Windows Group Policy (GPO) Explanation and Tutorials
Group Policy is a Windows feature for centrally configuring operating systems, users, and applications; its settings are stored in Group Policy Objects (GPOs). Group Policies allow you to apply the same settings to all users and computers in an Active Directory domain by providing a set of rules and settings for the Windows environment. You can use Group Policy to set Windows configuration, change security settings, configure the user’s environment, install a program or run a script, etc.
Group Policy Architecture and Components
- GPO – a Group Policy Settings object, which contains a set of settings that you want to apply to workstations, servers and/or users. Each GPO in a domain has its own unique GUID. Its files are stored in the SYSVOL directory on Active Directory domain controllers ( \\woshub.com\SYSVOL\woshub.com\Policies\GPO_GUID ). All AD domain controllers replicate the GPO folder in Sysvol;
- Client computers – Clients retrieve GPO files from domain controllers and apply settings to Windows and users. The process of obtaining and applying a GPO is called a Group Policy Update;
- Group Policy Administrative Templates (ADMX files) are the XML template files for the GPO Editor. ADMX files contain the definitions of the policy settings, which describe what settings can be configured and what their valid values are. Third party developers and administrators can create their own ADMX templates. If you want to support multiple languages in ADMX, you can use ADML files. You can install and update administrative templates for a wide range of applications and services. For example, you can use ADMX templates for Microsoft Office, to configure the settings of the Google Chrome browser, manage LAPS, etc. In a Windows domain, we recommend that you create a central Administrative Template store for ADMX files called PolicyDefinitions.
- Linking GPO – a configured GPO can be assigned to an entire domain, an Active Directory site, or an Organizational Unit in the AD tree structure;
- GPO Security Filtering and WMI Filters allow you to limit the scope of a GPO to specific computers, users, and groups;
- Group Policy Preferences – a built-in set of client extensions that extend the capabilities of GPO (available in Windows Server 2008 and later).
There are two default GPOs created in the domain:
- Default Domain Policy – Assigned to the root of the domain and contains basic settings for all users and computers. It includes domain password policy settings, account lockout, and Kerberos settings.
- Default Domain Controllers Policy – contains the basic and auditing settings for Active Directory domain controllers.
Group Policy Management Tools
- Local Group Policy Editor ( gpedit.msc ) MMC console – used to configure the GPO settings on the local Windows computer. By default, the gpedit.msc console is only available in Pro/Enterprise editions of Windows, but you can also install it in Home editions. Different local GPO settings can be applied to different groups of users using MLGPO (Multiple Local Group Policy). You can use the LGPO.exe tool to export (backup) the local GPO settings and transfer them to other computers.
- Domain Group Policy Management MMC console ( gpmc.msc ) – used to centrally manage Group Policies at the AD domain level. It allows you to apply GPOs to all computers/users in a domain, to objects in a specific OU, or to specific groups of users or computers.
- PowerShell Group Policy module allows you to create, delete, link, unlink, and configure GPO settings from the PowerShell command prompt.
Most Useful GPO Examples and Best Practices
- Deploy software (MSI packages) on Windows via Group Policy
- Managing Windows Defender Firewall rules with GPO
- Configure folder redirection using GPO
- How to implement Group Policy to block USB devices
- Disable legacy TLS 1.0 and TLS 1.2 protocols on Windows
- Display system information on the Windows desktop with BgInfo
- Deploying new fonts on Windows via GPO
- How to save BitLocker recovery keys to Active Directory
- Set screen lock for inactivity via Group Policy
- Disable NTLM on Windows
- GPO: run startup or logon PowerShell scripts on Windows
- Enable WinRM and PowerShell Remoting through GPO
- Enable RDP on Windows computers with Group Policy
- Configuring proxy server settings in Windows using Group Policy
- Disable NetBIOS and LLMNR protocols on Windows
- Update trusted root certificates on Windows and add SSL certificate to the trusted ones with GPO
- Configure User Account Control (UAC) settings on Windows with GPO
- GPO: Set WSUS client configuration in Active Directory domain
Examples of using Group Policy Preferences:
- Create a scheduled task on Windows with GPO
- How to add, change, or remove registry keys/parameters using Group Policy
- Mapping network drives with Group Policy
- Copy files or folders to domain computers using GPO
- Create desktop shortcuts using Group Policy
- How to add local administrators via Group Policy
- Connecting shared printers to domain computers and users with GPO
Group Policy Troubleshooting Guides
- Fixing Group Policy processing errors
- Troubleshooting: Group Policy Objects not being applied to clients
- GPO is taking a long time to apply
- How to use GPResult to check resulting Group Policies
- Reset Local Group Policy settings on Windows by deleting registry.pol files
Mapping SharePoint Online Library as Network Drive in Windows
July 15, 2024
Connecting SharePoint Online document libraries through the OneDrive client or using the Web interface are the preferred and recommended ways to access document library files on SharePoint. But you can…
Configure File and Folder Access Auditing on Windows (GPO)
June 27, 2024
The file system audit policy in Windows allows you to monitor all access events to specific files and folders on a disk. An administrator can enable the audit policy to identify…
How to Add or Remove Pinned Folders to Quick Access with PowerShell and GPO
June 18, 2024
Windows File Explorer has a separate panel that displays a list of favorite folders and locations called Quick Access. Many users and administrators unjustly ignore this handy Windows tool for…
Prevent Server Manager from Starting at Logon on Windows Server
April 11, 2024
The Server Manager dashboard opens automatically when you log on to Windows Server with an account that is a member of the local Administrators group. Server Manager console allows you…
Unlocking Active Directory User Accounts
February 13, 2024
A user account lockout in a domain is one of the most popular reasons why users contact the technical support team. In most cases, the lockout is caused either by…
Deploying Microsoft Office Language Packs
December 18, 2023
In this article, we’ll look at manual and automated ways to deploy additional language packs and set the default language in Microsoft Office 2019, 2016, and Microsoft 365 Apps for…
Fix: Remote Desktop Licensing Mode is not Configured
August 24, 2023
When configuring a new RDS farm node on Windows Server 2022/2019/2016/2012 R2, you may see the following tray warning pop-up: Licensing mode for the Remote Desktop Session Host is not…
Refresh AD Groups Membership without Reboot/Logoff
July 15, 2023
After you add a computer or a user account to an Active Directory security group, the new access permissions or the new GPOs are not applied immediately. To update the…
How to Backup and Copy Local Group Policy Settings to Another Computer
July 6, 2023
Group Policies are used to centrally configure settings for computers and users in Windows. If your computers are joined to a Windows domain, you can use domain GPOs to bring…
How to Reset the Group Policy Settings on Windows
June 23, 2023
Group Policy Object (GPO) is a handy tool for fine-tuning the user and the operating system environment in Windows. Both domain GPOs (if the computer is a member of an…