How to Configure Windows Server 2016 Group Policy Objects
Group Policy Objects (GPOs) are one of the most powerful administrative tools in Windows Server 2016. A GPO is a collection of settings that define how a system behaves for users and computers. GPOs can enforce security policies, deploy software, configure user environments, manage Windows Firewall, and much more. They apply to Active Directory sites, domains, and Organizational Units, and are managed primarily through the Group Policy Management Console (GPMC).
Installing Group Policy Management Console
On a Domain Controller, GPMC is typically installed by default when the AD DS role is configured. On other servers or management workstations, install it using Server Manager or PowerShell:
Install-WindowsFeature -Name GPMC
On Windows 10 with RSAT installed, enable the feature:
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Creating a New Group Policy Object
Open GPMC by running gpmc.msc. In the left pane, expand your forest and domain. Right-click Group Policy Objects and select New. Enter a descriptive name for the GPO. It is best practice to name GPOs by their function and scope, such as “Corp_Workstation_Security” or “IT_PowerShell_Execution”. Click OK to create the GPO. At this point the GPO exists but is not linked to any container and has no settings configured. To create the same GPO from PowerShell:
New-GPO -Name "Corp_Workstation_Security" -Comment "Security baseline for workstations"
Editing a Group Policy Object
Right-click the GPO and select Edit to open the Group Policy Management Editor. The editor presents two main sections: Computer Configuration and User Configuration. Under each you will find Policies (which enforce settings) and Preferences (which configure but do not lock settings). Policies are further divided into Software Settings, Windows Settings (including Security Settings and Scripts), and Administrative Templates. Administrative Templates provide thousands of registry-based settings covering every aspect of the Windows environment.
For example, to configure the minimum password length policy, navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
Linking a GPO to a Container
Creating a GPO does not apply it — you must link it to a site, domain, or OU. In GPMC, right-click the target domain or OU and select Link an Existing GPO. Select the GPO from the list and click OK. The GPO will now apply to all objects within that container that match its Computer or User Configuration settings. To create the link from PowerShell:
New-GPLink -Name "Corp_Workstation_Security" -Target "OU=Workstations,DC=corp,DC=local" -LinkEnabled Yes
GPO Processing Order and Precedence
GPOs are processed in a specific order, which is important when multiple GPOs apply to the same object. The processing order (from lowest to highest precedence) is: Local Group Policy, Site GPOs, Domain GPOs, OU GPOs (parent to child). Within each level, GPOs are processed in the order listed in GPMC, with the GPO at the top of the list having the lowest precedence and the one at the bottom having the highest. This is known as LSDOU order.
Conflicting settings are resolved by the last writer winning — the GPO with the highest precedence overrides conflicting settings from lower-precedence GPOs. Non-conflicting settings from multiple GPOs are cumulative.
GPO Inheritance and Blocking
By default, GPOs linked at a parent OU are inherited by child OUs. You can block inheritance on an OU to prevent parent GPOs from applying. Right-click the OU in GPMC and select Block Inheritance. This prevents all GPOs linked above from flowing down. However, an Enforced (previously called No Override) GPO ignores block inheritance — enforced GPOs always apply regardless of inheritance blocking. To block inheritance from PowerShell:
Set-GPInheritance -Target "OU=Quarantine,DC=corp,DC=local" -IsBlocked Yes
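An added audit example (not from the original article): it lists every OU that has Block Inheritance set and shows which links from parent containers still reach it, which is how you confirm that an enforced baseline survives the block. It assumes the ActiveDirectory and GroupPolicy RSAT modules and read access to the domain; the function name and the BaselineGap column are hypothetical.

```powershell
# Added example: report OUs that block inheritance and what still applies to them.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed.
Import-Module ActiveDirectory, GroupPolicy

function Get-BlockedInheritanceReport {
    [CmdletBinding()]
    param(
        # Search root; defaults to the current domain's distinguished name.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $som = Get-GPInheritance -Target $ou.DistinguishedName
        if (-not $som.GpoInheritanceBlocked) { continue }

        # Enabled links made directly on this OU.
        $direct = @($som.GpoLinks | Where-Object Enabled)

        # InheritedGpoLinks is the effective list for the OU. Anything in it
        # whose Target is another container arrived from above; with
        # inheritance blocked, that can only be an enforced link.
        $fromAbove = @($som.InheritedGpoLinks |
            Where-Object { $_.Enabled -and $_.Target -ne $ou.DistinguishedName })

        [pscustomobject]@{
            OU                 = $ou.DistinguishedName
            DirectLinks        = ($direct.DisplayName -join '; ')
            EnforcedFromParent = ($fromAbove.DisplayName -join '; ')
            # True when no parent GPO (for example a security baseline)
            # reaches this OU at all.
            BaselineGap        = ($fromAbove.Count -eq 0)
        }
    }
}

Get-BlockedInheritanceReport | Sort-Object OU | Format-Table -AutoSize -Wrap
```

Site-linked GPOs are not part of this view; Get-GPInheritance works on domains and OUs only.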
Security Filtering
By default, every GPO applies to the Authenticated Users group. Security filtering allows you to restrict GPO application to specific users, computers, or groups. In GPMC, select the GPO link under an OU (not the GPO in the Group Policy Objects folder), and in the right pane look at the Security Filtering section. Remove Authenticated Users and add the specific group you want to target. This is useful for applying different policies to different sets of computers within the same OU. The equivalent PowerShell commands:
Set-GPPermissions -Name "Corp_Workstation_Security" -PermissionLevel GpoApply -TargetName "Domain Computers" -TargetType Group
Set-GPPermissions -Name "Corp_Workstation_Security" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group
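An added audit example (not the article's own code) for the filtering step above: since a 2016 Windows security update, user policy is retrieved in the computer's security context, so a GPO from which Authenticated Users was removed still needs Read for the computers that process it. The function flags GPOs where none of the listed reader groups holds at least Read, and GPOs that apply to nobody; treating Authenticated Users and Domain Computers as the acceptable readers is an assumption, and the function and column names are hypothetical.

```powershell
# Added example: find security-filtered GPOs that computers can no longer read.
# Assumes the GroupPolicy module (installed with GPMC) and domain read access.
Import-Module GroupPolicy

function Get-GpoFilterAudit {
    [CmdletBinding()]
    param(
        # Assumption: one of these groups must keep at least Read on every GPO.
        [string[]]$ReaderGroups = @('Authenticated Users', 'Domain Computers')
    )

    foreach ($gpo in Get-GPO -All) {
        $aces = @(Get-GPPermission -Guid $gpo.Id -All)

        # Trustees on the Security Filtering list (Read plus Apply group policy).
        $applyTo = @($aces | Where-Object {
            $_.Permission -eq 'GpoApply' -and -not $_.Denied
        })

        # Each of these permission levels includes Read.
        $readers = @($aces | Where-Object {
            $_.Trustee.Name -in $ReaderGroups -and -not $_.Denied -and
            $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
        })

        [pscustomobject]@{
            Gpo             = $gpo.DisplayName
            AppliesTo       = ($applyTo.Trustee.Name -join '; ')
            ComputerCanRead = ($readers.Count -gt 0)
            NoApplyTarget   = ($applyTo.Count -eq 0)
        }
    }
}

# Show only the GPOs that need attention.
Get-GpoFilterAudit |
    Where-Object { -not $_.ComputerCanRead -or $_.NoApplyTarget } |
    Format-Table -AutoSize -Wrap
```

If computers get Read through a custom group instead, pass that group's name in -ReaderGroups.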
WMI Filtering
WMI filters allow GPO application to be conditioned on WMI queries. For example, you can apply a GPO only to computers running Windows 10 or only to laptops. Create a WMI filter in GPMC under the WMI Filters container, write a WQL query, then link it to the GPO in the GPO Properties dialog. Note that WMI filters only affect Computer Configuration settings and do not work on Windows 2000 clients.
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%" AND ProductType = "1"
Forcing and Refreshing Group Policy
GPOs are refreshed automatically every 90 minutes for workstations (with a 30-minute randomized offset) and every 5 minutes for Domain Controllers. To force an immediate refresh, use gpupdate on the target machine:
gpupdate /force
To force a Group Policy refresh remotely with PowerShell (the GroupPolicy module installed with GPMC), run Invoke-GPUpdate against each target computer:
Invoke-GPUpdate -Computer "DESK-001" -Force -RandomDelayInMinutes 0
Backing Up and Restoring GPOs
Regularly back up GPOs to protect against accidental changes or deletion:
Backup-GPO -All -Path "C:\GPOBackups" -Comment "Weekly backup $(Get-Date -Format yyyy-MM-dd)"
To restore a specific GPO from backup:
Restore-GPO -Name "Corp_Workstation_Security" -Path "C:\GPOBackups"
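An added example (not from the original article): repeated Backup-GPO runs into one folder accumulate, and Restore-GPO -Name restores the most recent backup it finds, so this version writes each run to its own dated folder, records the backup IDs, and restores a chosen GPO by BackupId. The dated folder layout, the catalogue.csv file and both function names are assumptions.

```powershell
# Added example: dated GPO backup sets with a catalogue for targeted restores.
# Assumes the GroupPolicy module and rights to back up and restore GPOs.
Import-Module GroupPolicy

function New-GpoBackupSet {
    param([string]$Root = 'C:\GPOBackups')   # backup root used in the article

    $dir = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    $backups = @(Backup-GPO -All -Path $dir -Comment "Backup set $(Split-Path $dir -Leaf)")

    # Catalogue: maps each GPO to the BackupId (Id) needed to restore it later.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dir 'catalogue.csv') -NoTypeInformation

    # Verify that every GPO in the domain produced a backup in this set.
    $missing = @(Get-GPO -All | Where-Object { $_.Id -notin $backups.GpoId })
    if ($missing.Count -gt 0) {
        Write-Warning "No backup for: $($missing.DisplayName -join ', ')"
    }
    $dir   # return the path of the new backup set
}

function Restore-GpoFromSet {
    param(
        [Parameter(Mandatory)][string]$SetPath,   # a folder returned by New-GpoBackupSet
        [Parameter(Mandatory)][string]$Name       # display name of the GPO to restore
    )
    $entry = Import-Csv (Join-Path $SetPath 'catalogue.csv') |
        Where-Object DisplayName -eq $Name | Select-Object -First 1
    if (-not $entry) { throw "GPO '$Name' is not in backup set $SetPath" }

    # Restore exactly this backup and ask for confirmation first.
    Restore-GPO -BackupId $entry.Id -Path $SetPath -Confirm
}

# Example run: take a backup set before a change, roll one GPO back if needed.
# $set = New-GpoBackupSet
# Restore-GpoFromSet -SetPath $set -Name 'Corp_Workstation_Security'
```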
Troubleshooting GPO Application
Use the Resultant Set of Policy (RSoP) tool or gpresult to diagnose which GPOs are applying and why. On the target machine, run:
gpresult /h C:\gpreport.html /f
This generates an HTML report showing applied GPOs, denied GPOs, and any errors. In GPMC, you can also run the Group Policy Results and Group Policy Modeling wizards to simulate and diagnose policy application for specific users and computers.
Best Practices
Never edit the Default Domain Policy or Default Domain Controllers Policy directly; instead create new GPOs for custom settings. Use descriptive names and populate the Comment field to document the purpose of each GPO. Test new GPOs on a pilot OU before broad deployment. Use security filtering to limit scope rather than creating duplicate OUs. Back up all GPOs before making significant changes. Keep GPOs focused — one GPO per policy area is easier to manage than large monolithic GPOs that handle everything.
Group Policy Objects are a cornerstone of Windows Server administration. A disciplined approach to creating, linking, and maintaining GPOs significantly reduces administrative overhead and improves the security posture of your environment.