Group Policy for Windows Workstations: Essential Settings Guide

Group Policy is the backbone of Windows endpoint management in Active Directory environments. Through Group Policy Objects (GPOs), administrators can enforce security settings, configure user environments, restrict access to system tools, and deploy software — all from a central management console, without touching individual machines. This guide covers the Group Policy settings that matter most for managing Windows 10 and 11 workstations in a business environment.

Group Policy Basics

Group Policy is applied in the following order, with each layer overriding the previous for conflicting settings:

  1. Local Group Policy — Settings on the machine itself (gpedit.msc)
  2. Site — GPOs linked to the Active Directory site
  3. Domain — GPOs linked to the domain root (apply to all computers and users)
  4. Organizational Unit (OU) — GPOs linked to specific OUs. Most specific wins.

The acronym LSDOU is commonly used to remember this order. Settings from all levels are merged; where two GPOs configure the same setting, the one applied later (closer to the computer or user object) wins. Computer Configuration settings take effect at boot, while User Configuration settings take effect at logon.

Essential Tools

  • Group Policy Management Console (GPMC) — gpmc.msc — Create, link, and manage GPOs across the domain
  • Group Policy Management Editor — Edit individual GPO settings
  • Resultant Set of Policy (RSoP) — gpresult.exe — See which policies are actually being applied to a user or machine
  • Local Group Policy Editor — gpedit.msc — Edit local policy on a single machine (on domain-joined machines, any setting that a domain-linked GPO also configures is overridden by the domain value)

# Force Group Policy refresh on local machine
gpupdate /force

# Show applied policies for the current user and computer
gpresult /r

# Generate an HTML report of applied policies (/f overwrites an existing file)
gpresult /h C:\Reports\GPOReport.html /f

# Force GP refresh on a remote machine (PowerShell, GroupPolicy module)
Invoke-GPUpdate -Computer "PC001" -Force -RandomDelayInMinutes 0

Security Settings: The Password Policy

The domain password policy is configured in the Default Domain Policy GPO:

Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

Recommended settings aligned with NIST 800-63B (2024 guidance):

  • Minimum password length — 12 characters or more
  • Password must meet complexity requirements — Enabled
  • Maximum password age — 0 (no expiry) if MFA is enforced; 90 days if not
  • Enforce password history — 24 (prevent reuse of last 24 passwords)

Account Lockout Policy

Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

  • Account lockout threshold — 5 invalid attempts (balance security vs helpdesk load)
  • Account lockout duration — 15 minutes (auto-unlock) or 0 (require admin unlock)
  • Reset account lockout counter after — 15 minutes
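The following script is an added example, not part of the original guide: it reads the effective default domain password and lockout policy with the ActiveDirectory module and compares each value against the recommendations in the two sections above. The $MfaEnforced switch is an assumption about your environment that decides whether a non-expiring maximum age is acceptable; everything else comes from the settings listed above.

```powershell
# Added example (not from the original guide): audit the default domain
# password and lockout policy against the recommended baseline.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-DomainPasswordBaseline {
    param([bool]$MfaEnforced = $true)   # assumption: set per environment

    $p = Get-ADDefaultDomainPasswordPolicy

    # "Maximum password age = 0" (never expires) is reported as a zero TimeSpan;
    # an absurdly large value is treated the same way defensively.
    $neverExpires = ($p.MaxPasswordAge -le [TimeSpan]::Zero) -or ($p.MaxPasswordAge.TotalDays -gt 36500)
    $maxAgeOk = if ($MfaEnforced) { $neverExpires }
                else { (-not $neverExpires) -and ($p.MaxPasswordAge.TotalDays -le 90) }

    # Lockout duration: 15 minutes (auto-unlock) or 0 (administrator must unlock).
    $durationOk = ($p.LockoutDuration -eq [TimeSpan]::FromMinutes(15)) -or
                  ($p.LockoutDuration -eq [TimeSpan]::Zero)

    $checks = @(
        [ordered]@{ Setting = 'Minimum password length';     Actual = $p.MinPasswordLength;        Pass = ($p.MinPasswordLength -ge 12) }
        [ordered]@{ Setting = 'Complexity requirements';     Actual = $p.ComplexityEnabled;        Pass = [bool]$p.ComplexityEnabled }
        [ordered]@{ Setting = 'Maximum password age';        Actual = $p.MaxPasswordAge;           Pass = $maxAgeOk }
        [ordered]@{ Setting = 'Enforce password history';    Actual = $p.PasswordHistoryCount;     Pass = ($p.PasswordHistoryCount -ge 24) }
        [ordered]@{ Setting = 'Account lockout threshold';   Actual = $p.LockoutThreshold;         Pass = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le 5) }
        [ordered]@{ Setting = 'Account lockout duration';    Actual = $p.LockoutDuration;          Pass = $durationOk }
        [ordered]@{ Setting = 'Reset lockout counter after'; Actual = $p.LockoutObservationWindow; Pass = ($p.LockoutObservationWindow -ge [TimeSpan]::FromMinutes(15)) }
    )

    foreach ($c in $checks) { [pscustomobject]$c }
}

$results = Test-DomainPasswordBaseline -MfaEnforced $true
$results | Format-Table Setting, Actual, Pass -AutoSize

# Non-zero exit code so the script can run as a scheduled compliance check.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Fine-grained password policies (PSOs) override the default domain policy for the users and groups they target, so a clean result here does not cover them; list them with Get-ADFineGrainedPasswordPolicy -Filter * and review each one against the same baseline.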

Restricting Access to Control Panel and Settings

User Configuration > Administrative Templates > Control Panel

  • Prohibit access to Control Panel and PC Settings — Prevents users from changing system settings. Suitable for kiosks or restricted workstations.
  • Hide specified Control Panel items — Selectively hide specific applets (e.g., hide "Programs and Features" to prevent uninstalls).

Controlling Windows Update

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience

  • Configure Automatic Updates — Set to option 4 (Auto download and schedule the install) and specify a maintenance window (e.g., Sunday 03:00).
  • Do not connect to any Windows Update Internet locations — Forces updates through WSUS only.

For environments using WSUS (Windows Server Update Services):

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service

  • Specify intranet Microsoft update service location — Set to your WSUS server URL (e.g., http://wsus.domain.local:8530)
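As an added example that is not part of the original guide, the script below writes the three Windows Update settings from the sections above into a GPO using the GroupPolicy module's Set-GPRegistryValue, links it to a workstation OU, and includes a function to run on a workstation afterwards to confirm the values arrived. The GPO name and the OU distinguished name are assumptions; the WSUS URL is the one used in the guide; the registry keys and value names are the ones these Administrative Template policies write.

```powershell
# Added example (not from the original guide): configure WSUS client settings
# in a GPO and verify them on a workstation.
Import-Module GroupPolicy

$GpoName  = 'WS-WindowsUpdate'                       # assumed GPO name
$TargetOu = 'OU=Workstations,DC=domain,DC=local'     # assumed OU DN
$WsusUrl  = 'http://wsus.domain.local:8530'          # WSUS URL from the guide
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey    = "$WuKey\AU"

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'WSUS client settings' | Out-Null
}

# "Specify intranet Microsoft update service location"
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'UseWUServer'    -Type DWord  -Value 1       | Out-Null

# "Do not connect to any Windows Update Internet locations"
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName 'DoNotConnectToWindowsUpdateInternetLocations' -Type DWord -Value 1 | Out-Null

# "Configure Automatic Updates": option 4, maintenance window Sunday 03:00
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 1 | Out-Null  # 0 = every day, 1 = Sunday ... 7 = Saturday
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null  # hour of day, 0-23

# Link the GPO to the OU once
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Run on a workstation after 'gpupdate /force': read the policy keys back and
# report whether the client is pinned to WSUS with Internet fallback disabled.
function Test-WsusClientConfig {
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer        = $wu.WUServer
        UseWUServer     = ($au.UseWUServer -eq 1)
        InternetBlocked = ($wu.DoNotConnectToWindowsUpdateInternetLocations -eq 1)
        AUOptions       = $au.AUOptions
        InstallDay      = $au.ScheduledInstallDay
        InstallHour     = $au.ScheduledInstallTime
        Compliant       = ($au.UseWUServer -eq 1) -and
                          ($wu.DoNotConnectToWindowsUpdateInternetLocations -eq 1) -and
                          ($au.AUOptions -eq 4)
    }
}

Test-WsusClientConfig | Format-List
```

Two caveats a practitioner will want: the guide's example URL uses plain HTTP, and WSUS should be published over HTTPS (the SSL default port is 8531) so clients can verify the server they download metadata from; and "Do not connect to any Windows Update Internet locations" also stops the client from periodically contacting the public service, which can break connections to the Microsoft Store and other Microsoft update-based features, so test it on a pilot OU first.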

Removing Access to the Command Prompt and PowerShell

User Configuration > Administrative Templates > System

  • Prevent access to the command prompt — Hides cmd.exe from users. Note: this does not prevent PowerShell, which should be addressed separately.

To restrict PowerShell, configure Software Restriction Policies or AppLocker under:

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

AppLocker is more flexible and granular than Software Restriction Policies and supports whitelisting specific scripts, executables, and installers.
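The script below is an added example, not part of the original guide: it builds an AppLocker Script rule collection that allows scripts only from the Program Files and Windows trees (and everything for local administrators), dry-runs it against a sample script in a user-writable folder with Test-AppLockerPolicy, and publishes it into a GPO in AuditOnly mode so the effect can be reviewed before enforcement. The GPO name and the sample script location are assumptions.

```powershell
# Added example (not from the original guide): deploy an audit-mode AppLocker
# script policy through Group Policy and test a decision before rollout.
Import-Module AppLocker
Import-Module GroupPolicy

$GpoName    = 'WS-AppLocker-Scripts'                      # assumed GPO name
$PolicyPath = Join-Path $env:TEMP 'applocker-scripts.xml'

# Three path rules: two for Everyone (S-1-1-0), one for Administrators (S-1-5-32-544).
# EnforcementMode="AuditOnly" logs what would be blocked without blocking it.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# Dry run: a constructed sample script in %TEMP%, which is user-writable and
# outside the allowed trees, so the decision for Everyone should be
# DeniedByDefaultRule (AppLocker denies anything no rule allows).
$Sample = Join-Path $env:TEMP 'sample.ps1'
Set-Content -Path $Sample -Value 'Write-Host "sample"'
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Sample -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Publish the collection into the GPO (Application Control Policies > AppLocker).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Ldap "LDAP://$((Get-GPO -Name $GpoName).Path)"
```

Rules are only evaluated when the Application Identity service (AppIDSvc) is running on the client, so start it and set it to automatic through the same GPO. While the collection is in AuditOnly mode, review the Microsoft-Windows-AppLocker/MSI and Script event log for "would have been prevented" entries (event ID 8006) to find legitimate scripts that need additional rules before switching EnforcementMode to Enabled. The broad %WINDIR%\* allow rule also covers subfolders that standard users can write to (for example %WINDIR%\Temp); add Exceptions for those paths, or prefer publisher rules where scripts are signed.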

Drive Mapping via Group Policy Preferences

Group Policy Preferences (as opposed to enforced policy settings) let you map network drives; because a preference is applied rather than enforced, users can still disconnect the mapped drive if needed:

User Configuration > Preferences > Windows Settings > Drive Maps

  1. Right-click Drive Maps > New > Mapped Drive
  2. Set Action to Create, enter the UNC path (\\fileserver\SharedDocs), and choose a drive letter
  3. Use Item Level Targeting to apply the mapping only to specific security groups, OUs, or machine types

Wallpaper and Desktop Restrictions

User Configuration > Administrative Templates > Desktop

  • Desktop Wallpaper — Force a corporate wallpaper. Set the wallpaper path to a UNC path (\\fileserver\IT\wallpaper.jpg) or a local path that exists on all machines.
  • Prevent changing desktop background — Locks the wallpaper so users cannot change it.

Verifying Policy Application

# List all GPOs applied to the current machine
gpresult /scope computer /v

# List GPOs applied to a specific user on a specific machine
gpresult /user domain\username /scope user /r

# Check for Group Policy processing errors in the event log
Get-WinEvent -FilterHashtable @{LogName="System"; ProviderName="Microsoft-Windows-GroupPolicy"} |
  Where-Object { $_.Level -le 3 } |
  Select-Object TimeCreated, Id, Message -First 20

Group Policy errors typically appear in the System event log under the Microsoft-Windows-GroupPolicy source. Event ID 1085 indicates a specific extension (such as Drive Maps) failed to apply, and the message will identify the GPO and the error code.