How to Set Up Windows Server 2016 Group Policy Starter GPOs
Starter GPOs are templates for Group Policy Objects. They capture a baseline collection of Administrative Template settings that can be used as the starting point for new GPOs, ensuring consistency across all policies created in the domain. On Windows Server 2016, Starter GPOs are managed through the Group Policy Management Console and PowerShell, and they can also be exported and imported to share baselines across forests or organisations. This tutorial covers creating, customising, applying, and exporting Starter GPOs.
Understanding Starter GPOs
A Starter GPO contains only Administrative Template settings (those derived from ADMX files). It cannot hold security settings, software installation, scripts, or preferences. When you create a new GPO from a Starter GPO, all the Administrative Template settings from the Starter are copied into the new GPO as a starting configuration. The new GPO is then fully independent—changes to the Starter do not propagate back to GPOs already created from it.
Starter GPOs are stored in the domain’s SYSVOL under StarterGPOs and replicate to all domain controllers alongside regular GPOs.
Initialising the Starter GPOs Folder
Before creating a Starter GPO, you must initialise the StarterGPOs folder in SYSVOL. In GPMC, click the Starter GPOs node under your domain. If the folder does not exist, GPMC will display a button labelled Create Starter GPOs Folder. Click it. Alternatively, initialise it from PowerShell:
# Trigger GPMC to create the folder by accessing the Starter GPOs node programmatically
$gpmc = New-Object -ComObject GPMgmt.GPM
$constants = $gpmc.GetConstants()
$domain = $gpmc.GetDomain("contoso.com", "", $constants.UseAnyDC)
$domain.InitializeConstants | Out-Null
Or simply create the folder manually in SYSVOL:
New-Item -ItemType Directory -Path "\\contoso.com\SYSVOL\contoso.com\StarterGPOs" -Force
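A folder created by hand inherits the inheritable permissions of its parent, so it is worth confirming who can write to it before baselines are stored there. The following is an added example, not part of the original tutorial: it lists principals that can write to StarterGPOs but not to the Policies folder. Using Policies as the reference ACL and the function names are assumptions of this sketch.

```powershell
# Added example. The domain name is the tutorial's; treating the Policies
# folder as the reference ACL is an assumption of this check.
$sysvol = '\\contoso.com\SYSVOL\contoso.com'

# Rights that let a principal add, alter or take over template content.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic rights: GENERIC_ALL | GENERIC_WRITE.
$writeMask = [int]$writeRights -bor 0x50000000

function Get-WriteCapablePrincipal {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Test-StarterGpoFolderAcl {
    param([string]$Root = $sysvol)
    $reference = @(Get-WriteCapablePrincipal -Path (Join-Path $Root 'Policies'))
    $starter   = @(Get-WriteCapablePrincipal -Path (Join-Path $Root 'StarterGPOs'))
    # Anything that can write here but not to Policies deserves a look.
    $starter | Where-Object { $reference -notcontains $_ }
}

$unexpected = @(Test-StarterGpoFolderAcl)
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected writers on StarterGPOs: $($unexpected -join ', ')"
} else {
    Write-Output 'StarterGPOs write access matches the Policies folder.'
}
```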
Creating a Starter GPO in GPMC
In GPMC, right-click the Starter GPOs node and select New. Provide a descriptive name such as Baseline – Workstation Security or Baseline – Server Hardening. Optionally add a comment describing the purpose and intended use of this baseline. Click OK.
Right-click the new Starter GPO and select Edit to open it in a restricted version of the Group Policy Management Editor that only displays Administrative Templates. Configure the desired baseline settings. Common entries for a workstation baseline include:
– Computer Configuration > Administrative Templates > Windows Components > Windows Update — configure automatic update behaviour
– User Configuration > Administrative Templates > Control Panel — restrict access to Control Panel items
– Computer Configuration > Administrative Templates > System — configure remote assistance and error reporting settings
Creating a Starter GPO with PowerShell
New-GPStarterGpo -Name "Baseline - Workstation Security" `
-Comment "Standard workstation Admin Template baseline. Created $(Get-Date -Format 'yyyy-MM-dd')"
List all existing Starter GPOs:
Get-GPStarterGpo -All | Select-Object DisplayName, StarterGpoType, Description, CreationTime
Creating a New GPO from a Starter GPO
When creating a new GPO, specify the Starter GPO as the starting configuration. This copies all its Administrative Template settings into the new GPO:
New-GPO -Name "Sales Workstation Policy" `
-StarterGpoName "Baseline - Workstation Security" `
-Comment "GPO for Sales OU workstations"
Link the new GPO to the appropriate OU:
New-GPLink -Name "Sales Workstation Policy" `
-Target "OU=Sales,DC=contoso,DC=com" `
-LinkEnabled Yes -Order 1
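Because a GPO created from a Starter GPO is independent of it, later edits on either side go unnoticed unless someone compares them. The following added example (not code from the original tutorial) reports baseline settings that are missing or have a different state in the derived GPO. The temporary reference GPO name and the function names are assumptions, and only each policy's name and state are compared, not its option values.

```powershell
# Added example. GPO and Starter GPO names come from the tutorial;
# the temporary reference GPO name is an assumption.
Import-Module GroupPolicy

function Get-AdminTemplateState {
    param([Parameter(Mandatory)][string]$GpoName)
    # Without -Path, Get-GPOReport returns the XML report as a string.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $state = @{}
    foreach ($side in 'Computer', 'User') {
        # Match on local names so extension namespace prefixes do not matter.
        $xpath = "/*[local-name()='GPO']/*[local-name()='$side']//*[local-name()='Policy']"
        foreach ($policy in $report.SelectNodes($xpath)) {
            $name = $policy.SelectSingleNode("*[local-name()='Name']").InnerText
            $state["$side|$name"] = $policy.SelectSingleNode("*[local-name()='State']").InnerText
        }
    }
    return $state
}

function Compare-GpoToStarter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$StarterGpoName
    )
    # Materialise the Starter's current settings in an unlinked, temporary GPO.
    $refName = "TEMP-DriftRef-$([guid]::NewGuid())"
    New-GPO -Name $refName -StarterGpoName $StarterGpoName | Out-Null
    try {
        $baseline = Get-AdminTemplateState -GpoName $refName
        $actual   = Get-AdminTemplateState -GpoName $GpoName
        foreach ($key in $baseline.Keys) {
            if (-not $actual.ContainsKey($key)) {
                [pscustomobject]@{ Setting = $key; Baseline = $baseline[$key]; Actual = 'Not configured' }
            } elseif ($actual[$key] -ne $baseline[$key]) {
                [pscustomobject]@{ Setting = $key; Baseline = $baseline[$key]; Actual = $actual[$key] }
            }
        }
    } finally {
        Remove-GPO -Name $refName   # always clean up the reference copy
    }
}

Compare-GpoToStarter -GpoName "Sales Workstation Policy" `
    -StarterGpoName "Baseline - Workstation Security" | Format-Table -AutoSize
```

Settings that exist only in the derived GPO are not reported, since adding to the baseline is the expected use of a Starter GPO.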
Exporting a Starter GPO as a Cabinet File
Starter GPOs can be exported as .cab files for sharing with other domains or for backup purposes. In GPMC, right-click the Starter GPO and select Save as Cabinet File. Choose a save location and click OK.
From PowerShell:
$starter = Get-GPStarterGpo -Name "Baseline - Workstation Security"
# Export via GPMC COM object
$gpmc = New-Object -ComObject GPMgmt.GPM
$constants = $gpmc.GetConstants()
$domain = $gpmc.GetDomain("contoso.com","", $constants.UseAnyDC)
$starterGPO = $domain.GetStarterGPO("{$($starter.Id)}")
$starterGPO.Save("C:\Exports\WorkstationBaseline.cab")
Importing a Starter GPO Cabinet File
To import a Starter GPO from a cabinet file in GPMC, right-click the Starter GPOs node and select Load Cabinet. Browse to the .cab file and click OK. The Starter GPO is recreated with a new GUID but the same settings, making it immediately available as a template.
Microsoft-Provided Starter GPOs
Microsoft ships a set of Starter GPOs with GPMC that align with security best practices. Access them by clicking the Load Starter GPOs button in the Starter GPOs GPMC interface (if available) or download the Security Compliance Toolkit from the Microsoft Download Center. The toolkit includes .cab files for domain, member server, and workstation baselines that can be imported directly as Starter GPOs or regular GPOs:
# After downloading the Security Compliance Toolkit, import a baseline GPO
Import-GPO -BackupGpoName "MSFT Windows Server 2016 - Domain Security" `
-TargetName "Server Baseline - Domain Security" `
-Path "C:\SecurityBaseline\GPO Backups" `
-CreateIfNeeded
Starter GPOs reduce the effort required to maintain consistent policy baselines across a large environment and make onboarding new GPO administrators more straightforward by giving them a well-defined, pre-approved starting configuration.