How to Configure Windows Server 2016 Group Policy
Group Policy is a powerful feature of Active Directory that enables centralized management and configuration of operating systems, applications, and user settings across an Active Directory environment. In Windows Server 2016, Group Policy is administered through the Group Policy Management Console (GPMC) and uses Group Policy Objects (GPOs) linked to Active Directory sites, domains, and organizational units (OUs). This guide covers the fundamentals of creating, linking, and troubleshooting GPOs.
Step 1: Install Group Policy Management Tools
Install GPMC on the server or management workstation:
Install-WindowsFeature -Name GPMC
Or via Server Manager: Manage > Add Roles and Features > Features > Group Policy Management.
Step 2: Create a New Group Policy Object
Create a GPO using PowerShell:
New-GPO -Name "Security Baseline" -Domain "corp.local" -Comment "Corporate security baseline policy"
List all GPOs in the domain:
Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime
Step 3: Link a GPO to an Organizational Unit
New-GPLink -Name "Security Baseline" -Target "OU=Servers,DC=corp,DC=local" -LinkEnabled Yes -Enforced No
Link to the domain root (applies to all computers and users):
New-GPLink -Name "Security Baseline" -Target "DC=corp,DC=local" -LinkEnabled Yes
Step 4: Configure Policy Settings via PowerShell
Set a registry-based policy value in a GPO:
Set-GPRegistryValue -Name "Security Baseline" `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "EnableLUA" `
    -Type DWord `
    -Value 1
Grant a group permission to apply the GPO (Set-GPPermissions manages permissions on the GPO itself, not User Rights Assignment settings):
Set-GPPermissions -Name "Security Baseline" -TargetName "Domain Users" -TargetType Group -PermissionLevel GpoApply
Step 5: Configure Password Policy via GPO
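The Default Domain Policy controls domain-wide password settings. The command below writes the Netlogon MaximumPasswordAge registry value into that GPO; this value controls how often domain members change their machine account password, in days. The domain's user password settings (age, length, complexity) are account-policy security settings, not registry values, so Set-GPRegistryValue does not change them:
Set-GPRegistryValue -Name "Default Domain Policy" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
    -ValueName "MaximumPasswordAge" `
    -Type DWord `
    -Value 90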
For fine-grained password policies, use Active Directory PowerShell:
New-ADFineGrainedPasswordPolicy -Name "AdminPasswordPolicy" `
    -Precedence 10 `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge "30.00:00:00" `
    -MinPasswordAge "1.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutObservationWindow "00:30:00" `
    -LockoutDuration "00:30:00" `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false
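Added example (not from the original guide) that completes this step: it sets the domain-wide user password age with Set-ADDefaultDomainPasswordPolicy, applies the AdminPasswordPolicy fine-grained policy to a group, and reports which policy is actually in effect for each member. The group name "Domain Admins" is an assumption; corp.local and the 90-day value come from the guide.

```powershell
# Added example; the group name is an assumption, other names come from Step 5.
Import-Module ActiveDirectory

$psoName   = 'AdminPasswordPolicy'   # fine-grained policy (PSO) created above
$groupName = 'Domain Admins'         # assumption: global security group the PSO should cover

# Domain-wide user password age lives in the domain's account policy.
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.local' -MaxPasswordAge '90.00:00:00'

# A PSO affects nobody until it is applied to users or global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

$pso     = Get-ADFineGrainedPasswordPolicy -Identity $psoName
$default = Get-ADDefaultDomainPasswordPolicy -Identity 'corp.local'

# For each user in the group, report which policy actually wins.
$report = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        # Returns nothing when no PSO applies and the domain default is in effect.
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $source    = if ($effective) { $effective } else { $default }
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = if ($effective) { $effective.Name } else { 'Domain default' }
            MinLength       = $source.MinPasswordLength
            MaxAge          = $source.MaxPasswordAge
            LockoutAfter    = $source.LockoutThreshold
            UsesExpectedPso = ($effective -and
                               $effective.DistinguishedName -eq $pso.DistinguishedName)
        }
    }

# Accounts not governed by the expected PSO are listed first.
$report | Sort-Object UsesExpectedPso, User | Format-Table -AutoSize
```

Any row with UsesExpectedPso set to False is an account that either falls back to the domain default or is governed by a different PSO with a lower precedence value.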
Step 6: Block GPO Inheritance
Prevent GPOs from higher levels applying to a specific OU:
Set-GPInheritance -Target "OU=Quarantine,DC=corp,DC=local" -IsBlocked Yes
Step 7: Filter GPO Application with Security Filtering
By default, GPOs apply to Authenticated Users. Restrict a GPO to a specific group:
Set-GPPermissions -Name "Security Baseline" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None
Set-GPPermissions -Name "Security Baseline" -TargetName "AdminWorkstations" -TargetType Group -PermissionLevel GpoApply
Step 8: Run Group Policy Update on Remote Computers
Force an immediate Group Policy update on remote computers:
Invoke-GPUpdate -Computer "Server01" -Force -RandomDelayInMinutes 0
Or update all computers in an OU:
Get-ADComputer -Filter * -SearchBase "OU=Servers,DC=corp,DC=local" | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0
}
Step 9: Generate Group Policy Reports
Generate an HTML report of a GPO’s settings:
Get-GPOReport -Name "Security Baseline" -ReportType HTML -Path "C:\Reports\SecurityBaseline.html"
Step 10: Run RSOP (Resultant Set of Policy) Analysis
Determine the effective policy for a user or computer:
gpresult /H C:\Reports\RSOP-Server01.html /S Server01 /SCOPE COMPUTER
Get-GPResultantSetOfPolicy -Path C:\Reports\RSOP.xml -ReportType XML
View a quick summary from a local machine:
gpresult /r
Troubleshooting GPO Issues
Check GPO application events:
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 30 | Select-Object TimeCreated, Id, Message
Verify GPO replication across domain controllers:
repadmin /replsummary
Summary
Group Policy on Windows Server 2016 is an essential tool for enforcing security configurations, software deployment, and user environment management at scale. By mastering GPO creation, linking, security filtering, and troubleshooting with tools like gpresult and Get-GPResultantSetOfPolicy, administrators can maintain consistent and secure configurations across their entire Active Directory environment.