How to Configure Group Policy Objects (GPO) on Windows Server 2025
Group Policy is the primary mechanism for enforcing configuration standards across a Windows Active Directory environment. Through Group Policy Objects (GPOs), administrators can control security settings, software deployment, logon scripts, browser configuration, firewall rules, and hundreds of other parameters — all applied automatically to users and computers based on their location in Active Directory. Windows Server 2025 includes a mature Group Policy infrastructure with support for the latest ADMX templates, enhanced security baselines, and the PowerShell-based GroupPolicy module for automation. This tutorial walks through creating, linking, editing, filtering, and troubleshooting GPOs from both the graphical console and the command line.
Prerequisites
- An Active Directory domain with at least one domain controller running Windows Server 2025
- Group Policy Management Console (GPMC) — installed via RSAT or Install-WindowsFeature GPMC
- The GroupPolicy PowerShell module (included with GPMC)
- Domain Admin or delegated Group Policy management permissions
- Client machines joined to the domain for testing policy application
# Install GPMC on a domain controller or member server
Install-WindowsFeature -Name GPMC -IncludeManagementTools
# Import the GroupPolicy module
Import-Module GroupPolicy
# Open the GPMC GUI
gpmc.msc
Step 1: Create a New Group Policy Object
GPOs can be created in the GPMC GUI or via PowerShell. A newly created GPO is unlinked — it has no effect until it is linked to a site, domain, or OU. Keeping GPO creation and linking as separate steps lets you review and test the policy before it applies to production systems.
# Create a new GPO in the domain (unlinked)
New-GPO -Name "SEC-Baseline-Workstations" `
-Comment "CIS-aligned security baseline for domain workstations" `
-Domain "corp.example.com"
# Create another GPO for user desktop restrictions
New-GPO -Name "USR-Desktop-Restrictions" `
-Comment "Restricts access to Control Panel and drives" `
-Domain "corp.example.com"
# List all GPOs in the domain
Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime | Sort-Object DisplayName
Step 2: Link a GPO to an Organizational Unit
Linking a GPO to an OU makes it apply to all users and computers within that container (and child containers, unless inheritance is blocked). The -Order parameter controls which GPO takes precedence when multiple GPOs are linked to the same OU — lower numbers have higher priority.
# Link the security baseline GPO to the Workstations OU
New-GPLink `
-Name "SEC-Baseline-Workstations" `
-Target "OU=Workstations,DC=corp,DC=example,DC=com" `
-Order 1 `
-Enforced No `
-LinkEnabled Yes
# Link the user restrictions GPO to the standard users OU
New-GPLink `
-Name "USR-Desktop-Restrictions" `
-Target "OU=CorpUsers,DC=corp,DC=example,DC=com" `
-Order 1 `
-Enforced No `
-LinkEnabled Yes
# Verify links
Get-GPInheritance -Target "OU=Workstations,DC=corp,DC=example,DC=com"
Step 3: Edit GPO Settings
GPO settings are organized into two main branches: Computer Configuration (applies when the computer object is processed at startup) and User Configuration (applies when the user logs on). Each branch is further divided into Policies (traditional registry-based and security settings) and Preferences (flexible, targeting-aware settings that can install shortcuts, map drives, and configure printers).
You can edit GPOs graphically by opening the GPMC, right-clicking a GPO, and selecting Edit. Common settings paths in the editor:
- Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies — password and lockout policies
- Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Firewall — firewall rules
- User Configuration > Policies > Administrative Templates > Control Panel — restrict Control Panel access
- User Configuration > Preferences > Windows Settings > Drive Maps — map network drives on logon
To configure settings programmatically, use the Set-GPRegistryValue cmdlet for registry-based (ADMX) policies:
# Disable access to the Control Panel for users (User Configuration > Admin Templates)
Set-GPRegistryValue `
-Name "USR-Desktop-Restrictions" `
-Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
-ValueName "NoControlPanel" `
-Type DWord `
-Value 1
# Account policies such as minimum password length live under Security Settings, not in the
# registry, so set them in the GPMC GUI or with a secedit security template.
# Registry-based Administrative Template settings, such as the DNS suffix search list,
# can be set with Set-GPRegistryValue:
Set-GPRegistryValue `
-Name "SEC-Baseline-Workstations" `
-Key "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" `
-ValueName "SearchList" `
-Type String `
-Value "corp.example.com"
Step 4: Apply Security Filtering
By default, a GPO applies to the Authenticated Users security group — meaning every user and computer in the linked OU receives it. Security filtering lets you scope a GPO to specific groups, removing Authenticated Users and adding only the intended targets.
# Remove the default Authenticated Users permission from a GPO
Set-GPPermission `
-Name "SEC-Baseline-Workstations" `
-PermissionLevel None `
-TargetName "Authenticated Users" `
-TargetType Group
# Grant Apply permission only to the target security group
Set-GPPermission `
-Name "SEC-Baseline-Workstations" `
-PermissionLevel GpoApply `
-TargetName "GRP-Workstation-Computers" `
-TargetType Group
# IMPORTANT: since MS16-072, Group Policy is retrieved in the computer's security context, so every
# computer that processes this GPO needs Read on it; grant Domain Computers Read (not Apply)
Set-GPPermission `
-Name "SEC-Baseline-Workstations" `
-PermissionLevel GpoRead `
-TargetName "Domain Computers" `
-TargetType Group
# Verify permissions
Get-GPPermission -Name "SEC-Baseline-Workstations" -All
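The Read requirement above is easy to miss when security filtering is tightened on many GPOs. The following audit is an added example, not part of the original tutorial: it lists every GPO in the domain whose default Authenticated Users scope was removed and that no longer grants Read to Authenticated Users or Domain Computers. The domain name is a placeholder, and custom ACEs (GpoCustom) are not inspected.

```powershell
Import-Module GroupPolicy

# Audits every GPO whose default scope was tightened (Authenticated Users no longer has Apply)
# and reports those where neither Authenticated Users nor Domain Computers retains Read.
# Such GPOs can silently stop delivering User Configuration settings, because since MS16-072
# the computer account retrieves them. The domain name is a constructed placeholder.
function Find-GpoMissingComputerRead {
    param([string]$Domain = "corp.example.com")
    # Permission levels that include read access (GpoCustom ACEs are not examined)
    $readLevels = "GpoRead", "GpoApply", "GpoEdit", "GpoEditDeleteModifySecurity"
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All
        $defaultScope = $perms | Where-Object {
            $_.Trustee.Name -eq "Authenticated Users" -and $_.Permission -eq "GpoApply" }
        if ($defaultScope) { continue }   # still applies to everyone; nothing to check
        $readers = $perms | Where-Object {
            ($_.Trustee.Name -in "Authenticated Users", "Domain Computers") -and
            ($_.Permission -in $readLevels) }
        if (-not $readers) {
            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                Id        = $gpo.Id
                AppliedTo = (($perms | Where-Object Permission -eq "GpoApply").Trustee.Name) -join ", "
                # Suggested remediation command, matching Step 4 of the tutorial
                Fix       = "Set-GPPermission -Guid $($gpo.Id) -PermissionLevel GpoRead -TargetName 'Domain Computers' -TargetType Group"
            }
        }
    }
}
Find-GpoMissingComputerRead | Format-Table -AutoSize -Wrap
```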
Step 5: Create and Apply WMI Filters
WMI filters let you conditionally apply a GPO based on properties of the target computer — for example, operating system version, disk space, or hardware manufacturer. A GPO linked with a WMI filter only applies if the filter query returns true on the target machine.
# Create a WMI filter that targets only Windows 11 workstations.
# Windows 10 and 11 both report Version 10.0.x; Windows 11 builds start at 10.0.22000, so
# "10.0.2%" selects Windows 11 only, and ProductType = "1" excludes servers and DCs.
$WMIFilterQuery = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2%" AND ProductType = "1"'
# WMI filters must be created via the GPMC GUI or directly in AD: the GPMC COM API has no
# method for creating them, so this creates the msWMI-Som object the GUI would create.
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain -Identity "corp.example.com").DistinguishedName
$FilterID = "{" + [guid]::NewGuid().ToString().ToUpper() + "}"
$Now = (Get-Date).ToUniversalTime().ToString("yyyyMMddHHmmss.ffffff") + "-000"
New-ADObject -Name $FilterID -Type "msWMI-Som" `
    -Path "CN=SOM,CN=WMIPolicy,CN=System,$DomainDN" `
    -OtherAttributes @{
        "msWMI-Name"         = "WMI-Windows11-Workstations"
        "msWMI-Parm1"        = "Applies only to Windows 11 machines"
        # Parm2 layout: <query count>;3;<namespace length>;<query length>;WQL;<namespace>;<query>;
        "msWMI-Parm2"        = "1;3;10;$($WMIFilterQuery.Length);WQL;root\CIMv2;$WMIFilterQuery;"
        "msWMI-ID"           = $FilterID
        "msWMI-Author"       = "$env:USERNAME@corp.example.com"
        "msWMI-CreationDate" = $Now
        "msWMI-ChangeDate"   = $Now
    }
# Attach the filter to a GPO through the GPMC COM object (the GroupPolicy cmdlets cannot set it)
$GPMC = New-Object -ComObject GPMgmt.GPM
$Constants = $GPMC.GetConstants()
$Domain = $GPMC.GetDomain("corp.example.com", "", $Constants.UseAnyDC)
$WMIFilter = $Domain.GetWMIFilter("MSFT_SomFilter.Domain=`"corp.example.com`",ID=`"$FilterID`"")
$GPO = $Domain.GetGPO((Get-GPO -Name "SEC-Baseline-Workstations").Id.ToString("B"))
$GPO.WMIFilter = $WMIFilter
Write-Host "WMI filter created and attached: $($WMIFilter.Name)"
Step 6: Force Policy Refresh and Generate Reports
After making changes to a GPO, client machines receive the updated policy at the next refresh interval (every 90 minutes by default, with a random 30-minute offset). You can force an immediate refresh on a remote machine using Invoke-GPUpdate, or run gpupdate /force locally on the client.
# Force a Group Policy refresh on a remote computer
Invoke-GPUpdate -Computer "DESKTOP01.corp.example.com" -Force
# Force refresh on all computers in an OU (Get-ADComputer needs the ActiveDirectory module)
Import-Module ActiveDirectory
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=corp,DC=example,DC=com"
$Computers | ForEach-Object {
Invoke-GPUpdate -Computer $_.DNSHostName -Force -ErrorAction SilentlyContinue
}
# Generate an HTML Group Policy Results report for a specific user and computer
Get-GPResultantSetOfPolicy `
-Computer "DESKTOP01.corp.example.com" `
-User "corp\jsmith" `
-ReportType Html `
-Path "C:\Reports\gpresult-jsmith.html"
# Alternatively, run on the client machine directly
gpresult /h C:\Reports\gpresult-local.html /f
gpresult /r # Quick console summary
Step 7: Troubleshoot with RSOP and Event Logs
When a policy is not applying as expected, the Resultant Set of Policy (RSoP) tool and the Group Policy operational log are the primary diagnostic resources.
# Open the RSoP GUI for the local machine (shows effective policies)
rsop.msc
# Review Group Policy event logs on the client
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 50 |
Where-Object { $_.LevelDisplayName -in "Error", "Warning" } |
Select-Object TimeCreated, LevelDisplayName, Message
# Check which GPOs were applied (5312) and which were filtered out (5313), along with
# client-side extension processing (4016 start / 5016 end) and system calls (4017 / 5017)
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 500 |
Where-Object { $_.Id -in 5312, 5313, 4016, 4017, 5016, 5017 } |
Select-Object TimeCreated, Id, Message -First 20
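Reading the operational log event by event gets tedious, since every refresh cycle writes dozens of records. The function below is an added example, not from the original tutorial: it correlates the log by ActivityId so each refresh cycle appears as one row with its scope, result, duration, applied and denied GPOs, and any failed client-side extension. It assumes the log name used above, that Event IDs 4000-4007 start a cycle, 8000-8007 end it successfully, 7000-7007 end it with an error, 5312/5313 list the applied/denied GPOs one per line after a heading line, and 7016 records a CSE failure.

```powershell
# Correlates events in the Group Policy operational log by ActivityId so each refresh cycle
# (computer or user; startup/logon, background or manual) is reported as one row.
# Assumptions: tutorial log name; 4000-4007 start a cycle, 8000-8007 end it successfully,
# 7000-7007 end it with an error, 5312/5313 list applied/denied GPOs, 7016 is a CSE failure.
function Get-GpRefreshSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Cycles = 5, [int]$Hours = 24)
    $filter = @{ LogName = "Microsoft-Windows-GroupPolicy/Operational"; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    $events | Where-Object ActivityId | Group-Object ActivityId |
        Sort-Object { ($_.Group | Measure-Object TimeCreated -Minimum).Minimum } -Descending |
        Select-Object -First $Cycles | ForEach-Object {
            $g     = $_.Group | Sort-Object TimeCreated
            $start = $g | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 } | Select-Object -First 1
            $end   = $g | Where-Object { ($_.Id -ge 7000 -and $_.Id -le 7007) -or ($_.Id -ge 8000 -and $_.Id -le 8007) } | Select-Object -Last 1
            # 5312/5313 messages carry the GPO list, one name per line after the heading line
            $listOf = { param($id) ($g | Where-Object Id -eq $id | ForEach-Object {
                ($_.Message -split "`r?`n" | Select-Object -Skip 1 | ForEach-Object Trim | Where-Object { $_ }) }) -join "; " }
            [pscustomobject]@{
                Started    = if ($start) { $start.TimeCreated } else { $g[0].TimeCreated }
                # Even start IDs (4000, 4002, 4004, 4006) are computer cycles, odd ones are user cycles
                Scope      = if (-not $start) { "?" } elseif ($start.Id % 2 -eq 0) { "Computer" } else { "User" }
                Result     = if (-not $end) { "incomplete" } elseif ($end.Id -ge 8000) { "success" } else { "FAILED ($($end.Id))" }
                DurationMs = if ($start -and $end) { [int]($end.TimeCreated - $start.TimeCreated).TotalMilliseconds } else { $null }
                Applied    = & $listOf 5312
                Denied     = & $listOf 5313
                CseErrors  = ($g | Where-Object Id -eq 7016 | ForEach-Object { ($_.Message -split "`r?`n")[0] }) -join "; "
            }
        }
}
Get-GpRefreshSummary | Format-Table -AutoSize -Wrap
```

A cycle whose Result is FAILED or whose Denied column lists a GPO you expected to apply points straight at the filtering or permission step to re-check.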
Step 8: Deploy the ADMX Central Store
By default, each DC stores its own ADMX template files locally. A Central Store eliminates version inconsistencies by hosting all templates in SYSVOL, making them available to all DCs and admin workstations.
# Create the Central Store directory structure in SYSVOL
$CentralStore = "\\corp.example.com\SYSVOL\corp.example.com\Policies\PolicyDefinitions"
New-Item -Path $CentralStore -ItemType Directory -Force
# Copy ADMX and ADML files from a Windows Server 2025 DC
$SourceADMX = "C:\Windows\PolicyDefinitions"
Copy-Item -Path "$SourceADMX\*.admx" -Destination $CentralStore -Force
Copy-Item -Path "$SourceADMX\en-US" -Destination $CentralStore -Recurse -Force
# Verify the Central Store is recognized (GPMC will show "PolicyDefinitions" in SYSVOL)
Get-ChildItem $CentralStore | Measure-Object
Step 9: Starter GPOs and Loopback Processing
Starter GPOs are templates that capture a baseline set of Administrative Template settings, making it easy to provision new GPOs with consistent defaults. Group Policy Loopback Processing is a specialized setting for kiosk and terminal server scenarios where the computer’s location should determine which user policies apply — rather than the user’s OU location.
# Create an empty Starter GPO; Starter GPOs hold only Administrative Template settings,
# which you then populate in the GPMC editor
New-GPStarterGPO -Name "STARTER-SecurityBaseline" -Comment "Admin Template defaults for new security baselines"
# Create a new GPO seeded with the starter template's settings
$NewGPO = New-GPO -Name "SEC-DeptA-Baseline" -StarterGpoName "STARTER-SecurityBaseline"
# Enable Loopback Processing in Merge mode for terminal servers
# (Computer Config > Admin Templates > System > Group Policy > Loopback Processing)
New-GPO -Name "SEC-TerminalServer-Loopback" -Comment "Loopback (merge) for terminal servers" | Out-Null
Set-GPRegistryValue `
-Name "SEC-TerminalServer-Loopback" `
-Key "HKLM\Software\Policies\Microsoft\Windows\System" `
-ValueName "UserPolicyMode" `
-Type DWord `
-Value 1 # 1 = Merge, 2 = Replace
Conclusion
Group Policy Objects on Windows Server 2025 provide a powerful, centralized mechanism for governing the configuration and security posture of every machine and user account in your domain. You have learned how to create and link GPOs, configure both Computer and User settings, scope application through security and WMI filters, force policy refresh, generate diagnostic reports, and extend the template library with a Central Store for ADMX files. As a best practice, always test new GPOs in a non-production OU before rolling them out broadly, use the gpresult and RSoP tools to validate the outcome, and maintain a change log so you can quickly identify which GPO change caused an unexpected behavior.