Group Policy Management

Group Policy is an Active Directory management technology for Windows that provides centralized management of configuration settings. While it isn’t the only available management solution — PowerShell Desired State Configuration (DSC) and Mobile Device Management (MDM) can also be used — Group Policy is the recommended technology for domain-joined client devices because it provides more granular control than other solutions.

Group Policy Management Console

Group Policy settings are configured in Group Policy objects (GPOs). You can link GPOs to domains, sites and organizational units (OUs). For even more control, GPOs can be applied according to the results of Windows Management Instrumentation (WMI) filters, although WMI filters should be used sparingly because they can significantly increase policy processing time.

The Group Policy Management Console (GPMC) is a built-in Windows administration tool that enables administrators to manage Group Policy across an Active Directory forest and obtain data for troubleshooting Group Policy. You can find it in the Tools menu of Microsoft Windows Server Manager. It is not a best practice to use domain controllers for everyday management tasks, so install the Remote Server Administration Tools (RSAT) for your version of Windows on a dedicated administrative workstation instead of logging on to a domain controller to manage Group Policy.

Installing the Group Policy Management Console

If you are using Windows 10 version 1809 or later, you can install GPMC using the Settings app:

  1. Open the Settings app by pressing WIN+I.
  2. Click Apps under Windows Settings.
  3. Click Manage optional features.
  4. Click + Add a feature.
  5. Click RSAT: Group Policy Management Tools and then click Install.


Figure 1. Installing the Group Policy Management Console using the Settings app interface

If you are using an older version of Windows, you’ll need to download the right version of RSAT from Microsoft’s website.

For convenience, you might want to also install Server Manager. But if you choose not to, you can add GPMC to a Microsoft Management Console (MMC) and save the console.
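The same installation from an elevated PowerShell session, as an added example that is not part of the original article. It assumes a Windows 10 version 1809 or later (or Windows 11) client with access to Windows Update for the Feature on Demand package, or a Windows Server where GPMC is an ordinary feature; the `ProductType` check is used to tell the two apart.

```powershell
# Added example: install GPMC without the Settings app. Run elevated.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType

if ($productType -eq 1) {
    # Client: RSAT ships as a Feature on Demand (FoD). The capability name
    # below is the official one; its state is 'NotPresent' until installed.
    $cap = Get-WindowsCapability -Online |
           Where-Object Name -like 'Rsat.GroupPolicy.Management.Tools*'

    if ($cap.State -ne 'Installed') {
        # Pulls the package from Windows Update. If clients are pointed at a
        # WSUS server this typically fails with 0x800f0954 until the
        # "Specify settings for optional component installation and
        # component repair" policy allows direct download from Windows Update.
        Add-WindowsCapability -Online -Name $cap.Name | Out-Null
    }
}
else {
    # Windows Server: GPMC is a regular feature, no download required.
    Install-WindowsFeature -Name GPMC | Out-Null
}

# Verify: the GroupPolicy PowerShell module only exists once GPMC is installed.
Import-Module GroupPolicy -ErrorAction Stop
"GroupPolicy module loaded with {0} cmdlets" -f (Get-Command -Module GroupPolicy).Count

# Launch the console directly; Server Manager is not needed.
Start-Process gpmc.msc
```

If you prefer a saved MMC console, open mmc.exe, add the Group Policy Management snap-in and save the .msc file; the script above simply launches the stock console that the RSAT package installs.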

Using the Group Policy Management Console

Every AD domain has two default GPOs:

  • Default Domain Policy, which is linked to the domain
  • Default Domain Controllers Policy, which is linked to the Domain Controllers OU

You can see all the GPOs in a domain by clicking the Group Policy Objects container in the left pane of GPMC.


Figure 2. Interface of the Group Policy Management Console

Create a New Group Policy Object

Don’t change either the Default Domain Controllers Policy or the Default Domain Policy; the best way to add your own settings is to create a new GPO. (If either default GPO is ever damaged, the dcgpofix tool restores it to its installation defaults, discarding any customizations.) Keep in mind that anyone with Edit rights on a GPO can push settings, scripts and scheduled tasks to every computer and user in its scope, so use the GPO’s Delegation tab in GPMC to restrict those rights to a small set of administrators. There are two ways to create a new GPO:

  • Right-click the domain, site or OU to which you want to link the new GPO and select Create a GPO in this domain, and Link it here… When you save the new GPO, it will be linked and enabled immediately, so any settings it contains take effect at the next policy refresh.
  • Right-click the Group Policy Objects container and select New from the menu. You will then need to link the new GPO manually by right-clicking a domain, site or OU and selecting Link an Existing GPO. You can do this at any time, which makes this the safer route for a GPO whose settings are still being reviewed.

Regardless of how you create a new GPO, in the New GPO dialog you must give the GPO a name, and you can optionally base it on a Starter GPO (a template that pre-populates Administrative Template settings). The following sections describe how to configure the settings in the new GPO.
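The two creation routes above, scripted with the GroupPolicy module, as an added example that is not part of the original article. The OU distinguished name, the domain and the GPO names are assumptions chosen for illustration; the cmdlets (New-GPO, New-GPLink, Copy-GPO, Get-GPPermission) are the module’s own.

```powershell
# Added example: create and link a GPO without touching the default GPOs.
Import-Module GroupPolicy

$gpoName  = 'Workstation Security Baseline'                 # assumed name
$targetOU = 'OU=Workstations,DC=corp,DC=example,DC=com'     # assumed OU

# Route 1: "Create a GPO in this domain, and Link it here..." in one step.
# New-GPO emits the GPO object and New-GPLink accepts it from the pipeline.
# The link is enabled immediately, so only do this with reviewed settings.
$link = New-GPO -Name $gpoName -Comment 'Created via PowerShell; see change record' |
        New-GPLink -Target $targetOU -LinkEnabled Yes -Enforced No
"Linked '{0}' to {1} at link order {2}" -f $link.DisplayName, $link.Target, $link.Order

# Route 2: create unlinked (it appears only under Group Policy Objects) ...
$staging = New-GPO -Name "$gpoName (staging)"
# ... and link it later with the link disabled, so it can be inspected in
# GPMC before it applies to anything.
New-GPLink -Name $staging.DisplayName -Target $targetOU -LinkEnabled No | Out-Null

# The scripted equivalent of basing a new GPO on an existing one is to copy
# its settings (the GUI's Starter GPO option is a separate template type).
# Copy-GPO -SourceName 'Baseline Template' -TargetName "$gpoName v2"

# Check the delegation on the new GPO: every trustee with Edit rights can
# effectively run code on all computers in scope, so this list should be short.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Back the GPO up before further edits (`Backup-GPO -Name $gpoName -Path C:\GPOBackups`) so that a bad change can be reverted with Restore-GPO; GPMC itself keeps no history of settings.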

Edit a Group Policy Object

To edit a GPO, right-click it in GPMC and select Edit from the menu. The Group Policy Management Editor opens in a separate window.


Figure 3. Interface of the Group Policy Management Editor

GPOs are divided into computer and user settings. Computer settings are applied when Windows starts, and user settings are applied when a user logs on. Group Policy background processing then refreshes both sets periodically: every 90 minutes plus a random offset of up to 30 minutes on clients and member servers, and every 5 minutes on domain controllers. Most settings are reapplied only when the GPO’s version number has changed since the last refresh, although security settings are reapplied every 16 hours regardless. A few settings, such as software installation and folder redirection, are applied only at startup or logon, and gpupdate /force triggers an immediate refresh when you do not want to wait for the next cycle.

Policies vs Preferences

User and computer settings are further divided into Policies and Preferences:

  • Policies do not tattoo the registry. They are written to the reserved Policies keys (HKLM\Software\Policies, HKCU\Software\Policies and the corresponding CurrentVersion\Policies keys), and when a setting is returned to Not Configured or the GPO falls out of scope the value is removed and the application falls back to its own configuration. Group Policy-aware applications treat a policy value as authoritative over their own settings and grey out the corresponding option so that users cannot modify it; an application that never reads the Policies keys ignores policy settings entirely.
  • Preferences tattoo the registry by default, although each preference item can be set to remove itself when it is no longer applied. Preferences write to the application’s ordinary configuration location, so they overwrite the application’s settings but leave the user free to change them; unless the item is set to apply once and not reapply, the preference value is written back at the next refresh. Many of the configurable items in Group Policy Preferences, such as drive mappings and printer configuration, are things that previously required a logon script. Never rely on the password fields that older Preference items (drive maps, local users and groups, scheduled tasks, services, data sources) once offered: they stored the password in SYSVOL encrypted with a key that Microsoft published, Microsoft removed the fields in MS14-025, and any cpassword values still present in SYSVOL can be read by every domain user.
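
The difference between the two kinds of setting, shown by putting one of each into a GPO and reading them back, as an added example that is not part of the original article. The GPO name, the application key and the server URL are assumptions; the SmartScreen policy value under HKLM\Software\Policies\Microsoft\Windows\System is a real Windows policy location, used here only because it is a recognizable Policies-key example.

```powershell
# Added example: a policy value and a preference value in the same GPO.
Import-Module GroupPolicy
$gpoName = 'Workstation Security Baseline'   # assumed to exist already

# POLICY: lands under HKLM\Software\Policies. Group Policy-aware components
# read it there, and it disappears when the GPO goes out of scope.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'EnableSmartScreen' -Type DWord -Value 1 | Out-Null

# PREFERENCE: written to the application's own key (assumed path). With the
# default Update action the value persists (tattoos) if the GPO goes away.
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update `
    -Key 'HKCU\Software\Contoso\LineOfBusinessApp' `
    -ValueName 'ServerUrl' -Type String -Value 'https://lob.corp.example.com' | Out-Null

# Read both back from the GPO itself.
Get-GPRegistryValue     -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPPrefRegistryValue -Name $gpoName -Context User -Key 'HKCU\Software\Contoso\LineOfBusinessApp'

# On a client after gpupdate, the policy value is in the Policies hive (the
# user cannot change it) while the preference sits in the ordinary key:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnableSmartScreen
#   Get-ItemProperty 'HKCU:\Software\Contoso\LineOfBusinessApp' -Name ServerUrl

# Security check for the preference caveat above: find any leftover
# cpassword attributes in preference XML anywhere in SYSVOL.
$domain = $env:USERDNSDOMAIN
Get-ChildItem "\\$domain\SYSVOL\$domain\Policies" -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -List |
    Select-Object Path
```

Any path the final query returns belongs to a GPO that should be edited to remove the credential and the account’s password rotated, because the value is decryptable by anyone who can read SYSVOL.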

You can expand Policies or Preferences to configure their settings. These settings will then be applied to computer and user objects that fall into the GPO’s scope. For example, if you link your new GPO to the Domain Controllers OU, the settings will be applied to computer and user objects located in that OU and any child OUs. You can use the Block Inheritance setting on a domain or OU to stop GPOs that are linked to parent objects from being applied to its child objects. You can also set the Enforced flag on an individual GPO link, which overrides Block Inheritance further down the tree and makes that GPO’s settings win over conflicting settings in GPOs linked closer to the object, which would otherwise take precedence.

GPO Precedence

Multiple GPOs can be linked to a single domain, site or OU. When you click one of these objects in GPMC, the GPOs linked to it appear in the right pane on the Linked Group Policy Objects tab. If there is more than one linked GPO, the GPO with link order 1 has the highest precedence: its settings win over conflicting settings in GPOs with higher link order numbers. Across containers, GPOs are processed in the order local, site, domain, OU (child OUs last), and the GPO processed last wins, so an OU-linked GPO normally overrides a domain-linked GPO unless the domain link is enforced.

You can change the link order by selecting a GPO and using the arrows on the left to move it up or down. The Group Policy Inheritance tab lists every GPO that applies to the object, including those inherited from parent objects, in precedence order.
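The Linked Group Policy Objects and Group Policy Inheritance tabs as data, together with the Enforced and Block Inheritance settings from the previous section, as an added example that is not part of the original article. The OU path and GPO name are assumptions; Get-GPInheritance, Set-GPLink and Set-GPInheritance are the GroupPolicy module’s own cmdlets.

```powershell
# Added example: inspect and change GPO precedence for one OU.
Import-Module GroupPolicy
$ou = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumed OU

$inh = Get-GPInheritance -Target $ou

# GpoLinks = the "Linked Group Policy Objects" tab. Order 1 wins conflicts
# among the GPOs linked directly to this OU.
$inh.GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced

# InheritedGpoLinks = the "Group Policy Inheritance" tab: everything that
# applies here (site, domain, parent OUs, this OU) in precedence order.
# Enforced links from parents sort to the top because they cannot be
# overridden by anything linked lower in the tree.
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Target

# Move the baseline to link order 1 on this OU and enforce it, so a child
# OU that blocks inheritance still receives it.
Set-GPLink -Name 'Workstation Security Baseline' -Target $ou -Order 1 -Enforced Yes | Out-Null

# Block Inheritance on the OU (the GPMC right-click option). Left commented
# because it silently drops every non-enforced parent GPO; run it only
# against a test OU, then confirm that only enforced GPOs still arrive:
# Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null
# (Get-GPInheritance -Target $ou).InheritedGpoLinks | Select-Object DisplayName, Enforced

# Verify the resulting set of policy on a client after the next refresh.
#   gpresult /r /scope:computer
#   Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```

The InheritedGpoLinks list is the authoritative answer to "which GPO wins?" for a given container; when a setting is not taking effect, compare it with gpresult on the affected machine, since security filtering and WMI filters can still exclude a GPO that the inheritance view shows as applied.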


Figure 4. Information about all applied GPOs in GPMC

Advanced Group Policy Management

Advanced Group Policy Management (AGPM) is available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customers. Unlike GPMC, AGPM is a client/server application whose server component stores GPOs offline, including a history for each GPO. GPOs managed by AGPM are called controlled GPOs because they are managed by the AGPM service and administrators check them out, edit them offline and check them back in, much like files or code in a version control system.

AGPM provides greater control over GPOs than is possible with GPMC. In addition to providing version control, it enables you to assign roles like Reviewer, Editor and Approver to Group Policy administrators, which helps you implement strict change control throughout the entire GPO lifecycle. AGPM auditing also gives greater insight into Group Policy changes.

Russell is an IT consultant and author specializing in management and security technologies. He has more than 15 years of experience in IT, has written a book on Windows security, and coauthored a text for Microsoft’s Official Academic Course (MOAC) series.