Group Policy Reference

Free reference guide: Group Policy Reference

About Group Policy Reference

The Group Policy (GPO) Reference is a comprehensive, searchable guide to Windows Group Policy Object administration. It covers the complete policy path hierarchy under both Computer Configuration and User Configuration nodes, with real navigation paths like "Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy" that you can follow directly in the Group Policy Management Console (GPMC). The reference spans eight categories: Computer Config, User Config, Security, Network, Software, Scripts, GPO Management, and Troubleshooting.

Windows system administrators, IT infrastructure engineers, and Active Directory architects are the primary audience. The Security section covers password complexity policies, account lockout thresholds, User Rights Assignment, Security Options (such as disabling last-username display at login), and AppLocker application control rules. The Network section covers DNS client settings, Windows Defender Firewall profiles (Domain, Private, Public), offline file caching, and Policy-based QoS with DSCP value configuration.

The reference also covers operational GPO administration: deploying MSI packages via Software Installation, configuring WSUS update targets, running PowerShell and batch scripts at startup/shutdown and logon/logoff events, and managing policy inheritance with Block Inheritance and Enforced link options. The Troubleshooting section details the gpupdate /force, gpresult /h, rsop.msc, and dcgpofix commands, plus Event Viewer paths for GroupPolicy Operational logs — everything needed to diagnose GPO application failures.

Key Features

  • Computer Configuration policy paths for Security Settings, Administrative Templates, Windows Firewall, and Advanced Audit Policy
  • User Configuration paths for Folder Redirection (to network shares with %username%), Start Menu layout, and Control Panel restrictions
  • Security policies: password complexity/length/expiry, account lockout thresholds, User Rights Assignment, and AppLocker executable/script/installer rules
  • Network policies: DNS suffix configuration, Windows Defender Firewall domain/private/public profiles, offline file caching, and QoS DSCP tagging
  • Software deployment via GPO: MSI assignment (auto-install) vs publishing (user-selectable), WSUS update server targeting, and MSIX sideloading
  • Script execution policies: startup/shutdown and logon/logoff scripts, PowerShell execution policy (AllSigned/RemoteSigned), synchronous vs asynchronous processing
  • GPO management commands: gpupdate /force, gpresult /r and /h, GPMC (gpmc.msc), WMI filter queries for OS version targeting, and inheritance/Enforced/Block Inheritance control
  • Troubleshooting tools: HTML GPO reports (gpresult /h), RSoP snap-in (rsop.msc), default GPO restore (dcgpofix), and GroupPolicy Operational event log path

Frequently Asked Questions

What is a Group Policy Object (GPO) and how does it work?

A GPO is a collection of Windows settings that are applied to computers and users in an Active Directory domain. GPOs are linked to Sites, Domains, or Organizational Units (OUs) and processed by clients at startup (Computer Config) and logon (User Config). Settings can cover security, software deployment, scripts, and hundreds of registry-based Administrative Template policies.

How do I force a Group Policy update immediately?

Run gpupdate /force from the command line to immediately re-apply all policies without waiting for the standard refresh interval (default 90 minutes). Use /target:computer or /target:user to refresh only one side. On remote computers, use the GPMC's Group Policy Update right-click option or Invoke-GPUpdate in PowerShell.

How do I check which GPOs are applied to a computer or user?

Run gpresult /r for a text summary of applied GPOs and their source, or gpresult /h C:\report.html to generate a detailed HTML report. You can also open rsop.msc (Resultant Set of Policy) for an MMC snap-in view that shows the winning GPO for each setting.

What is the difference between GPO assignment and publishing for software?

Assignment automatically installs an MSI package — when linked to Computer Configuration, it installs at next startup. When linked to User Configuration, it installs at next logon or when the user first launches the application. Publishing only adds the package to Add/Remove Programs so users can manually install it; it is only available under User Configuration.

How does WMI filtering work for targeting specific OS versions?

A WMI filter is a WMI Query Language (WQL) query attached to a GPO that controls whether the GPO applies to a given computer. For example, SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" limits the GPO to Windows 10/11 and Windows Server 2016+. If the query returns no results on a computer, the filter evaluates to false and the entire GPO is skipped for that computer.
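
A way to check a filter before attaching it to a GPO, as an added example that is not part of the original reference: it runs candidate WQL queries against the local machine and reports whether each would let the GPO apply. The function name Test-WmiFilterQuery and the ProductType variants are assumptions added for illustration.

```powershell
# Added example: evaluate candidate WMI filter queries on the local machine.
# Test-WmiFilterQuery is an illustrative name, not a built-in cmdlet.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root/cimv2'
    )
    foreach ($q in $Query) {
        try {
            # A filter is true when the query returns at least one instance
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
            [pscustomobject]@{
                Query = $q; Valid = $true
                GpoWouldApply = ($rows.Count -gt 0); Error = $null
            }
        }
        catch {
            # Malformed WQL or an unknown class: reported here as "would not apply"
            [pscustomobject]@{
                Query = $q; Valid = $false
                GpoWouldApply = $false; Error = $_.Exception.Message
            }
        }
    }
}

$candidates = @(
    # The query from the text: matches clients and servers with a 10.x version
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%"',
    # ProductType 1 = workstation, so this excludes servers and domain controllers
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = 1',
    # Servers and domain controllers only
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType <> 1',
    # Constructed typo in the class name, to show the error path
    'SELECT * FROM Win32_OperatingSystm'
)
Test-WmiFilterQuery -Query $candidates | Format-Table -AutoSize -Wrap
```

Run it on one machine from each class you intend to target or exclude, since the result only describes the computer it runs on.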

What is the difference between Block Inheritance and Enforced?

Block Inheritance on an OU prevents GPOs linked higher in the hierarchy (domain or parent OU) from flowing down to that OU. Enforced (formerly No Override) on a GPO link forces it to apply even to OUs with Block Inheritance enabled. Enforced always wins over Block Inheritance.
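
An audit of where these two options are in use, as an added example that is not part of the original reference. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and the account can read the domain; the function name Get-GpoInheritanceAudit is illustrative.

```powershell
# Added example: list OUs with Block Inheritance and the Enforced links from
# higher containers that still reach them. Not a built-in cmdlet.
Import-Module ActiveDirectory, GroupPolicy

function Get-GpoInheritanceAudit {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $som = Get-GPInheritance -Target $ou.DistinguishedName

        # Enabled links made directly on this OU
        $direct = @($som.GpoLinks | Where-Object Enabled)

        # Links that apply here once Block Inheritance and Enforced are
        # resolved, kept in the order Get-GPInheritance returns them
        $effective = @($som.InheritedGpoLinks)

        # Enforced links whose target is a parent container: these are the
        # ones that override Block Inheritance on this OU
        $enforcedAbove = @($effective | Where-Object {
            $_.Enforced -and $_.Target -ne $ou.DistinguishedName
        })

        [pscustomobject]@{
            OU               = $ou.DistinguishedName
            BlockInheritance = [bool]$som.GpoInheritanceBlocked
            DirectLinks      = ($direct.DisplayName -join '; ')
            EnforcedFromAbove = ($enforcedAbove.DisplayName -join '; ')
            EffectiveGpos    = ($effective.DisplayName -join '; ')
        }
    }
}

$audit = Get-GpoInheritanceAudit

# OUs that block inheritance: confirm each still receives the security
# baseline, either through a direct link or an Enforced link from above
$audit | Where-Object BlockInheritance | Format-List
```

An OU that blocks inheritance and shows nothing under EnforcedFromAbove receives only its direct links, so a domain-level password, audit or firewall GPO that is not Enforced will not reach the computers in it.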

How do I deploy a PowerShell script via Group Policy?

Navigate to Computer Configuration > Policies > Windows Settings > Scripts > Startup (or Shutdown), click Add, and specify the .ps1 file path (typically a UNC path like \\server\share\script.ps1). Also ensure the PowerShell execution policy allows the script to run by configuring the Windows PowerShell Administrative Template policy to RemoteSigned or AllSigned.
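
A pre-deployment check for the script file, as an added example that is not part of the original reference. Computer startup scripts run as the local system account, so the check covers both the Authenticode signature (which AllSigned requires) and whether broad groups can modify the file; Test-GpoScriptIntegrity is an illustrative name and the path is the placeholder used above.

```powershell
# Added example: verify signature and NTFS write access on a GPO script.
# Test-GpoScriptIntegrity is an illustrative name, not a built-in cmdlet.
function Test-GpoScriptIntegrity {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    # Rights that allow changing or replacing the file
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $acl = Get-Acl -Path $Path    # NTFS ACL only; share permissions are separate

    $writable = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
        catch { continue }    # identity could not be resolved to a SID
        # RID 513 under a domain SID is Domain Users
        $isBroad = ($sid -in $broadSids) -or ($sid -like 'S-1-5-21-*-513')
        if ($isBroad -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            "$($ace.IdentityReference)"
        }
    }

    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status    # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject
        BroadWriteAccess = @($writable)
        Pass             = ($sig.Status -eq 'Valid') -and (-not $writable)
    }
}

# Placeholder path from the text; replace with the real script location
Test-GpoScriptIntegrity -Path '\\server\share\script.ps1' | Format-List
```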

How do I restore a corrupted Default Domain Policy?

Run dcgpofix /target:both on a Domain Controller to restore both the Default Domain Policy (which contains password and account lockout policies) and the Default Domain Controllers Policy to their factory-default state. This is a last-resort action as it will overwrite any customizations made to those two specific GPOs.