How to Configure Group Policy on Windows Server

Group Policy is one of the most powerful tools in Windows Server administration. It lets you centrally configure settings across hundreds of computers and users — security policies, software restrictions, desktop configurations, login scripts, and much more — without touching each machine individually. This guide covers how Group Policy works and how to create and apply Group Policy Objects (GPOs) effectively.

How Group Policy Works

Group Policy settings are stored in Group Policy Objects (GPOs). Each GPO is a container of settings that can be linked to a Site, Domain, or Organisational Unit (OU) in Active Directory. When a computer starts up or a user logs in, Windows retrieves and applies all GPOs that apply to that computer or user account.

GPOs are processed in a specific order, with later settings overwriting earlier ones if they conflict:

  1. Local Policy — settings on the local machine (lowest priority)
  2. Site GPOs — linked to the AD site
  3. Domain GPOs — linked to the domain
  4. OU GPOs — linked to the specific OU containing the object (highest priority)

This hierarchy is remembered using the acronym LSDOU. Computer settings apply at startup; user settings apply at login.

Open the Group Policy Management Console

The primary tool is the Group Policy Management Console (GPMC). Open it from Server Manager → Tools → Group Policy Management, or run gpmc.msc. If it is not installed, add it via Server Manager → Add Roles and Features → Remote Server Administration Tools → Group Policy Management Tools.

Create a New GPO

  1. In GPMC, expand the forest and domain in the left panel
  2. Right-click Group Policy Objects → New
  3. Give the GPO a descriptive name (e.g. “Workstation Security Policy” or “Disable USB Storage”)
  4. Click OK — the GPO is created but not yet linked to anything

Edit a GPO

  1. Right-click the GPO → Edit
  2. The Group Policy Management Editor opens, showing two main sections:
    • Computer Configuration: settings applied to the computer at startup, regardless of who logs in
    • User Configuration: settings applied to the user at login, on any computer they use
  3. Within each section, settings are organised under:
    • Policies → Software Settings: software installation
    • Policies → Windows Settings: scripts, security settings, folder redirection
    • Policies → Administrative Templates: the largest section — thousands of registry-based settings covering every aspect of Windows behaviour

Creating a GPO does not apply it — you must link it to a location in AD:

  1. In GPMC, navigate to the OU, domain, or site you want to apply the GPO to
  2. Right-click it → Link an Existing GPO
  3. Select the GPO and click OK

The GPO now applies to all user and computer accounts in that OU (and child OUs, unless inheritance is blocked).
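The same create, edit, and link steps can be scripted with the GroupPolicy PowerShell module that ships with GPMC. This is an added example, not part of the original guide. The OU path and comment text are placeholders, and the registry value shown is the one behind the "All Removable Storage classes: Deny all access" template setting.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC / RSAT).
# Assumption: the OU distinguished name below is a placeholder for your own OU.
Import-Module GroupPolicy

$gpoName  = 'Disable USB Storage'
$targetOu = 'OU=Workstations,DC=contoso,DC=com'   # hypothetical OU

# 1. Create the GPO (it is unlinked at this point), or reuse it if it exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Blocks removable storage on workstations'
}

# 2. Edit: write the registry-based Administrative Template setting
#    "All Removable Storage classes: Deny all access" (Computer Configuration).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU. New-GPLink errors if the link already exists,
#    so check the OU's direct links first.
$links = (Get-GPInheritance -Target $targetOu).GpoLinks
if ($links.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 4. Verify: list every GPO that reaches the OU in precedence order.
#    Order 1 is processed last and wins conflicts (the OU end of LSDOU).
$som = Get-GPInheritance -Target $targetOu
"Inheritance blocked on OU: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize
```

Run it from a domain-joined management host with rights to create and link GPOs; the final table shows where the new GPO sits relative to domain-level GPOs.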

Commonly Used GPO Settings

  • Password Policy — Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy. Set minimum length, complexity, and expiry.
  • Account Lockout Policy — same location. Set lockout after X failed attempts to reduce brute-force risk.
  • Disable USB Storage — Computer Configuration → Administrative Templates → System → Removable Storage Access → Deny all access.
  • Map Network Drives — User Configuration → Preferences → Windows Settings → Drive Maps. Map shares by group membership using item-level targeting.
  • Deploy Printers — User or Computer Configuration → Preferences → Control Panel Settings → Printers.
  • Restrict Control Panel — User Configuration → Administrative Templates → Control Panel → Prohibit access to Control Panel.
  • Disable Windows features — Computer or User Configuration → Administrative Templates → Windows Components.

Force an Immediate GPO Update

By default, GPOs refresh every 90 minutes (plus a random offset). To apply changes immediately:

# Update GPO on the local machine
gpupdate /force

# Update GPO on a remote computer
Invoke-GPUpdate -Computer WORKSTATION01 -Force

# Update all computers in an OU remotely from GPMC
# Right-click the OU → Group Policy Update

Troubleshoot GPO Application with gpresult

gpresult shows which GPOs have been applied to a computer or user, and which were filtered out:

# Show applied GPOs for the current user on this computer
gpresult /r

# Generate a full HTML report
gpresult /h C:\Temp\gpo-report.html

# Show GPO results for a specific user
gpresult /user CONTOSO\jsmith /r

In GPMC, right-click Group Policy Results → run the wizard to generate a Resultant Set of Policy (RSoP) report showing exactly what is applied and why.

GPO Filtering

By default a GPO applies to all objects in the linked location. Restrict it further with:

  • Security filtering: in GPMC, select the GPO → Scope tab → Security Filtering. Remove “Authenticated Users” and add a specific group to apply the GPO only to members of that group.
  • WMI filtering: apply the GPO only if a WMI query returns true — for example, only apply to Windows 11 machines.
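Both filters can be set up and checked from PowerShell, shown here as an added example that is not part of the original guide. The group name is hypothetical, and the WQL query assumes Windows 11 client builds report a version starting with 10.0.2 while Windows 10 builds start with 10.0.1. Authenticated Users is downgraded to Read rather than removed outright because, since the MS16-072 update, user settings are fetched in the computer's security context, so the computer account must still be able to read the GPO.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

$gpoName = 'Disable USB Storage'     # GPO to filter
$group   = 'GG-Kiosk-Computers'      # hypothetical security group

# --- Security filtering ---------------------------------------------------
# Grant Read + Apply to the target group.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Take Apply away from Authenticated Users but keep Read.
# -Replace is needed: without it a lower level never overrides a higher one.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting ACL. Only $group should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Sort-Object Trustee | Format-Table -AutoSize

# --- WMI filtering --------------------------------------------------------
# There is no cmdlet for creating WMI filters; the query is pasted into
# GPMC under WMI Filters. Test it locally first: a filter passes when the
# query returns at least one object.
# ProductType = 1 limits the match to client (workstation) editions.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2%" AND ProductType = 1'

$hit = Get-CimInstance -Namespace 'root\CIMv2' -Query $wql
$os  = Get-CimInstance -ClassName Win32_OperatingSystem

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Caption       = $os.Caption
    Version       = $os.Version
    FilterMatches = [bool]$hit      # True means the GPO would apply here
}
```

Run the WMI portion on one machine that should match and one that should not before attaching the filter to a production GPO.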

Default Domain Policy — Handle with Care

The Default Domain Policy GPO applies to all objects in the domain. It should be reserved for domain-wide settings — specifically password policy and account lockout policy. Do not add application-specific or departmental settings here. Create separate GPOs linked to specific OUs instead. Keeping the Default Domain Policy clean makes the environment easier to manage and troubleshoot.
