Introduction to Group Policy on Windows Server 2022
Group Policy is the primary mechanism for applying configuration settings, security baselines, and software deployments across computers and users in an Active Directory domain. A Group Policy Object (GPO) is a collection of settings that are applied to computer accounts (via the Computer Configuration node) or user accounts (via the User Configuration node) based on where those objects reside in the AD hierarchy. Windows Server 2022 includes the Group Policy Management Console (GPMC) as the central tool for creating, editing, linking, and troubleshooting GPOs, and the GroupPolicy PowerShell module for scripting and automation.
Opening Group Policy Management Console
GPMC is launched via gpmc.msc. Open it from the Run dialog, Server Manager Tools menu, or PowerShell:
Start-Process gpmc.msc
In GPMC you will see your forest, domains, sites, and a Group Policy Objects container that lists all GPOs. Each domain also has a Linked Group Policy Objects view under each OU showing which GPOs are linked there. To use PowerShell for GPO management, import the GroupPolicy module:
Import-Module GroupPolicy
Creating and Linking GPOs with PowerShell
New-GPO creates a new GPO in the domain. Creating a GPO does not apply it anywhere — it must be linked to a site, domain, or OU using New-GPLink:
# Create a new GPO
New-GPO -Name "Server Security Baseline" -Comment "CIS-aligned security settings for member servers"
# Link the GPO to an OU (a new link is enabled unless -LinkEnabled No is passed)
New-GPLink `
-Name "Server Security Baseline" `
-Target "OU=Servers,DC=corp,DC=example,DC=com" `
-LinkEnabled Yes `
-Enforced No
# Link to the domain root instead (applies to every computer and user in the domain; a GPO normally needs only one of these two links)
New-GPLink -Name "Server Security Baseline" -Target "DC=corp,DC=example,DC=com"
# List all GPOs in the domain
Get-GPO -All | Select-Object DisplayName, Id, GpoStatus, CreationTime
The -Enforced parameter sets the link to Enforced (No Override in older terminology). An enforced link is still processed where a child OU has Block Inheritance set, and its settings win any conflict with GPOs linked lower in the hierarchy, which would otherwise take precedence. Use it for domain-wide security policy that OU administrators must not be able to override, and keep the list of enforced links short, since each one bypasses the normal precedence model and is a natural target for anyone who wants a change to apply everywhere.
GPO Precedence: LSDOU Order
When multiple GPOs are linked at different levels of the AD hierarchy, they are applied in a specific order, with later applications winning (except for Enforced links). The order is remembered by the acronym LSDOU:
Local — The local Group Policy on the computer itself (gpedit.msc). Applied first, therefore lowest precedence.
Site — GPOs linked to the AD site the computer belongs to.
Domain — GPOs linked to the domain root.
OU — GPOs linked to the OUs, from parent to child. The most specific OU (closest to the object) wins. Applied last, therefore highest precedence.
Within a single container (e.g., several GPOs linked to the same OU), precedence follows link order: link order 1 has the highest precedence, so it is applied last and wins conflicts. In GPMC you can drag GPOs within a container to change the order, or use Set-GPLink -Order. A container can also have Block Inheritance set, which stops GPOs linked above it from applying at all; Enforced links are the exception, as they pass through a block and override conflicting settings in lower-level GPOs regardless of LSDOU order.
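To see the precedence model above applied to a real tree, here is an added PowerShell example (not from the original page) that walks the domain root and every OU, prints the resolved precedence list for each container (what the Group Policy Inheritance tab in GPMC shows), warns on Block Inheritance, and lists the Enforced links separately. It assumes the GroupPolicy and ActiveDirectory modules are installed and that the session runs as a domain user who can read GPOs; site-linked GPOs are not part of the OU tree and are not reported.

```powershell
# Added example: audit GPO precedence, Block Inheritance and Enforced links.
# Assumes the GroupPolicy and ActiveDirectory modules (AD DS tools) are present.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GPLinkPrecedence {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # The domain root plus every OU beneath it. Site links live outside this
    # tree, so they do not appear in the result.
    $containers = @($SearchBase) +
        (Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
            Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn

        # Block Inheritance drops non-enforced GPOs from parent containers;
        # Enforced links from parents still come through and win conflicts.
        if ($inh.GpoInheritanceBlocked) {
            Write-Warning "Block Inheritance is set on $dn"
        }

        # InheritedGpoLinks is the resolved list for this container: position 1
        # has the highest precedence, i.e. it is applied last and wins conflicts.
        $pos = 0
        foreach ($link in $inh.InheritedGpoLinks) {
            $pos++
            [pscustomobject]@{
                Container  = $dn
                Precedence = $pos
                GPO        = $link.DisplayName
                LinkedAt   = $link.Target
                Enforced   = $link.Enforced
                Enabled    = $link.Enabled
            }
        }
    }
}

# Full report, then only the Enforced links: each of these overrides child OUs
# and Block Inheritance, so every entry should be a deliberate decision.
$report = Get-GPLinkPrecedence
$report | Format-Table -AutoSize
$report | Where-Object Enforced |
    Sort-Object GPO, LinkedAt -Unique |
    Format-Table GPO, LinkedAt -AutoSize
```

Run it after any change to links, block inheritance or link order; a diff of two runs is a cheap way to spot an unexpected Enforced link or a new block on a sensitive OU.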
Computer Configuration vs User Configuration
Each GPO has two main nodes: Computer Configuration and User Configuration. Settings under Computer Configuration are applied to the computer account when the machine starts up (regardless of which user logs on). Settings under User Configuration are applied to the user account when the user logs on (regardless of which machine they log on to).
Common Computer Configuration settings include: password policies, account lockout policies, audit policies, Windows Firewall settings, service startup configurations, registry settings, startup/shutdown scripts, and software installation. (Drive Maps is a Group Policy Preferences item that exists only under User Configuration; there is no per-computer drive mapping.)
Common User Configuration settings include: Internet Explorer/Edge proxy settings, folder redirection (Desktop, Documents, AppData), mapped drives specific to the user, logon/logoff scripts, and Start Menu configuration.
You can disable the unused half of a GPO so the client skips processing it. The GroupPolicy module has no Set-GPO cmdlet; instead, set the GpoStatus property on the object returned by Get-GPO. For example, if a GPO only has Computer Configuration settings, disable the User Configuration half:
(Get-GPO -Name "Server Security Baseline").GpoStatus = "UserSettingsDisabled"
# Valid values: AllSettingsEnabled, AllSettingsDisabled, UserSettingsDisabled, ComputerSettingsDisabled
GPO Filtering: Security and WMI Filters
By default, a linked GPO applies to all authenticated users and computer accounts within the linked container. GPO filtering allows you to restrict which objects a GPO applies to:
Security Filtering — a GPO applies only to security principals that hold both Read and Apply Group Policy allow permissions on it. To target one group, remove Authenticated Users from the Apply permission and add the group. One caveat: since MS16-072 (June 2016), user-side settings are retrieved in the computer's security context, so the computer account still needs Read on the GPO. If you remove Authenticated Users entirely (as the first command below does), grant Read to Domain Computers or re-add Authenticated Users with Read only, otherwise the GPO's user settings silently stop applying. This is done on the Scope tab of the GPO in GPMC or with Set-GPPermission:
# Remove the default "Authenticated Users" from security filtering
Set-GPPermission -Name "Server Security Baseline" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group
# Add a specific group (they need Read + Apply Group Policy)
Set-GPPermission -Name "Server Security Baseline" -PermissionLevel GpoApply -TargetName "Servers-Group" -TargetType Group
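The two commands above leave the GPO in the state MS16-072 breaks: nothing but the target group can read it. The following added PowerShell example (not from the original page) re-scopes a GPO the safe way, by downgrading Authenticated Users to Read instead of deleting it, granting Apply to the target group, and returning the resulting ACL; it also includes an audit that finds GPOs in the domain that no computer account can read. It assumes the GroupPolicy module; "Server Security Baseline" and "Servers-Group" are the names used on this page.

```powershell
# Added example: security-filter a GPO to one group without breaking user-side
# policy processing, then audit all GPOs for the MS16-072 read requirement.
Import-Module GroupPolicy

function Set-GPOTargetGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ApplyToGroup
    )
    # -Replace swaps the existing Read+Apply of Authenticated Users for Read only.
    # Computer accounts (including DCs, which are not in Domain Computers) keep
    # Read, so user settings still process; nothing applies through this entry.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Read + Apply for the intended group only.
    Set-GPPermission -Name $GpoName -TargetName $ApplyToGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Return the resulting ACL so the change can be reviewed or logged.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

function Find-GPOMissingComputerRead {
    # GPOs where neither Authenticated Users nor Domain Computers can read the
    # GPO will fail to apply user settings after MS16-072.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        $readers = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
            $_.Trustee.Name -in @('Authenticated Users', 'Domain Computers') -and
            "$($_.Permission)" -in $readLevels
        }
        if (-not $readers) { $gpo.DisplayName }
    }
}

Set-GPOTargetGroup -GpoName 'Server Security Baseline' -ApplyToGroup 'Servers-Group' |
    Format-Table -AutoSize
Write-Host 'GPOs no computer account can read:'
Find-GPOMissingComputerRead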
WMI Filters — Windows Management Instrumentation filters evaluate a WQL query on the target computer. If the query returns true, the GPO applies; if false, the GPO is skipped. WMI filters are useful for targeting specific OS versions, hardware configurations, or installed software. Create and link WMI filters in GPMC under the WMI Filters node. Example WQL for Windows Server 2022 only:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.20348%" AND (ProductType = 2 OR ProductType = 3)
Win32_OperatingSystem.ProductType is 1 for a workstation, 2 for a domain controller and 3 for a member server, so a filter that tests ProductType = 3 alone skips domain controllers. Windows Server 2022 reports version 10.0.20348; the looser pattern "10.0.2%" that is often suggested also matches later server releases (Windows Server 2025 reports 10.0.26100), so match the build explicitly.
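A WMI filter is just a WQL query that must return at least one instance on the target computer, so you can test it locally (or over WinRM) before linking it. The following added PowerShell example (not from the original page) runs a few candidate filters through Get-CimInstance, including the over-broad "10.0.2%" pattern, and prints the OS properties they key on. Only the query strings are constructed here; everything else is read from the machine it runs on.

```powershell
# Added example: evaluate WMI filter queries the way the Group Policy client
# would (one or more rows returned means the filter passes).
function Test-GPWmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName
    )
    $cimParams = @{ Query = $Query; Namespace = 'root\CIMv2'; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimParams.ComputerName = $ComputerName }
    $rows = @(Get-CimInstance @cimParams)
    return ($rows.Count -gt 0)
}

# Show what the queries will see. ProductType: 1 = workstation, 2 = domain
# controller, 3 = member server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
'{0}  version {1}  build {2}  ProductType {3}' -f $os.Caption, $os.Version, $os.BuildNumber, $os.ProductType

# Constructed candidate filters for this page's Server 2022 targeting.
$filters = [ordered]@{
    'Server 2022 member servers only' =
        'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.20348%" AND ProductType = 3'
    'Server 2022 including DCs' =
        'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.20348%" AND (ProductType = 2 OR ProductType = 3)'
    'Any 10.0.2x server build (too broad: also matches Server 2025)' =
        'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2%" AND ProductType <> 1'
}

foreach ($f in $filters.GetEnumerator()) {
    [pscustomobject]@{
        Filter  = $f.Key
        Applies = Test-GPWmiFilter -Query $f.Value
    }
}
```

Note that the real filter is evaluated by the Group Policy client in the computer's context during processing; Get-CimInstance runs as you, so a query that depends on per-user state is not reproduced exactly by this test.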
Applying and Testing GPO Changes
Group Policy is applied at startup/logon and at a background refresh interval: every 90 minutes plus a random offset of up to 30 minutes on member computers, every 5 minutes on domain controllers. Force an immediate refresh (/force reapplies all settings even when the GPO versions are unchanged; Invoke-GPUpdate schedules the refresh through a remote scheduled task, so the target's firewall must allow the Remote Scheduled Tasks Management rules):
# Force refresh on local machine
gpupdate /force
# Force refresh on a remote computer
Invoke-GPUpdate -Computer "SERVER01" -Force -RandomDelayInMinutes 0
# Refresh only Computer Configuration
gpupdate /target:computer /force
# Refresh only User Configuration
gpupdate /target:user /force
After a forced refresh, verify which GPOs were actually applied using gpresult. Run it from an elevated prompt; otherwise the computer-scope results are omitted. The /h flag generates an HTML report and /f overwrites an existing file. Reporting on another user with /user works only if that user has logged on to the machine before, since RSOP logging data is cached per logon:
# Generate HTML report for the current computer/user
gpresult /h C:\Temp\GPReport.html /f
# Generate report for a specific user on the local machine
gpresult /h C:\Temp\GPReport_jsmith.html /user CORP\jsmith /f
# Quick console view of applied GPOs
gpresult /r
# Verbose output including all settings
gpresult /v
The HTML report shows Applied GPOs, Denied GPOs (and why they were denied), RSOP (Resultant Set of Policy), and any errors encountered during processing.
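For fleet-wide checks the HTML report is awkward to parse; the same data is available as XML. The following added PowerShell example (not from the original page) pulls the Resultant Set of Policy for a computer with Get-GPResultantSetOfPolicy and lists every GPO that was in scope but denied, with the reason the report records. The element names (Enabled, IsValid, AccessDenied, FilterAllowed, Link/SOMPath) are taken from the RSOP XML that gpresult /x and this cmdlet produce and are an assumption about that schema; "SERVER01" is a placeholder, and the call needs administrative rights on the target.

```powershell
# Added example: list denied GPOs for a computer from its RSOP XML.
Import-Module GroupPolicy

function Get-GPDeniedGpo {
    param([Parameter(Mandatory)][string]$ComputerName)

    $path = Join-Path $env:TEMP ("rsop_{0}.xml" -f $ComputerName)
    Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Xml -Path $path | Out-Null
    [xml]$rsop = Get-Content -Path $path -Raw

    # Computer-side results only; $rsop.Rsop.UserResults.GPO has the same shape
    # when a user is specified.
    foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        # A GPO is reported as denied when it was in scope but one of these
        # checks failed; the HTML report lists them under "Denied GPOs".
        $reason = @()
        if ($gpo.Enabled -eq 'false')       { $reason += 'link or GPO disabled' }
        if ($gpo.IsValid -eq 'false')       { $reason += 'GPO invalid or inaccessible' }
        if ($gpo.AccessDenied -eq 'true')   { $reason += 'security filtering' }
        if ($gpo.FilterAllowed -eq 'false') { $reason += 'WMI filter' }

        [pscustomobject]@{
            Computer = $ComputerName
            GPO      = $gpo.Name
            LinkedAt = (@($gpo.Link | ForEach-Object { $_.SOMPath }) -join '; ')
            Applied  = ($reason.Count -eq 0)
            Reason   = ($reason -join ', ')
        }
    }
    Remove-Item -Path $path -ErrorAction SilentlyContinue
}

Get-GPDeniedGpo -ComputerName 'SERVER01' | Format-Table -AutoSize
```

A security-baseline GPO that shows up with Reason = "security filtering" on a server that should receive it is the typical symptom of the MS16-072 read-permission problem described in the filtering section.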
Starter GPOs
Starter GPOs are templates that provide a baseline set of Administrative Template settings. When you create a new GPO from a Starter GPO, it inherits those baseline settings which can then be customized. This ensures consistency across similar policy objects and saves time when creating many GPOs with a common baseline.
Create a Starter GPO in GPMC by expanding the Starter GPOs container and clicking New. Once populated, use it as a base for new GPOs:
# Create a new GPO based on a Starter GPO
New-GPO -Name "Web Server Policy" -StarterGPOName "Windows Server Security Starter"
The Starter GPOs container is created on first use (the Create Starter GPOs Folder button). Starter GPOs can be exchanged between forests as .cab files: Save as Cabinet exports one, and Load Cabinet imports it. Note that the baselines in the Microsoft Security Compliance Toolkit are distributed as full GPO backups, not Starter GPO cabinets, so they are imported into an existing GPO with Import-GPO (Import Settings in GPMC), not through this container.
Backing Up and Restoring GPOs
A GPO backup captures the GPO's settings (registry.pol, security templates, scripts and the rest of its SYSVOL content), its ACL (security filtering and delegation), and the name of the WMI filter it references. It does not capture the WMI filter definition itself or the GPO's links to sites, domains and OUs, which are stored on those containers; record those separately (Get-GPInheritance for links) if you need to rebuild after a deletion. Back up before making significant changes:
# Backup a single GPO
Backup-GPO -Name "Server Security Baseline" -Path "C:\GPO_Backups" -Comment "Pre-change backup $(Get-Date -Format 'yyyy-MM-dd')"
# Backup ALL GPOs in the domain
Backup-GPO -All -Path "C:\GPO_Backups"
# List available backups in a folder. There is no Get-GPOBackup cmdlet; Backup-GPO
# records every backup in manifest.xml at the root of the backup folder.
[xml]$manifest = Get-Content -Path "C:\GPO_Backups\manifest.xml" -Raw
$manifest.Backups.BackupInst | Select-Object `
    @{ n = 'DisplayName'; e = { $_.GPODisplayName.'#cdata-section' } }, `
    @{ n = 'BackupId';    e = { $_.ID.'#cdata-section' } }, `
    @{ n = 'Timestamp';   e = { $_.BackupTime.'#cdata-section' } }, `
    @{ n = 'Comment';     e = { $_.Comment.'#cdata-section' } }
# Restore a GPO from its most recent backup in the folder
Restore-GPO -Name "Server Security Baseline" -Path "C:\GPO_Backups"
# Restore a GPO from a specific backup (if multiple exist)
Restore-GPO -BackupId "GUID-HERE" -Path "C:\GPO_Backups"
Common Security Settings to Configure via GPO
The following PowerShell commands write registry-based settings into the GPO with Set-GPRegistryValue. These land in the GPO's registry.pol and show up under Computer Configuration > Policies > Administrative Templates (as Extra Registry Settings when no ADMX template covers the value). They have the same effect on the client as the matching entries under Security Settings > Local Policies > Security Options, but they are not that node and are not validated against a template, so double-check key, value name and type:
# Disable SMBv1 via GPO registry setting
Set-GPRegistryValue `
-Name "Server Security Baseline" `
-Key "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-ValueName "SMB1" `
-Type DWord `
-Value 0
# Account policies (maximum password age, complexity, lockout) are not registry values:
# they live in the GPO's security template (GptTmpl.inf) and cannot be set with
# Set-GPRegistryValue. See the note on the Default Domain Policy at the end of this section.
# Enable NTLMv2 and disable older NTLM via LmCompatibilityLevel
Set-GPRegistryValue `
-Name "Server Security Baseline" `
-Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
-ValueName "LmCompatibilityLevel" `
-Type DWord `
-Value 5
# Disable the automatic administrative shares (C$, ADMIN$ and so on). Caution: remote
# management tooling (PsExec-style execution, remote registry/event log tools, some
# backup and deployment agents) depends on ADMIN$; leave this out if it is in use.
Set-GPRegistryValue `
-Name "Server Security Baseline" `
-Key "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
-ValueName "AutoShareServer" `
-Type DWord `
-Value 0
For account policies (password length, complexity and age, lockout thresholds), the values that domain accounts receive come from the GPO linked at the domain root, by convention the Default Domain Policy (if several domain-linked GPOs set them, the one with the highest precedence wins). The same settings in an OU-linked GPO only affect local accounts on the computers in that OU, not domain accounts; different password policies for different groups of domain users require fine-grained password policies (password settings objects), not OU-linked GPOs. Set them under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies in the Group Policy Management Editor, opened by right-clicking the GPO in GPMC and choosing Edit (gpedit.msc is the Local Group Policy Editor and changes only the local computer's policy).
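Writing values into a GPO is only half the job; the other half is confirming they reached the target. The following added PowerShell example (not from the original page) reads the three registry-backed settings above out of the GPO with Get-GPRegistryValue, reads the live values from a member server over WinRM, reports whether each is compliant, and then shows the domain account policy that only a domain-root GPO or a fine-grained password policy can set. It assumes the GroupPolicy and ActiveDirectory modules and WinRM access to the target; "SERVER01" is a placeholder, and the GPO name is the one used on this page.

```powershell
# Added example: verify GPO registry settings end to end and show the domain
# account policy. SERVER01 is a placeholder hostname.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Server Security Baseline'

# The settings written earlier in this section, in the form Set-GPRegistryValue uses.
$expected = @(
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';                Value = 0 }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'LmCompatibilityLevel'; Value = 5 }
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';     Value = 0 }
)

function Test-GPOSetting {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][hashtable[]]$Expected,
        [Parameter(Mandatory)][string]$ComputerName
    )
    foreach ($e in $Expected) {
        # What the GPO says (its registry.pol), read through the GroupPolicy module.
        $inGpo = Get-GPRegistryValue -Name $GpoName -Key $e.Key -ValueName $e.Name -ErrorAction SilentlyContinue

        # What the target actually has after policy processing. A missing value
        # (e.g. SMB1 on a host where the SMB1 feature was never installed) returns $null.
        $onHost = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            param($k, $n)
            $p = $k -replace '^HKLM\\', 'HKLM:\'
            (Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue).$n
        } -ArgumentList $e.Key, $e.Name

        [pscustomobject]@{
            Setting   = '{0}\{1}' -f $e.Key, $e.Name
            Expected  = $e.Value
            InGpo     = $inGpo.Value
            OnHost    = $onHost
            Compliant = ($inGpo.Value -eq $e.Value -and $onHost -eq $e.Value)
        }
    }
}

Test-GPOSetting -GpoName $gpoName -Expected $expected -ComputerName 'SERVER01' | Format-Table -AutoSize

# Account policy for domain accounts is resolved from the domain root, never from
# an OU-linked GPO; this is what domain users are actually subject to.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration

# Per-group exceptions are fine-grained password policies (PSOs), listed by precedence.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```

A row with InGpo correct but OnHost wrong usually means the GPO is not reaching that server (scope, filtering or a pending refresh), which the gpresult and RSOP steps earlier on this page will confirm; a row with InGpo empty means the value was never written to the GPO at all.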