult.html

# Target a specific user on a specific machine
gpresult /s SERVER01 /user CORP\jdoe /r

gpresult shows Applied GPOs, denied GPOs (and why - e.g. "Filtering: Denied (Security)" or "Empty"), the site, and the last refresh time.

For a guided, point-and-click version, use the Group Policy Results wizard in GPMC (right-click Group Policy Results > Group Policy Results Wizard). It queries a target user+computer and produces the same resultant report with a settings tab showing which GPO won each setting. The related Group Policy Modeling wizard does "what-if" simulations before you make a change.

Common gotchas

  • Settings not applying? Confirm the GPO is linked (an unlinked GPO in the Group Policy Objects container does nothing) and the link is enabled.
  • Wrong value winning? Check Link Order and any Enforced links with gpresult /r.
  • User settings ignored? Check security filtering and the MS16-072 Read permission for the computer.
  • Replication delay: a brand-new GPO must replicate to the DC the client uses - check SYSVOL and AD replication if behaviour differs between sites.

Verify your work

  1. In GPMC, confirm your GPO appears under Group Policy Objects and that a link exists on the target OU/domain/site (the link node shows the GPO name).
  2. On a client (or the server) in scope, run gpupdate /force, then gpresult /r and confirm your GPO is listed under Applied Group Policy Objects.
  3. Open gpresult /h C:\Temp\gpresult.html and verify the specific setting shows your GPO as the winning policy.
  4. Test enforcement/blocking: set Block Inheritance on a child OU and confirm with gpresult /r that a higher GPO is now denied - unless it is Enforced, in which case it should still apply.

Summary

  • A GPO is a reusable container of Computer and User settings; it only takes effect once linked to a site, domain, or OU.
  • Processing order is LSDOU (Local > Site > Domain > OU); the GPO applied last wins, and Link Order 1 wins within a container.
  • Enforced links override later GPOs and cannot be blocked; Block Inheritance ignores higher links - but Enforced beats Block Inheritance.
  • Security filtering (plus a WMI filter) decides who a GPO applies to; remember the computer needs Read since MS16-072.
  • Apply with gpupdate /force; troubleshoot with gpresult /r, an HTML report, and the Group Policy Results wizard.
  • Group Policy is built on Active Directory; see also DNS and DHCP on Windows Server and PowerShell basics.