What is Group Policy & how do GPOs work in Active Directory?

Group Policy is a feature of Microsoft Windows that allows IT admin to manage and set up settings on the operating systems, Windows server and users from a central location. It is a simple and effective way to manage computer, browser, and user settings. This guide will be going to explain what GPO is in an active directory and how GPOs work in AD. Besides this, we will also describe the stepwise procedure for creating and managing group policies in the Active Directory.

What is Group Policy in Active Directory (AD)?

Group Policy in Active Directory is a way to configure or manage settings on computers and users in a specific network. It allows users to set up security settings and software installation and modify user settings the same way on all devices connected to the domain. Moreover, it simplifies administrators and users to set up settings from a single dashboard or console with ease.

Active Directory Group Policy examples:

• Password policies, like setting up a minimum length for the password, requiring specific characters or numbers, etc.
• Control failed login attempts; set up a certain number of attempts to lock the account if failed to login, like 3, 5, 7 or 10.
• Configure settings to automatically install the software on multiple devices.

What are Group Policy Objects (GPO) in AD?

First, we will know what is Group Policy Objects (GPO)? It is a particular collection of settings and rules that control how users can use computers in Windows. Moreover, the GPOs permit users to control a variety of settings.

Examples of the Group Policy Objects:

• Password or security policies for a specific group in an organization, like the Sales department.
• Software and Printer Installation rules across all computers and users in a particular unit or department.

On the other hand, it is the Group Policy Objects (GPO) in Active Directory. It also controls a specific collection of Group Policy settings, which is linked to a site, domain and Organizational Units (OUs).

Also, users need to apply GPO in a particular order. The Group Policy hierarchy is as follows: Local, Site, Domain, and then Organizational Units (OUs).

Types of the GPOs:

Group Policy Objects (GPO) allows the admin to apply various settings on multiple user computers. The section below will share a few common Group Policy Objects (GPO) types.

1. Local Group Policy Objects: Users can use it to apply settings on a specific computer. This policy object will be applied on a computer that is not connected to a network or domain.
   • Users can simply open it in their individual system; press the Windows + R keys, type msc and hit the Enter button.
   • It allows users to apply policies on their local device, e.g., changing the background of individual computers via LGPOs.
2. Domain-based Group Policy Objects: Administrators can implement these settings on multiple computers within a network or domain, like in an organization. They control these settings from a server to many computers that we generally use term domains or networks.
   • You can easily manage and create these policies or settings by using the Group Policy Management Console (GPMC).
   • In case a business wants to have the same background or security settings for each employee device, they will use the domain-based Group Policy Objects to implement everything to many devices at once.
3. Starter Group Policy Objects: Starter Group Policy Objects (SGPOs) are a basic set of settings or rules that IT admin can use to create new policies. It is called a starting point and works like the template for creating new Group Policy Objects.
   • It ensures that the settings are similar across all computers that need the same configuration, like setting up a new computer or device.
   • You can also manage SGPOs using the Group Policy Management Console (GPMC) tool.

How does Group Policy Work?

Group Policy working relies on the Administrator, as it is responsible for creating policies on the user computers. After that, users can download the policy on their device and apply it to the settings. It helps to define how the users and computers behave within a specific domain or network.

In a domain, the users and computers are connected to Active Directory, which allows IT admin to manage them. You can easily link the GPOs to several parts of the Active Directory, such as to a particular group or network.

• Group Policy settings or rules refresh after every 90 minutes. Moreover, users can manually update them using the gpupdate command to apply instantly.
• To create and manage GPOs, there is the Group Policy Management Console Tool.
• You can use the Resultant Set of Policy (RSoP) Tool to know which policy is in effect and understand which policy is applied to a specific computer.
• It also helps administrators to ensure security and simplify the user interface over a small or big network or domain.
• The GPOs can also apply settings like requiring a password if the system is inactive for a specific time and many more.

GPOs processing order (Group Policy Hierarchy):

Group Policy Objects are applied in a specific order that examines implemented settings on users and computers in the Active Directory. The GPO processing order is as follows:

• Local Group Policy: It is the first in the order and applied only on an individual computer. This policy is processed when users log in or set up a new computer in the organization.
• Site-based GPOs: These settings affect all the computers within a site. It is linked with the Active Directory site where all the computers are located. In addition, it is applied after the Local Group Policy and is helpful for processing rules for all users within a network.
• Domain-level GPOs: Domain-based GPOs are linked with the entire network or domain. Also, it is applied after the site-based GPOs and to all users and computers within a specific domain.
• Organizational Unit (OU) GPOs: These rules or settings are applied to a specific Organizational Unit (OU) in the Active Directory. Admin implements these GPOs for different units or departments of the organizations. In sequence, it is the last one that is processed.

How to create and manage Group Policies in Active Directory?

Users need to create and manage Group Policies for applying settings on multiple users and computers in a network. For this, users require the Group Policy Management Console Tool and then follow the upcoming steps to create and manage GPOs in Active Directory or AD. We will explain the complete procedure by breaking it down into multiple parts to provide users with a better understanding of creating group policies.

Part 1: Guide to create and edit Group Policies

Follow the stepwise guide below to create Group Policies.

