Group Policy Explained: How to Create and Apply GPOs in Windows Server

Group Policy is one of the most powerful management tools in a Windows Server environment. A single GPO can configure thousands of machines simultaneously — controlling everything from desktop wallpaper to USB drive access to password complexity. Mastering Group Policy means mastering Windows administration.

How Group Policy Works

Group Policy Objects (GPOs) are collections of settings stored in the SYSVOL share on domain controllers and replicated to all DCs in the domain. When a computer starts up or a user logs in, the Windows client contacts a domain controller and downloads applicable GPOs, then applies them in order.

The processing order is LSDOU: Local policy, Site-linked GPOs, Domain-linked GPOs, OU-linked GPOs. GPOs applied later override earlier ones — so an OU GPO wins over a domain GPO for the same setting, unless the domain GPO is set to Enforced.

Opening the Group Policy Management Console

On a domain controller or a machine with RSAT installed, open GPMC from Server Manager > Tools, or run gpmc.msc. The left panel shows your forest, domains, sites, and OUs. Under each OU you can see linked GPOs. The Group Policy Objects container under your domain holds all GPOs regardless of where they are linked.

Creating a New GPO

Right-click the Group Policy Objects container and choose New. Give it a descriptive name — include the target scope and purpose, like IT-Workstations-ScreenLock or All-PasswordPolicy. Then right-click your target OU and choose Link an Existing GPO to attach it.

Alternatively, right-click an OU directly and choose Create a GPO in this domain and Link it here — this creates and links in one step.

Editing GPO Settings

Right-click any GPO and choose Edit to open the Group Policy Management Editor. Settings are split into two trees:

  • Computer Configuration: Applied when the machine starts, regardless of who logs in. Use for security settings, software installation targeting machines, and startup scripts.
  • User Configuration: Applied at logon, following the user account. Use for desktop restrictions, drive mappings, and logon scripts.

Under each tree are Policies (enforced settings that users cannot override) and Preferences (default settings that users can change).

Practical Example: Enforce Screen Lock

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Enable Interactive logon: Machine inactivity limit and set it to 600 seconds (10 minutes). This locks any machine in the linked OU after 10 minutes of inactivity, regardless of the user's local screensaver settings.

Practical Example: Map a Network Drive

Navigate to: User Configuration > Preferences > Windows Settings > Drive Maps

Right-click > New > Mapped Drive. Set the action to Create, choose a drive letter (e.g., H:), and enter the UNC path (\\srv-files\home\%USERNAME%). The %USERNAME% variable maps each user to their own subfolder automatically.

Use Item-level targeting (on the Common tab) to apply the mapping only to specific security groups, OUs, or IP ranges — this makes a single GPO flexible enough to handle multiple scenarios.

Security Filtering

By default, GPOs apply to all Authenticated Users. To restrict a GPO to a specific group, remove Authenticated Users from the Security Filtering tab and add your target group. Remember to keep Authenticated Users in the Delegation tab with Read permission — without read permission, the GPO cannot be processed at all.
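
The create, link, and security-filter steps described above can also be scripted with the GroupPolicy PowerShell module that ships with GPMC/RSAT. This is an added example, not part of the original article; the OU path and the group name are placeholders, and the GPO name is the article's own example.

```powershell
#Requires -Modules GroupPolicy
# Assumed names: the OU and the group are placeholders for illustration.
$GpoName     = 'IT-Workstations-ScreenLock'
$TargetOu    = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$TargetGroup = 'IT-Workstations'                     # hypothetical security group

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Screen lock for IT workstations'
}

# Link it to the OU unless the link is already there (New-GPLink fails on duplicates).
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Security filtering: the target group gets Read + Apply group policy.
Set-GPPermission -Guid $gpo.Id -TargetName $TargetGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Demote Authenticated Users from Apply to Read instead of deleting the entry.
# -Replace is needed because GpoRead is lower than the default GpoApply;
# without it Set-GPPermission leaves the higher permission in place.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Verify the result rather than trusting the calls above.
$auth  = Get-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group
$group = Get-GPPermission -Guid $gpo.Id -TargetName $TargetGroup -TargetType Group
if ($auth.Permission -ne 'GpoRead' -or $group.Permission -ne 'GpoApply') {
    Write-Warning "Unexpected permissions on '$GpoName'; review the Delegation tab."
}

# Print the full delegation list for the change record.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After the script runs, the Security Filtering list in GPMC shows only the target group, while Authenticated Users remains on the Delegation tab with Read.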

WMI Filters

WMI filters let you conditionally apply a GPO based on machine properties. For example, apply a GPO only to Windows 11 machines:

# WMI Query for the filter:
# SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2%" AND ProductType = "1"

Create the WMI filter in GPMC under the WMI Filters container, then link it to your GPO from the GPO's Scope tab.

Troubleshooting GPO Application

When a GPO does not apply as expected, these commands diagnose the problem:

# Force an immediate Group Policy refresh
gpupdate /force

# Show which GPOs applied and which were filtered
gpresult /r

# Full HTML report of applied settings
gpresult /h C:\Temp\gpreport.html /f

The HTML report is the most detailed — it shows every applied and denied GPO with reasons, which is invaluable when settings unexpectedly conflict or fail to apply.