How to Configure Group Policy on Windows Server 2019

Group Policy is the primary mechanism for centrally managing configuration for users and computers in an Active Directory domain. A Group Policy Object (GPO) carries thousands of settings covering security policy, software installation, startup and logon scripts, desktop configuration, folder redirection and more. The tooling on Windows Server 2019 is essentially what earlier releases shipped: the Group Policy Management Console (GPMC) and its PowerShell module, fine-grained password policies edited in the Active Directory Administrative Center (available since Windows Server 2012), and a Central Store for ADMX templates in SYSVOL (supported since Windows Server 2008). What changes with 2019 is mainly the newer ADMX set that exposes recent Windows 10 settings.

Group Policy Infrastructure

A GPO is stored in two places. The Group Policy Container (GPC) is an object in Active Directory (under CN=Policies,CN=System) that holds the GPO's GUID, version number, status and the list of client-side extensions (CSEs) it uses. The Group Policy Template (GPT) is a folder tree in SYSVOL (Policies\{GUID}) that holds the actual settings: registry.pol, the security template, scripts, and GPT.INI with its own copy of the version number. A client first queries AD for the GPCs that apply to it, then reads the settings from the GPT in SYSVOL, so both halves must agree. Because SYSVOL is replicated separately by DFS Replication (domains still on FRS must be migrated before a Windows Server 2019 domain controller can be promoted), a client can see a GPC version ahead of the GPT on whichever domain controller it talks to, which is the classic cause of a policy applying at one site and not another.

# Install Group Policy Management Console
Install-WindowsFeature -Name GPMC

# Import the Group Policy module
Import-Module GroupPolicy

# List all GPOs in the domain
Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime | Sort-Object DisplayName

Creating and Linking Group Policy Objects

GPOs live in the domain; linking one to a site, the domain or an OU is what makes it apply. When several GPOs are linked to the same container, link order decides precedence: link order 1 is processed last and wins any conflict with higher-numbered links. Across containers the usual LSDOU order applies (local, site, domain, OU, child OU), with later containers overriding earlier ones unless a link is Enforced or an OU blocks inheritance:

# Create a new GPO (unlinked; it does nothing until it is linked somewhere)
New-GPO -Name "Server Security Baseline" `
    -Comment "CIS Level 1 security baseline for member servers"

# Create a GPO and link it to an OU in one step
New-GPO -Name "Workstation Configuration" | `
    New-GPLink -Target "OU=Workstations,DC=corp,DC=example,DC=com" `
    -LinkEnabled Yes

# Link an existing GPO to an OU at link order 1 (highest precedence on that OU)
New-GPLink -Name "Server Security Baseline" `
    -Target "OU=Servers,DC=corp,DC=example,DC=com" `
    -LinkEnabled Yes `
    -Order 1

# Generate a full HTML report of the GPO (settings, links, security filtering, delegation)
Get-GPOReport -Name "Server Security Baseline" -ReportType HTML -Path "C:\Reports\ServerBaseline.html"
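The precedence rule above is easy to get wrong once Enforced links and blocked inheritance are involved. The following is an added example, not code from the original article, that lists every GPO a container will receive in the order the client resolves them, so you can see which one wins before you link a new baseline. It assumes the GroupPolicy module is available and that the OU distinguished name in the usage line exists; both are placeholders.

```powershell
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param(
        [Parameter(Mandatory)] [string] $TargetDN   # site, domain or OU distinguished name
    )

    $inh = Get-GPInheritance -Target $TargetDN

    # InheritedGpoLinks is already sorted by precedence: the first entry wins any
    # conflict (it is processed last). Enforced links from parent containers remain in
    # the list even when this OU blocks inheritance, which is why Enforced is shown.
    $precedence = 1
    foreach ($link in $inh.InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        [PSCustomObject]@{
            Precedence  = $precedence
            GPO         = $link.DisplayName
            LinkedAt    = $link.Target
            Enforced    = $link.Enforced
            LinkEnabled = $link.Enabled
            GpoStatus   = $gpo.GpoStatus          # AllSettingsEnabled, UserSettingsDisabled, ...
            WmiFilter   = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { $null }
        }
        $precedence++
    }

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$TargetDN blocks inheritance: only Enforced links from parent containers apply."
    }
}

# Usage (placeholder OU): Precedence 1 overrides every other GPO in the list
Get-GpoProcessingOrder -TargetDN "OU=Servers,DC=corp,DC=example,DC=com" | Format-Table -AutoSize
```

A GPO that shows up with LinkEnabled false or a status that disables the relevant half (UserSettingsDisabled for a user setting) will appear in the list but contributes nothing, so read those columns together with the precedence number.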

Configuring Security Settings via GPO

Use Set-GPRegistryValue to write registry-based policy settings (the Administrative Templates half of a GPO, stored in registry.pol) from PowerShell. The Security Settings half (password and lockout policy, user rights, audit policy, services, file and registry ACLs) is stored as a security template (GptTmpl.inf) and has no dedicated Group Policy cmdlet: import an .inf into a GPO with the Import Policy action on the Security Settings node in the Group Policy Management Editor, or apply it to a single machine with secedit. Note that Import-GPO restores a GPO backup, not a security template, and that the Security Configuration Wizard was removed in Windows Server 2016:

# Password and lockout policy for domain accounts comes from the GPO linked at the
# domain root with the highest precedence (by default the Default Domain Policy);
# per-group exceptions are Fine-Grained Password Policies (PSOs), not additional GPOs.

# Compare this machine against a security template: the template is imported into
# the database and the differences are written to secedit.log
secedit /analyze /db C:\Windows\security\database\secedit.sdb /cfg C:\baseline.inf /log C:\secedit.log

# Apply the template to this machine (this configures the local computer, not a GPO).
# Valid /areas values: SECURITYPOLICY GROUP_MGMT USER_RIGHTS REGKEYS FILESTORE SERVICES
secedit /configure /db C:\Windows\security\database\secedit.sdb /cfg C:\baseline.inf /areas SECURITYPOLICY USER_RIGHTS /log C:\secedit.log

# Set a registry-based policy value in a GPO (written to the GPO's registry.pol;
# HKLM keys land in Computer Configuration, HKCU keys in User Configuration)

# Disable AutoRun/AutoPlay on every drive type (0xFF = all drive-type bits set)
Set-GPRegistryValue `
    -Name "Workstation Configuration" `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoDriveTypeAutoRun" `
    -Type DWord `
    -Value 0xFF

# Disable Windows Script Host (stops .vbs/.js droppers running via wscript/cscript)
Set-GPRegistryValue `
    -Name "Workstation Configuration" `
    -Key "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" `
    -ValueName "Enabled" `
    -Type DWord `
    -Value 0

# Keep UAC enabled (EnableLUA=0 switches Admin Approval Mode off entirely)
Set-GPRegistryValue `
    -Name "Server Security Baseline" `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "EnableLUA" `
    -Type DWord `
    -Value 1
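Writing values into a GPO is the easy half; knowing later that they are still there is what keeps a baseline honest. The following is an added example, not code from the original article, that reads the hardening values back out of the GPOs with Get-GPRegistryValue, reports each one as OK, Drift or Missing, and optionally rewrites it. The GPO names match the snippets above, and the expected-value table is constructed for this example (the LocalAccountTokenFilterPolicy row is an extra hardening value, not one the article sets).

```powershell
Import-Module GroupPolicy

# Expected state: one row per policy value (constructed for this example)
$Expected = @(
    @{ Gpo = "Workstation Configuration"; Key = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = "NoDriveTypeAutoRun"; Value = 255 },
    @{ Gpo = "Workstation Configuration"; Key = "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings";            Name = "Enabled";            Value = 0 },
    @{ Gpo = "Server Security Baseline";  Key = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";   Name = "EnableLUA";          Value = 1 },
    # 1 would let local admin accounts bypass UAC over the network (pass-the-hash friendly); 0 is the hardened value
    @{ Gpo = "Server Security Baseline";  Key = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";   Name = "LocalAccountTokenFilterPolicy"; Value = 0 }
)

function Test-GpoBaseline {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Expected,
        [switch] $Remediate
    )

    foreach ($e in $Expected) {
        # Get-GPRegistryValue throws when the value is not defined in the GPO; treat that as "Missing"
        try {
            $actual = (Get-GPRegistryValue -Name $e.Gpo -Key $e.Key -ValueName $e.Name -ErrorAction Stop).Value
        } catch {
            $actual = $null
        }

        $status = if ($null -eq $actual)      { "Missing" }
                  elseif ($actual -eq $e.Value) { "OK" }
                  else                          { "Drift" }

        if ($Remediate -and $status -ne "OK") {
            Set-GPRegistryValue -Name $e.Gpo -Key $e.Key -ValueName $e.Name -Type DWord -Value $e.Value | Out-Null
            $status += " (fixed)"
        }

        [PSCustomObject]@{
            GPO      = $e.Gpo
            Value    = "$($e.Key)\$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            Status   = $status
        }
    }
}

# Report only; add -Remediate to write the expected values back into the GPOs
Test-GpoBaseline -Expected $Expected | Format-Table -AutoSize
```

Run it read-only from a scheduled task and alert on anything other than OK; a value that goes Missing usually means someone edited the GPO in the GUI and set the policy back to Not Configured.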

Configuring Software Restriction Policies and AppLocker

AppLocker, available on Windows Server 2019 and on the Enterprise and Education editions of Windows 10, is an application allow-listing mechanism: only executables, scripts, installers, DLLs and packaged apps that match an allow rule may run. The default rule set permits everything under the Windows and Program Files directories (which ordinary users cannot write to) plus everything for local Administrators, so the practical effect is that software dropped into user-writable locations such as profile and temp folders does not run. Two caveats: rules are only enforced while the Application Identity service (AppIDSvc) is running, so set it to start automatically in the same GPO, and deploy in Audit only mode first, reviewing the 8003 events before switching a rule collection to Enforce rules:

# Build AppLocker rules for a GPO from a reference machine.
# Start from the default rules (allow Windows, Program Files, and everything for
# local Administrators) in the Group Policy Management Editor, or generate rules
# with New-AppLockerPolicy as below.

# Capture the effective AppLocker policy of the reference machine
$policy = Get-AppLockerPolicy -Effective

# Keep an XML copy for review and version control
Get-AppLockerPolicy -Effective -Xml | Out-File "C:\AppLocker\reference-policy.xml"

# Write it straight into a GPO. -Ldap takes the GPO's AD path, which Get-GPO exposes as .Path
$gpo = Get-GPO -Name "Workstation Configuration"
$policy | Set-AppLockerPolicy -Ldap "LDAP://$($gpo.Path)"

# Generate allow rules for executables under System32: publisher rules for signed
# files, hash rules as the fallback for unsigned ones. -Optimize collapses rules
# that share a publisher into one.
$exeRules = Get-AppLockerFileInformation -Directory "C:\Windows\System32" -FileType Exe -Recurse |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix "Allow Windows System32" -Optimize

# Merge the new rules into the GPO's existing AppLocker policy instead of replacing it
Set-AppLockerPolicy -PolicyObject $exeRules -Ldap "LDAP://$($gpo.Path)" -Merge
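The safe rollout the text describes, audit first and enforce later, is worth seeing end to end. The following is an added example, not code from the original article: it builds a policy from the locations users cannot write to, forces every rule collection into audit mode, writes it to a GPO, evaluates a couple of files against it offline with Test-AppLockerPolicy, and then summarises the audit events that show what enforcement would have stopped. The GPO name, the output path and the usage paths are assumptions; the files passed to Test-AppLockerPolicy must exist on the machine running it.

```powershell
Import-Module AppLocker
Import-Module GroupPolicy

function New-AuditModeAppLockerPolicy {
    param(
        [string] $GpoName = "Workstation Configuration",        # assumed GPO
        [string] $XmlPath = "C:\AppLocker\audit-policy.xml"     # assumed output path
    )
    # Allow rules from the locations ordinary users cannot write to: publisher rules
    # for signed files, hash rules as the fallback for unsigned ones
    $fileInfo = foreach ($dir in "C:\Windows", "C:\Program Files", "C:\Program Files (x86)") {
        Get-AppLockerFileInformation -Directory $dir -FileType Exe, Script, WindowsInstaller -Recurse -ErrorAction SilentlyContinue
    }
    $policy = $fileInfo |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -RuleNamePrefix "Baseline"

    # Audit only: nothing is blocked, but every would-be block is logged as event 8003
    foreach ($collection in $policy.RuleCollections) {
        $collection.EnforcementMode = "AuditOnly"
    }

    New-Item -Path (Split-Path $XmlPath) -ItemType Directory -Force | Out-Null
    $policy.ToXml() | Set-Content -Path $XmlPath          # reviewable copy for version control

    # Write the same policy into the GPO's AppLocker settings
    $gpo = Get-GPO -Name $GpoName
    Set-AppLockerPolicy -PolicyObject $policy -Ldap "LDAP://$($gpo.Path)"
    return $XmlPath
}

function Test-PathsAgainstPolicy {
    param(
        [Parameter(Mandatory)] [string]   $XmlPath,
        [Parameter(Mandatory)] [string[]] $Paths
    )
    # Offline check of what the policy would decide for each existing file, before deployment
    Test-AppLockerPolicy -XmlPolicy $XmlPath -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerAuditHits {
    param([int] $Hours = 24)
    # 8003 = allowed but would have been blocked (audit), 8004 = blocked (enforced)
    Get-WinEvent -FilterHashtable @{
        LogName   = "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/MSI and Script"
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, @{ n = "FilePath"; e = { $_.Name } }
}

# Usage (assumed paths): build, test two files offline, then review three days of audit events
$xml = New-AuditModeAppLockerPolicy
Test-PathsAgainstPolicy -XmlPath $xml -Paths "C:\Windows\System32\cmd.exe", "C:\Users\Public\test-tool.exe"
Get-AppLockerAuditHits -Hours 72
```

Collect the 8003 events from a representative set of machines for a few weeks; every legitimate file path in that list is a rule you still need to add before you flip the collections to Enabled.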

Configuring Folder Redirection

Folder Redirection moves a user's known folders (Documents, Desktop, AppData\Roaming and others) from the local profile to a network share, so the data lands on a server that is backed up, follows the user between workstations, and survives a failed machine. Two security points matter here. The file server share must be set up so that each user can create only their own folder and cannot enumerate anyone else's (the NTFS permissions Microsoft documents for the redirection root). And the editor's default "Grant the user exclusive rights" option creates each user's folder with only that user and SYSTEM in the ACL, which keeps administrators out until they take ownership; decide deliberately whether that fits your backup and investigation workflows:

# Folder Redirection is configured in the Group Policy Management Editor under
# User Configuration > Policies > Windows Settings > Folder Redirection. For
# Documents, choose "Basic - Redirect everyone's folder to the same location",
# target "Create a folder for each user under the root path", and the root path
# \\fs01.corp.example.com\redirected (the editor appends \%USERNAME%\Documents).
# The settings are stored in the GPT (fdeploy1.ini under the User folder) and applied
# by the Folder Redirection client-side extension; the GroupPolicy module has no cmdlet for them.

# Registry-only fallback: repoint the shell folder path through registry.pol.
# This is NOT Folder Redirection. It does not move existing files, create the target
# with per-user permissions, or enable Offline Files, and the value is tattooed
# (it stays after the GPO is unlinked). Use it only where the proper CSE cannot be used.
Set-GPRegistryValue `
    -Name "User Configuration Policy" `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" `
    -ValueName "Personal" `
    -Type ExpandString `
    -Value "\\fs01.corp.example.com\redirected\%USERNAME%\Documents"

Set-GPRegistryValue `
    -Name "User Configuration Policy" `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" `
    -ValueName "Desktop" `
    -Type ExpandString `
    -Value "\\fs01.corp.example.com\redirected\%USERNAME%\Desktop"
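The GPO side is only half of the job; the share it points at is where redirected data is protected or exposed. The following is an added example, not code from the original article, that provisions the redirection root on the file server with the NTFS permissions Folder Redirection expects (users can create and enter their own folder but not list or open anyone else's) and publishes it as an access-based-enumeration share. The local path, share name and administrative group are assumptions.

```powershell
Import-Module SmbShare

function New-RedirectionRoot {
    param(
        [string] $Path       = "D:\Redirected",                       # assumed local path
        [string] $ShareName  = "redirected",                          # assumed share name
        [string] $AdminGroup = "$env:USERDOMAIN\Domain Admins"        # assumed admin group
    )

    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    $FSR   = [System.Security.AccessControl.FileSystemRights]
    $Full  = $FSR::FullControl
    $CI    = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $OI    = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $NoInh = [System.Security.AccessControl.InheritanceFlags]::None
    $PInh  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $PNone = [System.Security.AccessControl.PropagationFlags]::None
    $Allow = [System.Security.AccessControl.AccessControlType]::Allow

    # Start from an empty DACL with inheritance from the parent switched off
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)

    $rules = @(
        # Users get just enough on the root itself to create their own folder and traverse into it
        @{ Id = "NT AUTHORITY\Authenticated Users"
           Rights = $FSR::ListDirectory -bor $FSR::CreateDirectories -bor $FSR::ReadAttributes -bor $FSR::Traverse
           Inh = $NoInh; Prop = $PNone },
        # Whoever creates a subfolder (the user) owns it fully; InheritOnly keeps this ACE off the root
        @{ Id = "CREATOR OWNER";      Rights = $Full; Inh = $CI -bor $OI; Prop = $PInh  },
        @{ Id = "NT AUTHORITY\SYSTEM"; Rights = $Full; Inh = $CI -bor $OI; Prop = $PNone },
        @{ Id = $AdminGroup;          Rights = $Full; Inh = $CI -bor $OI; Prop = $PNone }
    )
    foreach ($r in $rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, $r.Rights, $r.Inh, $r.Prop, $Allow)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share level stays permissive (NTFS does the real work); access-based enumeration
    # hides other users' folders; EncryptData forces SMB 3 encryption on the wire
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess "NT AUTHORITY\Authenticated Users" `
            -FolderEnumerationMode AccessBased -EncryptData $true | Out-Null
    }
    "\\$env:COMPUTERNAME\$ShareName"
}

# Usage on the file server: returns the UNC path to put in the Folder Redirection root
New-RedirectionRoot
```

EncryptData refuses SMB 1 and SMB 2 clients, which is what you want for profile data; drop it only if you still have such clients and accept the exposure. Verify the result with Get-Acl on the root and on one freshly created user folder.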

Configuring Logon and Startup Scripts

Group Policy can run scripts at computer startup and shutdown (as SYSTEM, before any user logs on) and at user logon and logoff (as the user). PowerShell scripts are supported alongside batch and VBScript; they get their own tab in the editor and their own psscripts.ini in the GPT. Treat the script files as you would a service binary: whoever can modify a startup script in SYSVOL, or the .ini that lists it, runs code as SYSTEM on every computer the GPO is linked to, so leave the SYSVOL ACLs at their defaults and review any delegated GPO edit rights:

# Add a PowerShell startup script to a GPO.
# The script file lives in the GPO's GPT under Machine\Scripts\Startup, and the
# list of PowerShell scripts is psscripts.ini in Machine\Scripts (scripts.ini holds
# .bat/.cmd/.vbs/.exe entries).
$GPO = Get-GPO -Name "Server Security Baseline"
$ScriptsPath = "\\$($GPO.DomainName)\SYSVOL\$($GPO.DomainName)\Policies\{$($GPO.Id)}\Machine\Scripts"
$StartupPath = Join-Path $ScriptsPath "Startup"

New-Item -Path $StartupPath -ItemType Directory -Force | Out-Null
Copy-Item "C:\Scripts\ServerStartup.ps1" -Destination $StartupPath

# Register the script: one numbered CmdLine/Parameters pair per script, in run order.
# The editor writes this file as UTF-16 (Unicode).
@"
[Startup]
0CmdLine=ServerStartup.ps1
0Parameters=
"@ | Set-Content -Path (Join-Path $ScriptsPath "psscripts.ini") -Encoding Unicode

# Placing the files is not enough on its own. Clients only run the Scripts client-side
# extension when the GPO's GPC lists it in gPCMachineExtensionNames and the GPO version
# has been incremented; the Group Policy Management Editor does both when you add the
# script under Computer Configuration > Policies > Windows Settings > Scripts (Startup),
# so use the editor for that registration step. Set-GPRegistryValue cannot register
# scripts: the keys under ...\Group Policy\Scripts on a client are written by the CSE
# itself, not read from registry.pol.
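Because a writable script in SYSVOL is code execution on every linked machine, the check a practitioner wants is "who, other than administrators, can change these files". The following is an added example, not code from the original article, that walks the Policies tree in SYSVOL and reports every Allow ACE granting write, modify, delete, take-ownership or change-permissions rights to a principal outside a trusted list. It covers script files and the .ini files that register them, and also registry.pol and GptTmpl.inf, since a writable one of those lets an attacker push arbitrary settings. The domain and the trusted-writer list are assumptions; extend the list if you have deliberately delegated GPO editing.

```powershell
function Find-WritableSysvolPolicyFiles {
    param(
        [string]   $Domain = $env:USERDNSDOMAIN,                       # assumed domain
        [string[]] $TrustedWriters = @(                                # assumed allow-list
            "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", "CREATOR OWNER",
            "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins",
            "$env:USERDOMAIN\Group Policy Creator Owners"
        )
    )

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"

    # Any of these rights lets the holder change what runs or what gets configured
    $writeMask = 0
    foreach ($right in "WriteData", "AppendData", "Write", "Modify", "FullControl",
                       "Delete", "TakeOwnership", "ChangePermissions") {
        $writeMask = $writeMask -bor [int][System.Security.AccessControl.FileSystemRights]::$right
    }
    $genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, which show up as raw numbers

    Get-ChildItem -Path $policies -Recurse -File -ErrorAction SilentlyContinue `
        -Include *.ps1, *.bat, *.cmd, *.vbs, *.js, *.exe, *.pol, GptTmpl.inf, scripts.ini, psscripts.ini |
    ForEach-Object {
        $file = $_
        $gpoId = if ($file.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { "" }
        $acl = Get-Acl -LiteralPath $file.FullName

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne "Allow") { continue }
            $raw = [int]$ace.FileSystemRights
            $canWrite = (($raw -band $writeMask) -ne 0) -or (($raw -band $genericMask) -ne 0)
            if (-not $canWrite) { continue }
            if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }

            [PSCustomObject]@{
                GpoId     = $gpoId
                File      = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: anything returned here deserves an immediate look
Find-WritableSysvolPolicyFiles | Format-Table -AutoSize
```

An ACE that is Inherited = True points at a problem higher up the tree (typically the {GUID} folder itself, which is where delegated "Edit settings" rights are applied), so fix the parent rather than the individual file.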

Managing the Central Store for ADMX Templates

The Central Store is a folder in SYSVOL (Policies\PolicyDefinitions) that holds ADMX template files and their language-specific ADML files. When it exists, the Group Policy Management Editor on every management workstation reads templates from it instead of the local %SystemRoot%\PolicyDefinitions, so every administrator sees the same set of settings. Two consequences follow: every template you want to edit must be in the store (templates present only on a workstation are ignored once the store exists), and the store does not update itself, so refresh it from Microsoft's current ADMX download whenever you raise the Windows client baseline; a 2019 server's own PolicyDefinitions folder lacks settings that newer Windows 10 releases introduced:

# Create the Central Store (the folder name must be exactly PolicyDefinitions)
$CentralStorePath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
New-Item -Path $CentralStorePath -ItemType Directory -Force

# Seed it with the ADMX/ADML files shipped with Windows Server 2019 (or, better, with
# the latest ADMX package downloaded from Microsoft, extracted to a local folder first)
Copy-Item "C:\Windows\PolicyDefinitions\*.admx" -Destination $CentralStorePath
Copy-Item "C:\Windows\PolicyDefinitions\en-US" -Destination $CentralStorePath -Recurse

# Import third-party ADMX templates (e.g. Chrome, Office): download from the vendor
# and copy the .admx to the root and each .adml to its language folder
Copy-Item "C:\Downloads\chrome.admx" -Destination $CentralStorePath
Copy-Item "C:\Downloads\en-US\chrome.adml" -Destination "$CentralStorePath\en-US"
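Two things go wrong with Central Stores in practice: an .admx copied without its .adml (the editor then fails with a "resource ... could not be found" error and hides those settings), and a store that silently falls behind the templates on administrators' workstations. The following is an added example, not code from the original article, that checks both. The language list and the local template path are assumptions.

```powershell
function Test-CentralStore {
    param(
        [string]   $Domain    = $env:USERDNSDOMAIN,               # assumed domain
        [string[]] $Languages = @("en-US"),                       # assumed language folders
        [string]   $LocalDefs = "C:\Windows\PolicyDefinitions"    # templates on this workstation
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $admx  = Get-ChildItem -Path $store -Filter *.admx -File

    foreach ($file in $admx) {
        # Every ADMX needs a matching ADML in each language folder the editor may use
        foreach ($lang in $Languages) {
            $adml = Join-Path (Join-Path $store $lang) ($file.BaseName + ".adml")
            if (-not (Test-Path -LiteralPath $adml)) {
                [PSCustomObject]@{ Issue = "Missing ADML"; File = $file.Name; Language = $lang }
            }
        }
        # A newer copy on the local machine means the store has not been refreshed
        $local = Join-Path $LocalDefs $file.Name
        if ((Test-Path -LiteralPath $local) -and
            (Get-Item -LiteralPath $local).LastWriteTime -gt $file.LastWriteTime) {
            [PSCustomObject]@{ Issue = "Local copy newer than store"; File = $file.Name; Language = "" }
        }
    }
}

# Usage: an empty result means the store is consistent and at least as new as this machine's templates
Test-CentralStore | Format-Table -AutoSize
```

Run it from the workstation with the newest Windows build; that is the one whose local templates are most likely to be ahead of the store.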

Troubleshooting Group Policy

Group Policy troubleshooting tools help diagnose why policies are or are not applying correctly:

# Force Group Policy update on local machine
gpupdate /force

# Force Group Policy update on a remote computer
Invoke-GPUpdate -Computer "workstation01" -Force -RandomDelayInMinutes 0

# Generate a Group Policy Results report for a specific user on a computer
Get-GPResultantSetOfPolicy -ReportType HTML -Path "C:\Reports\GPResult-jdoe.html" `
    -Computer "workstation01" -User "corp\jdoe"

# Command-line RSOP report
gpresult /H "C:\Reports\GPResult.html" /F

# Show applied GPOs summary
gpresult /R

# Check Group Policy event logs for processing errors
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" `
    -MaxEvents 50 | Where-Object {$_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning"}

# Check that each GPO's AD (GPC) and SYSVOL (GPT) version numbers agree on this DC,
# for both the User and Computer halves. A mismatch usually means SYSVOL replication
# is lagging or broken; an edit in the editor bumps both numbers together.
Get-GPO -All | ForEach-Object {
    [PSCustomObject]@{
        Name              = $_.DisplayName
        UserDSVersion     = $_.User.DSVersion
        UserSysvolVersion = $_.User.SysvolVersion
        CompDSVersion     = $_.Computer.DSVersion
        CompSysvolVersion = $_.Computer.SysvolVersion
        InSync            = ($_.User.DSVersion -eq $_.User.SysvolVersion) -and
                            ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion)
    }
} | Where-Object { -not $_.InSync }
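The version check above only sees the domain controller you happen to be talking to. When a policy applies at one site and not another, the question is which DC is behind. The following is an added example, not code from the original article, that reads every GPO's GPC version through each DC's LDAP and its GPT version from each DC's own SYSVOL copy of GPT.INI, then flags any GPO whose numbers differ between DCs or between AD and SYSVOL. It assumes the ActiveDirectory and GroupPolicy modules and network reachability of every DC.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoVersionByDC {
    param([string] $Domain = $env:USERDNSDOMAIN)    # assumed domain

    $dcs  = (Get-ADDomainController -Filter * -Server $Domain).HostName
    $gpos = Get-GPO -All -Domain $Domain

    foreach ($gpo in $gpos) {
        $rows = foreach ($dc in $dcs) {
            # GPC version as stored on this DC: User in the high 16 bits, Computer in the low 16
            $adGpo  = Get-GPO -Guid $gpo.Id -Domain $Domain -Server $dc
            $gpcVer = ($adGpo.User.DSVersion -shl 16) -bor $adGpo.Computer.DSVersion

            # GPT version from this DC's own SYSVOL copy of GPT.INI
            $ini    = "\\$dc\SYSVOL\$Domain\Policies\{$($gpo.Id)}\GPT.INI"
            $gptVer = $null
            if (Test-Path -LiteralPath $ini) {
                $content = Get-Content -LiteralPath $ini -Raw
                if ($content -match '(?m)^Version=(\d+)') { $gptVer = [int]$Matches[1] }
            }
            [PSCustomObject]@{ DC = $dc; GpcVersion = $gpcVer; GptVersion = $gptVer }
        }

        # Consistent = same GPC value on every DC, same GPT value on every DC, and GPC == GPT
        $consistent = (@($rows.GpcVersion | Select-Object -Unique).Count -eq 1) -and
                      (@($rows.GptVersion | Select-Object -Unique).Count -eq 1) -and
                      (@($rows)[0].GpcVersion -eq @($rows)[0].GptVersion)

        [PSCustomObject]@{
            GPO        = $gpo.DisplayName
            Consistent = $consistent
            Detail     = (@($rows) | ForEach-Object { "$($_.DC): GPC=$($_.GpcVersion) GPT=$($_.GptVersion)" }) -join "; "
        }
    }
}

# Usage: show only GPOs whose versions differ between DCs or between AD and SYSVOL
Get-GpoVersionByDC | Where-Object { -not $_.Consistent } | Format-List
```

A DC whose GPT version is missing (GPT.INI absent) or lower than the others is the one whose SYSVOL replication to investigate, with dfsrdiag and the DFS Replication event log on that DC.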

Group Policy is one of the most powerful tools in the Windows Server administrator’s toolkit. Use it consistently to enforce security baselines across all managed systems, deploy software, and maintain configuration consistency. Always test GPO changes in a staging environment with a limited set of test machines before deploying broadly to avoid impacting production users and systems.