How to Create and Manage Group Policy Objects on Windows Server 2012 R2

Group Policy is one of the most powerful administrative tools in a Windows Server environment. Group Policy Objects (GPOs) allow administrators to enforce security settings, software installation, desktop configuration, and hundreds of other settings across users and computers in an Active Directory domain. Windows Server 2012 R2 includes a mature Group Policy infrastructure with PowerShell support through the GroupPolicy module, the Group Policy Management Console (GPMC), and the Group Policy Object Editor. This guide covers creating, configuring, linking, and troubleshooting GPOs.

Prerequisites

Group Policy management requires Domain Admin rights or membership in the Group Policy Creator Owners group. The Group Policy Management feature must be installed, which can be done via Server Manager or PowerShell:

Install-WindowsFeature GPMC
Import-Module GroupPolicy

The GPMC can also be installed on Windows 8.1 workstations as part of RSAT to manage Group Policy remotely.

Understanding GPO Processing Order

Before creating GPOs, understand the LSDOU processing order: Local, Site, Domain, and Organisational Unit. GPOs are applied in this order, with later GPOs overwriting earlier ones for conflicting settings. Multiple GPOs linked to the same level are processed in link order (highest link order number is processed first, meaning lowest link order wins for conflicts). Enforced GPOs cannot be blocked by child containers and always win regardless of link order.
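As an added example (not code from the original article), the function below reproduces the Domain-to-OU part of the LSDOU rules above: it walks from the domain root down to a target OU, honours Block Inheritance and Enforced, and lists the linked GPOs in the order they are processed, so the last row wins any conflicting setting. Local and Site links are not covered, and the OU path is a constructed sample.

```powershell
# Added example, not from the original article: derive the processing order of the
# GPOs that reach an OU from the domain level downward, applying the LSDOU rules
# (Block Inheritance drops non-enforced parent links; Enforced links are processed
# last, with the highest-level enforced link winning). Local and Site links are
# not covered. Requires the GroupPolicy module and connectivity to the domain.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$OuPath)

    # Build the container chain from the domain root down to the target OU,
    # e.g. DC=contoso,DC=com -> OU=Contoso,... -> OU=Finance,... -> $OuPath
    $chain = @()
    $current = $OuPath
    while ($current) {
        $chain = ,$current + $chain
        if ($current -match '^DC=') { break }       # reached the domain root
        $current = ($current -split ',', 2)[1]      # strip the leading RDN
    }

    $nonEnforced = @()   # processed top-down; later entries override earlier ones
    $enforced    = @()   # processed after all non-enforced links, child before parent
    foreach ($som in $chain) {
        $inh = Get-GPInheritance -Target $som
        if ($inh.GpoInheritanceBlocked) { $nonEnforced = @() }   # Block Inheritance
        # Within one container, higher link-order numbers are processed first,
        # so link order 1 is applied last and wins conflicts.
        $links = @($inh.GpoLinks | Where-Object Enabled | Sort-Object Order -Descending)
        $nonEnforced += @($links | Where-Object { -not $_.Enforced })
        # A child's enforced links are processed before its parents' enforced links,
        # so an enforced setting at the domain level is the final word.
        $enforced = @($links | Where-Object Enforced) + $enforced
    }

    $step = 0
    foreach ($link in ($nonEnforced + $enforced)) {
        $step++
        [pscustomobject]@{
            Step     = $step
            GPO      = $link.DisplayName
            LinkedAt = $link.Target
            Enforced = $link.Enforced
        }
    }
}

# Constructed sample OU path; the last row wins any conflicting setting.
Get-GpoProcessingOrder -OuPath 'OU=Computers,OU=Finance,OU=Contoso,DC=contoso,DC=com' |
    Format-Table -AutoSize
```

Compare the result with `(Get-GPInheritance -Target $ou).InheritedGpoLinks`, which is the built-in answer; the function only makes visible how that ordering arises.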

Creating a New GPO

Create GPOs using the New-GPO cmdlet. Always use descriptive names that indicate the purpose and scope of the GPO:

# Create a new GPO
New-GPO -Name "Finance-PasswordPolicy" `
    -Comment "Password complexity and length requirements for Finance OU" `
    -Domain "contoso.com"

# Create a GPO and immediately link it to an OU
New-GPO -Name "Workstations-SecurityBaseline" |
    New-GPLink -Target "OU=Computers,OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -LinkEnabled Yes

Configuring GPO Settings with PowerShell

The Set-GPRegistryValue cmdlet sets registry-based policy settings. Many Group Policy preferences and administrative template settings write to specific registry keys:

# Set screen saver timeout (User Configuration: HKCU keys are user policy,
# HKLM keys are computer policy)
Set-GPRegistryValue -Name "Workstations-SecurityBaseline" `
    -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" `
    -ValueName "ScreenSaveTimeOut" `
    -Type String `
    -Value "900"

# Enable screen saver password (the template stores this as the string "1")
Set-GPRegistryValue -Name "Workstations-SecurityBaseline" `
    -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" `
    -ValueName "ScreenSaverIsSecure" `
    -Type String `
    -Value "1"

# Disable USB storage devices (Start = 4 sets the USBSTOR driver service to Disabled)
Set-GPRegistryValue -Name "Workstations-SecurityBaseline" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" `
    -ValueName "Start" `
    -Type DWord `
    -Value 4

Configuring Security Settings

Security settings within GPOs control account policies, local policies, event log settings, and more. These are typically configured through the Group Policy Object Editor GUI under Computer Configuration > Windows Settings > Security Settings. Key areas include:

Account Policies configure password history (24 passwords remembered), minimum password age (1 day), maximum password age (60 days), minimum password length (12 characters), and account lockout threshold. Audit Policies define what events are logged. User Rights Assignment controls which users can log on locally, access the system over the network, or manage auditing and security logs.

# Export current GPO security settings to a file for review
Get-GPOReport -Name "Workstations-SecurityBaseline" `
    -ReportType HTML `
    -Path "C:\Reports\WorkstationBaseline-Report.html"
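The account policy values listed above are what the domain-linked GPO is meant to deliver; the following added check (not part of the original article) reads the effective domain password policy from Active Directory and compares it with those values, so it verifies the result rather than the GPO's intent. It assumes the ActiveDirectory module is available on the management host.

```powershell
# Added example, not from the original article: verify that the domain's effective
# account policy matches the baseline values listed above (24 passwords remembered,
# minimum age 1 day, maximum age 60 days, minimum length 12). Requires the
# ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function Test-DomainPasswordBaseline {
    $policy = Get-ADDefaultDomainPasswordPolicy
    # Expected values are taken from the baseline described in the article.
    $checks = @(
        @{ Setting = 'PasswordHistoryCount';  Expected = 24; Actual = $policy.PasswordHistoryCount }
        @{ Setting = 'MinPasswordAge (days)'; Expected = 1;  Actual = $policy.MinPasswordAge.TotalDays }
        @{ Setting = 'MaxPasswordAge (days)'; Expected = 60; Actual = $policy.MaxPasswordAge.TotalDays }
        @{ Setting = 'MinPasswordLength';     Expected = 12; Actual = $policy.MinPasswordLength }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = $c.Actual
            Compliant = ($c.Actual -eq $c.Expected)
        }
    }
    # The article names a lockout threshold but gives no value; treating "configured"
    # as any non-zero threshold is an assumption of this example.
    [pscustomobject]@{
        Setting   = 'LockoutThreshold'
        Expected  = 'non-zero'
        Actual    = $policy.LockoutThreshold
        Compliant = ($policy.LockoutThreshold -gt 0)
    }
}

Test-DomainPasswordBaseline | Format-Table -AutoSize
```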

Linking GPOs to Sites, Domains, and OUs

A GPO must be linked to a scope of management (SOM) before it applies to any objects. Use New-GPLink to create links:

# Link GPO to domain level (applies to all objects)
New-GPLink -Name "Domain-PasswordPolicy" `
    -Target "DC=contoso,DC=com" `
    -LinkEnabled Yes `
    -Enforced Yes `
    -Order 1

# Link GPO to an OU
New-GPLink -Name "Finance-PasswordPolicy" `
    -Target "OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -LinkEnabled Yes

# Modify an existing link (change order or enforcement)
Set-GPLink -Name "Finance-PasswordPolicy" `
    -Target "OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -Enforced Yes `
    -Order 1

Using GPO Security Filtering

By default, Authenticated Users have Read and Apply Group Policy permissions on a GPO, meaning it applies to all users and computers in the linked OU. Security filtering restricts which specific users, computers, or groups the GPO applies to:

# Remove Authenticated Users from GPO apply permissions
Set-GPPermissions -Name "Finance-PasswordPolicy" `
    -TargetName "Authenticated Users" `
    -TargetType Group `
    -PermissionLevel None

# Grant apply permission to a specific group only
Set-GPPermissions -Name "Finance-PasswordPolicy" `
    -TargetName "Finance-Users" `
    -TargetType Group `
    -PermissionLevel GpoApply

# Grant read permission to Authenticated Users (still needed for enumeration)
Set-GPPermissions -Name "Finance-PasswordPolicy" `
    -TargetName "Authenticated Users" `
    -TargetType Group `
    -PermissionLevel GpoRead
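An added audit (not code from the original article) that reviews the security filtering of every GPO in the domain: it lists the trustees with Apply and flags the two mistakes the steps above guard against, Authenticated Users still holding Apply beside a specific group (the filter narrows nothing) and Authenticated Users holding no Read entry at all (clients cannot read the GPO). It matches Authenticated Users by its well-known SID S-1-5-11 and assumes the GroupPolicy module.

```powershell
# Added example, not from the original article: report the security filtering of
# every GPO and flag common filtering mistakes. Get-GPPermissions is the 2012 R2
# alias of Get-GPPermission. Requires the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoSecurityFilteringReport {
    $authenticatedUsersSid = 'S-1-5-11'   # well-known SID, independent of display language
    foreach ($gpo in Get-GPO -All) {
        # Allow entries only; a Deny ACE never grants anything
        $perms = @(Get-GPPermission -Guid $gpo.Id -All | Where-Object { -not $_.Denied })
        $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
        $authUsers = @($perms | Where-Object { "$($_.Trustee.Sid)" -eq $authenticatedUsersSid })

        $finding = 'OK'
        if ($authUsers.Count -eq 0) {
            $finding = 'Authenticated Users has no Read entry; restore GpoRead'
        } elseif ($apply.Count -eq 0) {
            $finding = 'No trustee has Apply; the GPO applies to nothing'
        } elseif ($apply.Count -gt 1 -and
                  ($authUsers | Where-Object { $_.Permission -eq 'GpoApply' })) {
            $finding = 'Authenticated Users still has Apply; filtering is not effective'
        }

        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            AppliesTo = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
            Finding   = $finding
        }
    }
}

Get-GpoSecurityFilteringReport | Sort-Object Finding -Descending | Format-Table -AutoSize
```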

Managing GPO Inheritance

GPO inheritance flows down the OU hierarchy. Block Inheritance prevents GPOs linked higher in the hierarchy from applying to an OU. Enforce (No Override) forces a GPO to apply regardless of Block Inheritance settings on child OUs:

# Block GPO inheritance on a specific OU
Set-GPInheritance -Target "OU=Executive,OU=Contoso,DC=contoso,DC=com" `
    -IsBlocked Yes

# View inheritance for an OU including inherited GPOs
Get-GPInheritance -Target "OU=Finance,OU=Contoso,DC=contoso,DC=com" |
    Select-Object Path, GpoLinks, InheritedGpoLinks

Backing Up and Restoring GPOs

Regular GPO backups are essential. The Backup-GPO cmdlet exports GPO settings to a folder:

# Backup all GPOs to a dated folder (Backup-GPO requires the folder to exist already)
$backupPath = "C:\GPOBackups\$(Get-Date -Format 'yyyy-MM-dd')"
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
Backup-GPO -All -Path $backupPath

# Backup a specific GPO
Backup-GPO -Name "Finance-PasswordPolicy" -Path "C:\GPOBackups"

# Restore a GPO from backup (without -BackupId, the most recent backup of that GPO in the folder is used)
Restore-GPO -Name "Finance-PasswordPolicy" -Path "C:\GPOBackups"

# List available backups in a folder. There is no dedicated cmdlet for this: each backup
# is stored in a {GUID} subfolder, and the folder's manifest.xml indexes them by GPO name and time.
Get-ChildItem -Path "C:\GPOBackups" -Directory |
    Select-Object Name, LastWriteTime

Troubleshooting GPO Application

The gpresult command and Resultant Set of Policy (RSoP) are the primary troubleshooting tools for GPO application issues:

# Generate RSoP report for current user and computer (gpresult is a command-line tool
# and can be run from PowerShell or cmd)
gpresult /H C:\Reports\gpresult.html /F

# Generate RSoP for a specific user on a specific computer. /USER names the user whose
# policy is reported; /U and /P would instead supply alternate credentials for the connection.
gpresult /S RemotePC01 /USER contoso\jsmith /H C:\Reports\jsmith-gpo.html /F

# View applied GPOs in summary format
gpresult /r

# Force immediate GPO refresh on a remote computer (Invoke-GPUpdate schedules gpupdate
# on the target through a remote scheduled task, so RPC must reach it)
Invoke-GPUpdate -Computer "WS-FIN-001" -Force

# Force GPO refresh on all enabled computers in an OU (Get-ADComputer needs the ActiveDirectory module)
Import-Module ActiveDirectory
Get-ADComputer -SearchBase "OU=Computers,OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -Filter {Enabled -eq $true} |
    ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }

Copying and Importing GPOs

GPOs can be copied within a domain or imported from a backup, which is useful for applying tested configurations from a lab to production:

# Copy a GPO within the same domain
Copy-GPO -SourceName "Finance-PasswordPolicy" `
    -TargetName "HR-PasswordPolicy"

# Import settings from a GPO backup into an existing GPO (add -CreateIfNeeded to create
# the target first; use -MigrationTable when importing across domains to map domain-specific names)
Import-GPO -BackupGpoName "Finance-PasswordPolicy" `
    -Path "C:\GPOBackups" `
    -TargetName "HR-PasswordPolicy"

Verifying GPO Configuration

# List all GPOs in the domain
Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime, ModificationTime

# Get the XML report of a specific GPO and navigate it as an XML document
# (property access in PowerShell ignores the report's default namespace)
[xml]$report = Get-GPOReport -Name "Finance-PasswordPolicy" -ReportType Xml
$report.GPO.Name

# Check GPO links: the report's LinksTo elements list each scope of management the GPO is
# linked to, whether the link is enabled, and whether it is enforced (NoOverride)
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride

Summary

Group Policy Objects on Windows Server 2012 R2 provide a comprehensive mechanism for enforcing configuration and security standards across your domain. Use descriptive GPO names and document the purpose of each GPO. Follow the principle of least privilege when designing GPO scope using security filtering. Always back up GPOs before modifying them in production. Use gpresult and Invoke-GPUpdate for troubleshooting application issues. The GroupPolicy PowerShell module enables all aspects of GPO lifecycle management, from creation and configuration to backup and restoration, making it essential knowledge for any Windows Server administrator.