M10: Group Policy

Group Policy provides centralized management and configuration of operating systems, applications, and user settings across an Active Directory environment.

What You'll Learn

  • GPO architecture and processing
  • Creating and linking GPOs
  • Policy precedence (LSDOU)
  • Security filtering and WMI filters
  • Troubleshooting Group Policy

Prerequisites

  • Active Directory fundamentals (M02)
  • Understanding of OUs
  • Windows Server administration
  • Basic networking concepts
Enterprise Impact: Group Policy is the primary mechanism for enforcing security standards, deploying software, and maintaining configuration consistency across thousands of machines.
Figure: Group Policy, centralized config at scale. One "Lockdown" GPO, authored once, is linked to the Sales OU (42 users), IT OU (28 users) and HR OU (15 users): one GPO applies to 85 users plus their PCs (password rules, screensaver, mapped drives, deployed printers, etc.).

GPO Architecture

Group Policy Objects consist of two components stored in different locations.

Group Policy Container (GPC)

  • Stored in Active Directory
  • Contains GPO metadata
  • Version info, status, links
  • Replicated via AD replication

Group Policy Template (GPT)

  • Stored in SYSVOL
  • Contains actual policy settings
  • Scripts, ADM/ADMX files
  • Replicated via DFS-R or FRS
    # SYSVOL GPT Location:
    \\domain.local\SYSVOL\domain.local\Policies\{GPO-GUID}\

    # GPT Structure:
    ├── Machine\               # Computer settings
    │   ├── Scripts\           # Startup/shutdown scripts
    │   └── Registry.pol       # Registry-based settings
    ├── User\                  # User settings
    │   ├── Scripts\           # Logon/logoff scripts
    │   └── Registry.pol       # Registry-based settings
    └── GPT.ini                # Version information
Figure: GPO = GPC (AD) + GPT (SYSVOL). A Group Policy Object ({GUID}, e.g. Lockdown.gpo) has two halves. The GPC (metadata) lives in the AD database under CN=Policies,CN=System,DC=corp,DC=local and replicates via AD replication. The GPT (settings) lives on disk at \\corp.local\SYSVOL\policies\{GUID}\ and replicates via DFSR. Clients pull both halves at policy refresh (every 90 minutes).

GPO Processing Order: LSDOU

GPOs are processed in a specific order. Later policies override earlier ones.

Policy Application Order

  • Local - the local GPO on the machine (gpedit.msc), applied first
  • Site - GPOs linked to AD Sites
  • Domain - domain-linked (root) policies
  • OU - GPOs linked to the OU chain; most specific, applied last

Key Concepts

  • Last writer wins - Later GPOs override earlier settings
  • Inheritance - Child OUs inherit parent GPO settings
  • Block Inheritance - Prevents parent GPOs from applying
  • Enforce (No Override) - Forces GPO to apply despite blocking
Enforced GPOs Always Win: An enforced GPO linked at the domain level will override OU policies, even if the OU blocks inheritance.
Figure: LSDOU, order of application (last wins). L: Local GPO on the PC, applied first. S: Site-linked GPOs (e.g. AmericasSite). D: Domain-linked GPOs (e.g. Default Domain Policy). OU: OU-linked GPOs (most specific), applied last, so they win. Exceptions to the rule: the Enforced flag (parent overrides child) and Block Inheritance (child ignores parent, unless Enforced is set).
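To make the precedence rules concrete, here is an added example (not code from the course module) that models LSDOU offline in PowerShell, so it runs without a domain. It takes the chain of containers from the site down to a target OU, with each container's links in link order and its Block Inheritance flag, and returns the sequence in which a client would apply the GPOs (last applied wins a conflict). It goes beyond the single case in the text by handling link order within a container, several enforced links and a block at any level. All container and GPO names below are made up for the example.

```powershell
# Added example, not part of the course module: an offline model of LSDOU precedence.
# Input: the container chain from the top (Site) down to the target OU. Each container is a
# hashtable: @{ Name = ...; Block = $true/$false; Links = @( @{ Gpo = ...; Enforced = $bool }, ... ) }
# Links are listed in link order, so the first entry is link order 1 (highest precedence).
# Output: GPO labels in the order the client applies them; the last one applied wins a conflict.
function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)] [object[]] $Chain)

    $applied = [System.Collections.Generic.List[string]]::new()
    $applied.Add('Local GPO')                       # L: always processed first
    $enforcedPerContainer = @()                     # one array per container, top-down

    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $c = $Chain[$i]
        # Block Inheritance on any container below this one (down to the target)
        # suppresses this container's non-enforced links; Enforced links ignore the block.
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $Chain.Count; $j++) {
            if ($Chain[$j].Block) { $blockedBelow = $true }
        }
        $links = @($c.Links)
        $enforcedHere = @()
        # Walk links in reverse link order: link order 1 is applied last within the container.
        for ($k = $links.Count - 1; $k -ge 0; $k--) {
            $label = '{0} ({1})' -f $links[$k].Gpo, $c.Name
            if ($links[$k].Enforced)    { $enforcedHere += $label }
            elseif (-not $blockedBelow) { $applied.Add($label) }   # S, D, OU... top-down
        }
        $enforcedPerContainer += ,$enforcedHere
    }
    # Enforced links are applied after everything else, leaf first, root last:
    # an enforced domain link therefore beats an enforced OU link.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        foreach ($label in $enforcedPerContainer[$i]) { $applied.Add($label) }
    }
    return $applied.ToArray()
}

# Constructed sample topology (names are made up for this example).
$site   = @{ Name = 'AmericasSite';   Block = $false; Links = @(@{ Gpo = 'Site-Proxy'; Enforced = $false }) }
$domain = @{ Name = 'hexworth.local'; Block = $false; Links = @(
              @{ Gpo = 'Default Domain Policy'; Enforced = $false },
              @{ Gpo = 'SEC-Password-Policy';   Enforced = $true  }) }
$wks    = @{ Name = 'Workstations';   Block = $false; Links = @(@{ Gpo = 'SEC-Workstation-Firewall'; Enforced = $false }) }
$kiosks = @{ Name = 'Kiosks';         Block = $true;  Links = @(@{ Gpo = 'Kiosk-Lockdown'; Enforced = $false }) }

"Target: OU=Workstations"
Get-EffectiveGpoOrder -Chain @($site, $domain, $wks)          | ForEach-Object { "  $_" }
"Target: OU=Kiosks (Block Inheritance set)"
Get-EffectiveGpoOrder -Chain @($site, $domain, $wks, $kiosks) | ForEach-Object { "  $_" }
```

The second run shows the two exceptions together: Block Inheritance on the Kiosks OU drops the site, domain and parent-OU links that are not enforced, yet the enforced domain-level password policy is still applied, and applied last, so it wins over the kiosk OU's own GPO.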

Computer vs User Configuration

GPOs contain two configuration sections that apply to different objects.

Computer Configuration

  • Applies at computer startup
  • Affects machine regardless of user
  • Security settings, startup scripts
  • Software installation (per-machine)
  • Windows settings

User Configuration

  • Applies at user logon
  • Follows user to any computer
  • Desktop settings, folder redirection
  • Logon scripts
  • Application settings

Loopback Processing

Applies user settings based on the computer's OU, not the user's OU.

  • Replace Mode: Only computer's GPO user settings apply
  • Merge Mode: User's GPO settings apply, then computer's override
Common Use Case: Kiosk computers where you want the same restrictive user settings regardless of who logs in. Enable loopback in Replace mode.
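Building the kiosk case above entirely from PowerShell, as an added example that is not part of the course module: it creates a GPO, turns on loopback in Replace mode on the computer side, adds one restrictive user-side setting, links the GPO and reads the values back from the GPT. The GPO name and the Kiosks OU are hypothetical; the registry locations are the ones the corresponding Administrative Template policies write to.

```powershell
# Added example, not from the course module. Builds a kiosk loopback GPO in PowerShell.
# GPO and OU names are made up; adjust them for your domain.
Import-Module GroupPolicy

$gpoName  = 'SEC-Kiosk-Loopback'                       # hypothetical name
$targetOu = 'OU=Kiosks,DC=hexworth,DC=local'           # hypothetical OU

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Loopback (Replace): kiosk user settings follow the PC' | Out-Null
}

# Computer Configuration > Policies > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode". UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# A user-side restriction that should reach anyone who logs on to a kiosk: remove Task Manager.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# Link to the kiosk OU only if it is not linked yet, so re-running the script is harmless.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

# Read both values back from the GPT to confirm what was written.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' |
    Select-Object FullKeyPath, ValueName, Type, Value
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object FullKeyPath, ValueName, Type, Value
```

Because the loopback switch lives in Computer Configuration, the GPO must be linked where the kiosk computer objects are; the user-side value then applies to every account that logs on there, which is exactly the Replace-mode behaviour the text describes.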
Figure: Two halves of a GPO, two trigger events. Computer Configuration applies at boot (firewall rules, software install, power policy, update settings) and applies to where the computer object is. User Configuration applies at logon (mapped drives, desktop shortcuts, folder redirection, IE/Edge settings) and applies to where the user object is.

Creating and Linking GPOs

GPOs must be created in AD and then linked to sites, domains, or OUs to take effect.

Figure: Loopback, user GPO follows the PC. Normal mode: user policy follows the user; the user's OU policy (e.g. Sales theme) applies on whatever PC they log into. Loopback mode: user policy follows the PC instead; a user logging into a Kiosk PC gets the Kiosk OU user policy. Replace mode: only the PC side wins. Merge mode: the PC side adds to the user side.

Best Practices

  • Name GPOs descriptively (e.g., "SEC-Workstation-Baseline")
  • Document purpose in GPO comments
  • Test in pilot OU before production rollout
  • Keep GPOs focused - one purpose per GPO
  • Avoid cluttering Default Domain Policy

Create a GPO first, then link it to the OU where it should apply.

    # Create a new GPO with a descriptive name and comment
    PS C:\> New-GPO -Name "SEC-Workstation-Firewall" -Comment "Enables Windows Firewall on workstations"

    # Expected output:
    DisplayName : SEC-Workstation-Firewall
    DomainName  : hexworth.local
    Owner       : HEXWORTH\Domain Admins
    Id          : 3f2a1b4c-8d7e-4a91-b6c3-9e5f0d2a8b7c
    GpoStatus   : AllSettingsEnabled
    Description : Enables Windows Firewall on workstations

Link the GPO to a target OU so it begins applying to objects in that scope.

    # Link the firewall GPO to the Workstations OU
    PS C:\> New-GPLink -Name "SEC-Workstation-Firewall" -Target "OU=Workstations,DC=hexworth,DC=local"

    # Expected output:
    GpoId       : 3f2a1b4c-8d7e-4a91-b6c3-9e5f0d2a8b7c
    DisplayName : SEC-Workstation-Firewall
    Enabled     : True
    Enforced    : False
    Target      : OU=Workstations,DC=hexworth,DC=local
    Order       : 1

Use the Enforced flag to ensure a GPO applies even when child OUs block inheritance.

    # Link a password policy GPO at the domain level with enforcement
    PS C:\> New-GPLink -Name "SEC-Password-Policy" -Target "DC=hexworth,DC=local" -Enforced Yes

    # Expected output:
    GpoId       : 7a4c9e2d-1b3f-4d8a-a5c7-6e0f3b2d9a1c
    DisplayName : SEC-Password-Policy
    Enabled     : True
    Enforced    : True
    Target      : DC=hexworth,DC=local
    Order       : 1
Default Policies: Only use Default Domain Policy for account policies (password, lockout, Kerberos). Create separate GPOs for everything else.

Security Filtering

Security filtering restricts which users or computers a GPO applies to within its linked scope.

Figure: GPMC workflow: create, edit, link. 1. Create in Group Policy Objects. 2. Edit (gpedit.msc). 3. Link to OU (activates the policy). The same workflow built in PowerShell:

    PS> New-GPO -Name "Lockdown"
    PS> Set-GPRegistryValue -Name "Lockdown" -Key "HKLM\Software\Policies\..."
    PS> New-GPLink -Name "Lockdown" -Target "OU=Sales,DC=corp,DC=local"
    PS> Get-GPInheritance -Target "OU=Sales,DC=corp,DC=local"    # show what is inherited and applied

How It Works

  • By default, GPOs apply to "Authenticated Users"
  • You can change this to specific groups or users
  • Subjects need Read + Apply Group Policy permissions
  • Removing Authenticated Users is common for targeted GPOs

Check which groups currently have permission to apply a GPO.

    # View all security permissions on a GPO
    PS C:\> Get-GPPermission -Name "SEC-IT-Admin-Tools" -All

    # Expected output:
    Trustee     : Authenticated Users
    TrusteeType : WellKnownGroup
    Permission  : GpoApply
    Inherited   : False

    Trustee     : Domain Admins
    TrusteeType : Group
    Permission  : GpoEditDeleteModifySecurity
    Inherited   : False

Grant the GpoApply permission to a specific security group so only its members receive the policy.

    # Add IT-Administrators to the GPO's security filtering
    PS C:\> Set-GPPermission -Name "SEC-IT-Admin-Tools" -TargetName "IT-Administrators" -TargetType Group -PermissionLevel GpoApply

    # Expected output:
    Trustee     : IT-Administrators
    TrusteeType : Group
    Permission  : GpoApply
    Inherited   : False

Remove Authenticated Users so the GPO only targets the group you just added.

    # Remove default Authenticated Users so the GPO is targeted
    # (-Replace is required when lowering an existing permission level to None)
    PS C:\> Set-GPPermission -Name "SEC-IT-Admin-Tools" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
Server 2012 R2+ Requirement: Computers need at least Read permission (not Apply) on GPOs for security filtering to work correctly. Ensure "Domain Computers" has Read access.
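Because the two mistakes above (a GPO that nobody can apply, and a GPO whose user settings stop working once Authenticated Users loses Read) are easy to make and hard to spot in GPMC, here is an added example, not from the course module, that audits every GPO's security filtering. It uses only the GroupPolicy module cmdlets shown above; the function name is this example's own, and the well-known SIDs are matched rather than names so localized group names do not matter.

```powershell
# Added example, not part of the course module: audit security filtering on every GPO.
# It flags GPOs that (a) have no GpoApply trustee, so they apply to nobody, or
# (b) no longer let computer accounts read them (Authenticated Users or Domain Computers
# without Read), which breaks user-side settings as the requirement note above describes.
Import-Module GroupPolicy

function Get-GpoFilteringFindings {
    param([Parameter(Mandatory)] $Gpo)      # a Gpo object from Get-GPO

    $perms = Get-GPPermission -Guid $Gpo.Id -All
    $readCapable = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    $appliesTo    = @()
    $computerRead = $false
    foreach ($p in $perms) {
        if ($p.Denied) { continue }
        $sid = $p.Trustee.Sid.Value
        # S-1-5-11 = Authenticated Users (every computer account is a member);
        # S-1-5-21-<domain>-515 = Domain Computers.
        $coversComputers = ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
        if ($coversComputers -and ($readCapable -contains "$($p.Permission)")) { $computerRead = $true }
        if ("$($p.Permission)" -eq 'GpoApply') { $appliesTo += $p.Trustee.Name }
    }

    $findings = @()
    if ($appliesTo.Count -eq 0) { $findings += 'No trustee has Apply: GPO applies to nobody' }
    if (-not $computerRead)     { $findings += 'Computers cannot read GPO: user settings will not apply' }

    [pscustomobject]@{
        GPO          = $Gpo.DisplayName
        Id           = $Gpo.Id
        AppliesTo    = ($appliesTo -join ', ')
        ComputerRead = $computerRead
        Findings     = ($findings -join '; ')
    }
}

# Report only the GPOs that have a finding.
Get-GPO -All |
    ForEach-Object { Get-GpoFilteringFindings -Gpo $_ } |
    Where-Object { $_.Findings } |
    Format-Table GPO, AppliesTo, ComputerRead, Findings -AutoSize -Wrap
```

Run it after any Set-GPPermission change and before a rollout; a targeted GPO should show the intended group under AppliesTo and ComputerRead set to True, which is what the Domain Computers Read grant in the note above achieves.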

WMI Filters

WMI filters apply GPOs conditionally based on system properties queried via WMI.

Common WMI Filter Scenarios

  • Target specific OS versions (Windows 10/11)
  • Target laptops vs desktops (battery present)
  • Target by hardware specs (RAM, disk space)
  • Target VMs vs physical machines

WMI queries target GPOs to machines matching specific hardware or OS criteria.

    # WMI Query: Only Windows 11 machines (version 10.0.22xxx)
    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.22%" AND ProductType = "1"

    # WMI Query: Only laptops (battery must be present)
    SELECT * FROM Win32_Battery WHERE BatteryStatus IS NOT NULL

    # WMI Query: Machines with 8GB+ RAM
    SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 8589934592

Create a WMI filter in PowerShell and attach it to a GPO for conditional targeting.

    # Create a WMI filter that targets only Windows 11
    # (New-GPWmiFilter comes from the GPWmiFilter module on the PowerShell Gallery;
    #  the built-in GroupPolicy module has no cmdlet for creating WMI filters)
    PS C:\> New-GPWmiFilter -Name "Windows 11 Only" -Expression 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.22%"'

    # Expected output:
    Name        : Windows 11 Only
    Description :
    Expression  : SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.22%"
    Author      : HEXWORTH\Administrator
Performance Impact: WMI filters run on every policy refresh. Complex queries can slow logon. Keep WMI queries simple and test performance.
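A WMI filter can be dry-run on a representative machine before it is attached to a GPO: the filter is true exactly when the query returns at least one instance, and timing the query shows the cost that will be paid at every policy refresh. The following is an added example, not code from the course module; the function name is its own, and it feeds in the module's three queries plus a build-range variant of the Windows 11 check (Windows 11 24H2 reports version 10.0.26100, which "10.0.22%" would miss; the range assumes builds stay below 10.0.30000).

```powershell
# Added example, not from the course module: dry-run a WMI filter expression locally (or on a
# remote host) with Get-CimInstance and time it, since a filter that is slow here will be
# slow at every policy refresh. The function name is this example's own.
function Test-WmiFilterExpression {
    param(
        [Parameter(Mandatory)] [string] $Expression,   # WQL exactly as it would be stored in the filter
        [string] $ComputerName                         # optional remote host
    )
    $cimParams = @{ Query = $Expression; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimParams.ComputerName = $ComputerName }

    $err = $null
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try   { $rows = @(Get-CimInstance @cimParams) }
    catch { $rows = @(); $err = $_.Exception.Message }
    $sw.Stop()

    # Group Policy treats the filter as TRUE when the query returns at least one instance.
    [pscustomobject]@{
        Expression = $Expression
        Matches    = ($rows.Count -gt 0)
        Instances  = $rows.Count
        Ms         = $sw.ElapsedMilliseconds
        Error      = $err
    }
}

# The module's own filters, plus a build-range variant of the Windows 11 check
# (assumption: Windows 11 builds stay in the 10.0.22000 to 10.0.29999 range).
$filters = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.22%" AND ProductType = "1"',
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2[2-9]%" AND ProductType = "1"',
    'SELECT * FROM Win32_Battery WHERE BatteryStatus IS NOT NULL',
    'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 8589934592'
)
$filters | ForEach-Object { Test-WmiFilterExpression -Expression $_ } |
    Format-Table Matches, Instances, Ms, Expression, Error -AutoSize -Wrap
```

A query that errors here (the Error column) will silently evaluate to false on clients, so the GPO simply never applies; that is one of the "policy not applying" causes worth ruling out before touching security filtering.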
Figure: Security Filtering, limit a GPO to specific groups. GPO PrinterDeploy is linked to the Sales OU (all users). Members of the SalesUsers group (jdoe, msmith, kbrown): policy applies. Other users in the OU (temp1, vendor): policy filtered out. Default is Authenticated Users; replace it with the target group for fine control.

Common Policy Settings

Key policy areas every administrator should know.

  Category              Location                                              Examples
  --------------------  ----------------------------------------------------  ----------------------------
  Password Policy       Computer > Policies > Windows Settings > Security     Min length, complexity, age
  Account Lockout       Computer > Policies > Windows Settings > Security     Threshold, duration, reset
  Audit Policy          Computer > Policies > Windows Settings > Security     Logon events, object access
  User Rights           Computer > Policies > Windows Settings > Security     Log on locally, shut down
  Software Restriction  Computer > Policies > Windows Settings                AppLocker, SRP
  Folder Redirection    User > Policies > Windows Settings                    Documents, Desktop, AppData
Password Policy Scope: Password policies only work when linked at the domain level. OU-linked password policies are ignored (use Fine-Grained Password Policies for OU-level control).
Figure: WMI Filters, the GPO applies only if the WMI query is true. Example filter, only laptops: SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2 (1=desktop, 2=laptop, 3=workstation, 4=server). Laptop in OU: WMI matches, policy applies. Desktop in OU: WMI does not match, policy skipped.

Group Policy Preferences

Preferences configure settings that users can change, unlike policies which enforce settings.

Policies (Enforced)

  • Settings are locked (grayed out)
  • Removed when GPO no longer applies
  • Stored in registry under Policies key
  • Cannot be changed by users

Preferences (Initial)

  • Settings can be modified by user
  • Persist even if GPO removed
  • More flexible targeting (item-level)
  • Drive maps, printers, scheduled tasks

Common Preferences

  • Drive Mappings: Map network drives based on group membership
  • Printers: Deploy printers to users or computers
  • Scheduled Tasks: Create/manage scheduled tasks
  • Registry: Configure registry values
  • Local Users/Groups: Manage local administrators
Figure: What admins actually set in GPOs.
  • Password Policy: 14 char min, complexity, lockout
  • Audit Policy: log logons, object access, privilege use
  • Software Restriction / AppLocker: block PowerShell.exe in user OU
  • Firewall Rules: domain profile inbound rules
  • Drive Mappings: G:\ → \\fs01\groups
  • Internet Explorer / Edge: homepage, proxy, search
  • Folder Redirection: Desktop → \\fs01\users\%username%
  • Software Installation: deploy MSI on boot
  • Scripts: startup, logon, logoff, shutdown
  • Power Plan: high perf for desktops

Troubleshooting Group Policy

When policies don't apply as expected, use these diagnostic approaches.

Figure: Preferences are tattooed settings the user can change. Policy (enforced): re-applied every 90 min, locked and dimmed UI, user cannot change it, even a local admin's change is reverted; used for security baselines, audit settings, firewall; stored under Policies\Software\... registry keys. Preference (tattooed): written once and stays unless replaced, default editable UI, the user can change it later but the next refresh resets it; used for drive mappings, printers, defaults; written to native registry keys.

Diagnostic Commands

Force an immediate policy refresh on the local machine to test changes right away.

    # Force both computer and user policy to refresh now
    PS C:\> gpupdate /force

    # Expected output:
    Updating policy...

    Computer Policy update has completed successfully.
    User Policy update has completed successfully.

Generate an HTML report showing every GPO that applied (or failed) on this machine.

    # Save a full Group Policy results report to HTML
    PS C:\> gpresult /h C:\GPReport.html

Get the Resultant Set of Policy for a specific user on a specific computer, useful for remote troubleshooting.

    # Generate RSoP report for a remote user/computer pair
    PS C:\> Get-GPResultantSetOfPolicy -Computer "WS-HR01" -User "jsmith" -ReportType Html -Path "C:\RSoP.html"

    # Expected output:
    RsopMode        : Logging
    Namespace       : \\WS-HR01\Root\Rsop\NS5A3F2B1C_8D7E_4A91_B6C3_9E5F0D2A8B7C
    LoggingComputer : WS-HR01
    LoggingUser     : HEXWORTH\jsmith

Pipe a GPO into Get-GPOReport to inspect its full XML configuration for replication verification.

    # Export GPO settings as XML for review
    PS C:\> Get-GPO -Name "SEC-Workstation-Baseline" | Get-GPOReport -ReportType Xml

Common Issues

  • Slow logon: Too many GPOs or complex WMI filters
  • Policy not applying: Security filtering, WMI filter, or inheritance blocked
  • Inconsistent behavior: SYSVOL replication lag
  • Settings reverting: Conflicting GPO with higher precedence
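The "inconsistent behavior" case above, and the GPC/GPT split described in the architecture section, can be checked directly: Get-GPO returns the version counter stored in the GPC (DSVersion, from AD) and the one stored in the GPT (SysvolVersion, from GPT.ini) for each half of a GPO, and a mismatch means SYSVOL has not caught up with AD or GPT.ini was changed by hand. This added example, not from the course module, lists GPOs whose halves disagree and can repeat the query against several DCs to show replication lag between them; the function name and the DC hostnames are placeholders.

```powershell
# Added example, not from the course module: check that both halves of every GPO agree,
# and compare the same GPO as seen from different domain controllers.
Import-Module GroupPolicy

function Get-GpoHalfMismatch {
    param([string[]] $Server = @($null))      # empty = whichever DC Get-GPO picks
    foreach ($dc in $Server) {
        $gpoParams = @{ All = $true }
        if ($dc) { $gpoParams.Server = $dc }
        foreach ($g in (Get-GPO @gpoParams)) {
            $computerSync = $g.Computer.DSVersion -eq $g.Computer.SysvolVersion
            $userSync     = $g.User.DSVersion     -eq $g.User.SysvolVersion
            [pscustomobject]@{
                Server         = $dc
                GPO            = $g.DisplayName
                Id             = $g.Id
                ComputerAD     = $g.Computer.DSVersion      # GPC half (AD)
                ComputerSysvol = $g.Computer.SysvolVersion  # GPT half (GPT.ini)
                UserAD         = $g.User.DSVersion
                UserSysvol     = $g.User.SysvolVersion
                Modified       = $g.ModificationTime
                InSync         = ($computerSync -and $userSync)
            }
        }
    }
}

# 1) GPC vs GPT on one DC: anything not InSync deserves a look before the GPO is edited again.
Get-GpoHalfMismatch | Where-Object { -not $_.InSync } | Format-Table -AutoSize

# 2) The same GPO seen from two DCs (hostnames are placeholders): differing versions or
#    ModificationTime between DCs means AD or SYSVOL replication has not converged yet.
Get-GpoHalfMismatch -Server 'DC01', 'DC02' |
    Where-Object { $_.GPO -eq 'SEC-Workstation-Baseline' } |
    Format-Table Server, ComputerAD, ComputerSysvol, UserAD, UserSysvol, Modified -AutoSize
```

Clients read both halves at refresh, so a machine that happens to talk to the lagging DC applies the old GPT while another applies the new one; comparing the counters per DC explains that split faster than a pile of gpresult reports.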

GPO Backup and Restore

Regularly back up GPOs before making changes and as part of disaster recovery.

Back up every GPO in the domain at once for disaster recovery.

    # Backup all GPOs to a shared folder
    PS C:\> Backup-GPO -All -Path "C:\GPOBackups"

    # Expected output:
    DisplayName     : Default Domain Policy
    GpoId           : 31b2f340-016d-11d2-945f-00c04fb984f9
    Id              : a1b2c3d4-e5f6-7890-abcd-ef1234567890
    BackupDirectory : C:\GPOBackups
    Timestamp       : 1/31/2026 2:15:00 PM

    DisplayName     : SEC-Workstation-Baseline
    GpoId           : 3f2a1b4c-8d7e-4a91-b6c3-9e5f0d2a8b7c
    Id              : b2c3d4e5-f6a7-8901-bcde-f12345678901
    BackupDirectory : C:\GPOBackups
    Timestamp       : 1/31/2026 2:15:01 PM

Back up a single GPO with a comment so you know why the snapshot was taken.

    # Backup one GPO with a change-management comment
    PS C:\> Backup-GPO -Name "SEC-Workstation-Baseline" -Path "C:\GPOBackups" -Comment "Before firewall change - 2026-01-31"
Figure: Troubleshoot with gpresult, rsop and gpupdate (what is applied, plus a forced refresh):

    PS> gpresult /r                    # text report of applied + denied GPOs
    PS> gpresult /h C:\rsop.html       # HTML resultant-set-of-policy report
    PS> gpupdate /force                # apply policy now, do not wait for the 90-min refresh
    PS> Get-GPOReport -Name "Lockdown" -ReportType HTML -Path C:\Lockdown.html
    PS> Get-GPInheritance -Target "OU=Sales,DC=corp,DC=local"

Restore a GPO to roll back unwanted changes using the backup directory.

    # Restore a GPO from its most recent backup
    PS C:\> Restore-GPO -Name "SEC-Workstation-Baseline" -Path "C:\GPOBackups"

    # Expected output:
    DisplayName : SEC-Workstation-Baseline
    DomainName  : hexworth.local
    Owner       : HEXWORTH\Domain Admins
    GpoStatus   : AllSettingsEnabled
    Description : Restored from backup

Import GPO settings from a backup into a new GPO, useful for copying policies between domains.

    # Import backed-up settings into a new GPO (cross-domain copy)
    PS C:\> Import-GPO -BackupGpoName "SEC-Workstation-Baseline" -TargetName "SEC-Workstation-Baseline-NEW" -Path "C:\GPOBackups" -CreateIfNeeded

    # Expected output:
    DisplayName : SEC-Workstation-Baseline-NEW
    DomainName  : hexworth.local
    Owner       : HEXWORTH\Domain Admins
    GpoStatus   : AllSettingsEnabled
Links Not Included: GPO backups include settings but NOT links. After restoring, you must re-link the GPO to the appropriate OUs, sites, or domains.
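Since the backup does not carry links, the link map is worth saving next to the backups so a restore can be completed without reconstructing it from memory. The following is an added example, not code from the course module: it records every link in the domain (target, GPO, order, enabled, enforced) to JSON and re-creates any missing links after a Restore-GPO or Import-GPO. It needs the GroupPolicy and ActiveDirectory modules; the function names and the backup path are this example's own.

```powershell
# Added example, not from the course module: export the domain's GPO links alongside the
# backups, and re-create missing links after a restore. Function names are this example's own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Export-GpoLinkMap {
    param([Parameter(Mandatory)] [string] $Path)
    $domainDn = (Get-ADDomain).DistinguishedName
    # Link targets: the domain root plus every OU (site links are not covered here).
    $targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    $map = foreach ($t in $targets) {
        foreach ($link in (Get-GPInheritance -Target $t).GpoLinks) {
            [pscustomobject]@{
                Target = $t; GpoId = "$($link.GpoId)"; DisplayName = $link.DisplayName
                Order = $link.Order; Enabled = $link.Enabled; Enforced = $link.Enforced
            }
        }
    }
    ConvertTo-Json -InputObject @($map) -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    @($map)
}

function Restore-GpoLinkMap {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $GpoName                       # restrict to one GPO, e.g. the one just restored
    )
    $map = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    foreach ($l in ($map | Sort-Object Target, Order)) {
        if ($GpoName -and $l.DisplayName -ne $GpoName) { continue }
        $already = (Get-GPInheritance -Target $l.Target).GpoLinks | Where-Object { "$($_.GpoId)" -eq $l.GpoId }
        if ($already) { continue }                       # link survived, leave it alone
        $enabled  = if ($l.Enabled)  { 'Yes' } else { 'No' }
        $enforced = if ($l.Enforced) { 'Yes' } else { 'No' }
        New-GPLink -Guid $l.GpoId -Target $l.Target -LinkEnabled $enabled -Enforced $enforced
    }
}

# Typical use: snapshot links next to the GPO backups, then re-link after a restore.
Export-GpoLinkMap -Path 'C:\GPOBackups\gpo-links.json' | Format-Table Target, DisplayName, Order, Enforced -AutoSize
# Restore-GPO -Name "SEC-Workstation-Baseline" -Path "C:\GPOBackups"
# Restore-GpoLinkMap -Path 'C:\GPOBackups\gpo-links.json' -GpoName 'SEC-Workstation-Baseline'
```

The restore matches links by GPO GUID, so a GPO restored in place gets its links back unchanged; a GPO re-created through Import-GPO has a new GUID and must be linked by name instead. Link order is recorded in the file but not re-applied, since it depends on whatever other links now exist on the target; adjust it afterwards with Set-GPLink -Order where precedence matters.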

Lab Preview: Group Policy Management

Practice GPO creation, linking, and troubleshooting through both interfaces.

GUI Lab Tasks

  • Explore Group Policy Management Console
  • Create a new GPO
  • Link GPO to an OU
  • Configure security filtering
  • View RSoP results

PowerShell Lab Tasks

  • Create GPOs with New-GPO
  • Manage links with GPLink cmdlets
  • Configure permissions
  • Generate reports
  • Backup and restore GPOs
Scenario: Configure security baselines for the IT department workstations while ensuring specific settings apply only to laptop users.
Module 10 takeaways

  • GPC + GPT: AD + SYSVOL
  • LSDOU: OU wins by default
  • Computer/User: boot + logon
  • Loopback: user policy follows the PC
  • Security Filter: limit by group
  • WMI Filter: limit by query
  • RSoP: gpresult /h

Ready for Group Policy labs and quiz.