• First, hit the Windows + R keys, type gpmc.msc, and press Enter. (If not found, kindly click here and download the GPMC tool first)
• After that, spread the forest and domain from the left panel.
• Then, right-click on the Group Policy Objects, and a context menu will appear.
• Choose New from the appeared menu to create a new GPO.
• Next, give a name to your GPO and hit the OK button.
• Click the newly created GPO and hit the Edit button to edit the GPO.
• This will open the Group Policy Management Editor, where you can modify rules or settings.
• Then, proceed to Computer Configuration to configure settings on the computers and move to User Configuration to configure settings on the users.
• Please spread the Categories section to find and modify the particular policy.
• Once you are done editing GPO, close the Group Policy Management Editor on your system.

Part 2: Steps to link a GPO

• Find the site, domain or Organization Unit where you want to link GPO and right-click on it.
• After that, click the link an Existing GPO option.
• Then, a list will appear on your screen, select your GPO and tap the OK button.

These steps will help you to easily link a GPO to a domain, network, site or Organizational Unit.

Part 3: How to Manage GPOs?

Now, we will explore the guide to manage GPOs in the following section, like view settings, backup, restore, or delete GPOs.

• GPO Settings: Open the GPMC tool, right-click on the GPO and select Edit to view GPO settings.
• Apply a GPO: Make a right-click on the desired GPO and choose Enforce. Moreover, this can also be implemented to prevent lower-level policies from going over it.
• Disable Inheritance: If you want to avoid higher-level GPOs from linking to a specific Organization Unit (OU), you need to right-click the OU and choose the Block Inheritance
• Backup and Restore GPOs: To back up a specific GPO, proceed with right-click on the GPO. Then, tap the Backup option and select a location where you want to save the GPO copy.
  • To restore from a backup, right-click the selected GPO and choose the Manage Backup option to restore GPO from a backup.
• Removing a GPO: If you do not need GPO anymore and you want to remove it permanently, then right-click on it and continue with the Delete option.
• Instant GPO Update: You first need to launch the command prompt and run the gpupdate /force command on the computer to update GPO settings quickly.

Part 4: GPO testing procedure

• In the Group Policy Management Console, go to the Group Policy Results and right-click on it.
• Then, choose the Group Policy Results Wizard to view which policy is applied on a specific computer and user.
• Also, you can check the Event Viewer on the target computer to know the issues in processing the Group Policy.

Let us understand the Group Policy Preferences

Group Policy Preferences are helpful in setting up the initial configurations and also allow users to remove them. It provides more flexibility to users for managing and applying settings on the users and computers.

In addition, the Group Policy Preferences is changeable by users, but they can’t modify Group Policy settings. It is useful when users are looking to map network drives, install Printers and Software, add desktop shortcuts and modify registry settings.

1. Create and link Group Policy using Preferences:

• Open the GPMC tool: Tap the Windows + R keys at the same time, type gpmc.msc and press the Enter key.
• Next, kindly select the desired domain or OU and right-click on it.
• Then, tap the Create a GPO and continue with the Link it Here option.
• Type a name for your GPO and click the OK button.
• After that, go to the newly created GPO, make a right click and click the Edit button.
• The GPO editor will open. Then, expand the User or Computer Configuration per your accordance.
• Thereafter, spread the Preferences, where you will see a lot of options.
• Select the Preference by right-clicking on it, like Drive Maps and click the New.
• Then, pick the type of item you want to link and enter the required details, such as drive path, etc.
• Modify other changes, like removing prior drive mappings if needed.
• Now, tap the OK button to save the preferences.
• Ensure that the GPO is linked to the desired OU or network. After that, apply the GPO settings on users and computers.

2. Manage Group Policy Preferences

Here, we will share how you can delete preferences and use item-level targeting to set the conditions when GPO will apply. Let us see how to manage GPO preferences.

• Delete Preferences: Look for the preference item you want to disable and right-tap on it. Then, select the Delete option to remove the preferences.
• Item-level Targeting: You can easily set the targeting conditions when configuring the preferences for a group network or specific user settings.

Group Policy Preference allows users to manage and configure settings more comprehensively. Also, always test the GPO before applying to avoid hassles for other users.

To conclude, the best is yet to come!

This article defines what GPO is, GPO in Active Directory, how it works, Group Policy Preferences and the procedure to create and manage Group Policies.  We are very well aware that while working with Microsoft Exchange, users may face unexpected situations where they need to backup or recover EDB files. So, we are sharing the Shoviv Exchange Recovery Manager, a standalone solution to export the Exchange database, EDB migration, database recovery and many more.

Now the decision is yours! Choose wisely and also try this tool’s free evaluation version to evaluate its functionality and efficiency. If you need assistance in managing Exchange database files, contact our technical support team. Our team is present 24/7 to assist you.

• Author
• Recent Posts

Vishesh Kumar

Vishesh Kumar is working as a technical content writer with Shoviv Software. He has a degree in Mass Communication with years of experience in creating engaging and informative content. Vishesh likes looking into a variety of subjects, from technology to lifestyle and making complex topics easy. He keeps updated on the latest on-going trends and enjoys new experiences when not writing.

Latest posts by Vishesh Kumar (see all)

• How to Archive, Restore, or Delete Microsoft Teams Chats? - December 11, 2024
• New Outlook vs Old Outlook for Windows – A Quick Comparison - December 6, 2024
• 10 Best Microsoft Office 365 Migration Tools in 2025 - December 2, 2024