How to Configure Group Policy on Windows Server 2012 R2
Group Policy is the primary mechanism for centrally managing the configuration of users and computers in an Active Directory environment. Through Group Policy Objects (GPOs), administrators can enforce security settings, deploy software, configure Windows components, map drives, set desktop wallpaper, restrict access to Control Panel, configure Windows Firewall, and much more — all from a central management console without touching individual machines. Windows Server 2012 R2 includes Group Policy Management Console (GPMC), the Resultant Set of Policy (RSoP) tools, and PowerShell cmdlets for full scripted management.
This guide covers the complete Group Policy workflow: creating and linking GPOs, managing settings, configuring security filtering, troubleshooting policy application, and best practices for a maintainable GPO structure.
Prerequisites
- Active Directory Domain Services deployed.
- Domain Administrator account (or delegated GPO management rights).
- Group Policy Management Console installed (included with Remote Server Administration Tools).
- Client computers joined to the domain for testing policy application.
Step 1: Install Group Policy Management Tools
# Install GPMC and Remote Server Administration Tools
Install-WindowsFeature -Name GPMC -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name GPMC | Select-Object Name, InstallState
# Import the GroupPolicy PowerShell module
Import-Module GroupPolicy
# List all GPOs in the domain
Get-GPO -All | Select-Object DisplayName, GpoStatus, ModificationTime | Sort-Object DisplayName
Step 2: Create and Link a GPO
# Create a new GPO
New-GPO -Name "Workstation Security Baseline" `
-Comment "Applies security baseline settings to all workstations"
# Link the GPO to an Organisational Unit
New-GPLink `
-Name "Workstation Security Baseline" `
-Target "OU=Workstations,OU=Corp,DC=corp,DC=example,DC=com" `
-LinkEnabled Yes `
-Enforced No
# Create and link in one step
New-GPO -Name "Server Hardening Policy" |
New-GPLink -Target "OU=Servers,OU=Corp,DC=corp,DC=example,DC=com"
# Link the same GPO to multiple OUs
New-GPLink -Name "Workstation Security Baseline" `
-Target "OU=Remote-Workers,OU=Corp,DC=corp,DC=example,DC=com"
# List all GPO links on an OU
Get-GPInheritance -Target "OU=Workstations,OU=Corp,DC=corp,DC=example,DC=com"
Step 3: Configure Common Security Settings via PowerShell
The Set-GPRegistryValue cmdlet lets you configure any registry-based policy setting. Administrative Template settings under both Computer Configuration and User Configuration are registry-based, so they can be set this way; the value lands under the listed key when the policy is applied on the client.
# Set the screen saver timeout to 15 minutes (900 seconds)
Set-GPRegistryValue `
    -Name "Workstation Security Baseline" `
    -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" `
    -ValueName "ScreenSaveTimeOut" `
    -Type String `
    -Value "900"
# Require a password to dismiss the screen saver
Set-GPRegistryValue `
    -Name "Workstation Security Baseline" `
    -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" `
    -ValueName "ScreenSaverIsSecure" `
    -Type String `
    -Value "1"
# Disable autorun/autoplay on all drive types (0xFF = every drive type bit set)
Set-GPRegistryValue `
    -Name "Workstation Security Baseline" `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoDriveTypeAutoRun" `
    -Type DWord `
    -Value 255
# Restrict local accounts with blank passwords to console logon only
# (LimitBlankPasswordUse; this does not disable the Guest account itself)
Set-GPRegistryValue `
    -Name "Workstation Security Baseline" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "LimitBlankPasswordUse" `
    -Type DWord `
    -Value 1
# Point Windows Update at the internal WSUS server
Set-GPRegistryValue `
    -Name "Workstation Security Baseline" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
    -ValueName "WUServer" `
    -Type String `
    -Value "http://WSUS-SRV:8530"
Set-GPRegistryValue `
    -Name "Workstation Security Baseline" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" `
    -ValueName "WUStatusServer" `
    -Type String `
    -Value "http://WSUS-SRV:8530"
# UseWUServer must be set or the WUServer values above are ignored
Set-GPRegistryValue `
    -Name "Workstation Security Baseline" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -ValueName "UseWUServer" `
    -Type DWord `
    -Value 1
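The calls above set values one at a time; what a practitioner usually wants is the baseline expressed as data so it can be reviewed, re-applied and checked for drift. The following script is an added example, not part of the original guide: it applies the same registry values from a table and then reads each one back with Get-GPRegistryValue to confirm the GPO still matches. It assumes the "Workstation Security Baseline" GPO from Step 2 exists; the function names are this example's own.

```powershell
# Added example (not from the original guide): declarative baseline with a drift check.
Import-Module GroupPolicy

$GpoName = 'Workstation Security Baseline'   # assumed: GPO created in Step 2

# Desired state as data, one row per policy value (same keys/values as Step 3)
$Baseline = @(
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       ValueName = 'ScreenSaveTimeOut';   Type = 'String'; Value = '900' },
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       ValueName = 'ScreenSaverIsSecure'; Type = 'String'; Value = '1' },
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoDriveTypeAutoRun';  Type = 'DWord';  Value = 255 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       ValueName = 'UseWUServer';         Type = 'DWord';  Value = 1 }
)

function Set-GpoBaseline {
    param([string]$Name = $GpoName, [object[]]$Settings = $Baseline)
    foreach ($s in $Settings) {
        # Re-running is safe: Set-GPRegistryValue overwrites the same value in place
        Set-GPRegistryValue -Name $Name -Key $s.Key -ValueName $s.ValueName `
            -Type $s.Type -Value $s.Value | Out-Null
    }
}

function Test-GpoBaseline {
    param([string]$Name = $GpoName, [object[]]$Settings = $Baseline)
    foreach ($s in $Settings) {
        # Get-GPRegistryValue errors when the value is absent from the GPO; treat that as drift
        $actual = Get-GPRegistryValue -Name $Name -Key $s.Key -ValueName $s.ValueName `
            -ErrorAction SilentlyContinue
        $actualValue = if ($actual) { $actual.Value } else { '<not set>' }
        [pscustomobject]@{
            ValueName = $s.ValueName
            Expected  = $s.Value
            Actual    = $actualValue
            Compliant = ($null -ne $actual) -and ("$($actual.Value)" -eq "$($s.Value)")
        }
    }
}

Set-GpoBaseline
# Any row with Compliant = False means the GPO no longer matches the table
Test-GpoBaseline | Format-Table -AutoSize
```

Running Test-GpoBaseline on its own (for instance from a scheduled task) turns the table into a lightweight control: an unexpected False row means someone edited the GPO outside the scripted process, which is exactly the change a backup-and-diff routine should also catch.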
Step 4: Configure Security Filtering
By default, GPOs apply to all Authenticated Users in the linked OU. Security filtering restricts GPO application to specific groups — enabling you to create role-specific policies in the same OU structure.
# Remove the default "Authenticated Users" from a GPO's security filter.
# GpoRead keeps Read but drops "Apply Group Policy". -Replace is required here: without
# it the cmdlet leaves an existing higher level (GpoApply) unchanged.
Set-GPPermission `
    -Name "Server Hardening Policy" `
    -TargetName "Authenticated Users" `
    -TargetType Group `
    -PermissionLevel GpoRead `
    -Replace
# NOTE: keep Read for Authenticated Users (or Domain Computers). Computer accounts must be
# able to read a GPO for it to be processed at all, so only remove Apply, never Read.
# Add a specific group to the GPO's security filter
Set-GPPermission `
    -Name "Server Hardening Policy" `
    -TargetName "IT-Server-Admins" `
    -TargetType Group `
    -PermissionLevel GpoApply
# View current security permissions on a GPO
Get-GPPermission -Name "Server Hardening Policy" -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied | Format-Table
# Use WMI filtering for additional targeting (e.g., Windows 10 only)
# Create a WMI filter in GPMC (GUI) and link it to the GPO
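The failure mode of security filtering is silent: a GPO whose computer-account principal has lost Read is simply never applied, and nothing in the GPMC link view shows it. The script below is an added example, not from the original guide. It walks every GPO, reports which groups have Apply, and flags GPOs where neither Authenticated Users nor Domain Computers retains at least Read. Matching is by SID (S-1-5-11 for Authenticated Users, RID 515 for Domain Computers) rather than by display name; function names are this example's own.

```powershell
# Added example (not from the original guide): audit security filtering on every GPO.
Import-Module GroupPolicy

# Permission levels that include Read on the GPO
$ReadLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-ComputerReadTrustee {
    param($Trustee)
    # S-1-5-11 = Authenticated Users; a SID ending in -515 = Domain Computers
    $sid = $Trustee.Sid.Value
    return ($sid -eq 'S-1-5-11') -or ($sid -like '*-515')
}

function Get-GpoFilterAudit {
    foreach ($gpo in Get-GPO -All) {
        # Look up by GUID so duplicate display names cannot make the query ambiguous;
        # ignore Deny entries, which never grant anything
        $perms = Get-GPPermission -Guid $gpo.Id -All | Where-Object { -not $_.Denied }
        $readKept = $perms | Where-Object {
            (Test-ComputerReadTrustee $_.Trustee) -and ($_.Permission -in $ReadLevels)
        }
        $applyTo = ($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }) -join ', '
        [pscustomobject]@{
            Gpo          = $gpo.DisplayName
            AppliesTo    = $applyTo
            ReadRetained = [bool]$readKept
        }
    }
}

function Repair-GpoReadPermission {
    param([string]$GpoName)
    # Without -Replace this only adds Read where it is missing; an existing higher
    # level (for example GpoApply) is left untouched
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
}

$audit = Get-GpoFilterAudit
$audit | Format-Table -AutoSize
# Restore Read on every GPO the audit flagged
$audit | Where-Object { -not $_.ReadRetained } |
    ForEach-Object { Repair-GpoReadPermission -GpoName $_.Gpo }
```

The AppliesTo column doubles as documentation of the filtering design: a GPO that still lists Authenticated Users under Apply has no effective security filter, which is what you expect for baselines and what you want to notice on a role-specific policy.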
Step 5: Configure GPO Preferences
GPO Preferences (distinct from Policies) allow configuring settings that users can change, rather than enforcing them. They are useful for drive mappings, printer connections, and environment variables.
# GPO Preferences are typically configured via the Group Policy Management Editor GUI
# User Configuration -> Preferences -> Windows Settings -> Drive Maps
# User Configuration -> Preferences -> Control Panel Settings -> Printers
# Only Registry preference items have dedicated cmdlets (Get-/Set-/Remove-GPPrefRegistryValue);
# every other preference type is stored as XML under the GPO's folder in SYSVOL,
# which can be located from the GPO's GUID
$gpo   = Get-GPO -Name "Workstation Security Baseline"
$gpoId = $gpo.Id.Guid
$sysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$gpoId}"
# Drive maps, for example, are written to User\Preferences\Drives\Drives.xml
Get-ChildItem -Path "$sysvol\User\Preferences" -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
# Export a GPO to a backup (useful for documentation and version control); the folder must exist
New-Item -ItemType Directory -Path "C:\GPOBackups" -Force | Out-Null
Backup-GPO -Name "Workstation Security Baseline" -Path "C:\GPOBackups"
# List all backups in the folder: Backup-GPO records every backup in manifest.xml
[xml]$manifest = Get-Content -Path "C:\GPOBackups\manifest.xml"
$manifest.Backups.BackupInst |
    Select-Object GPODisplayName, BackupTime, GPOGuid, ID | Format-Table
# Restore the most recent backup of a GPO from that folder
Restore-GPO -Name "Workstation Security Baseline" -Path "C:\GPOBackups"
Step 6: Generate GPO Reports
# Generate an HTML report of a GPO's settings (create the report folders first)
New-Item -ItemType Directory -Path "C:\Reports\GPOs" -Force | Out-Null
Get-GPOReport `
    -Name "Workstation Security Baseline" `
    -ReportType Html `
    -Path "C:\Reports\Workstation-Security-Baseline.html"
# Generate XML report (useful for parsing or importing)
Get-GPOReport `
    -Name "Workstation Security Baseline" `
    -ReportType Xml `
    -Path "C:\Reports\Workstation-Security-Baseline.xml"
# Generate reports for ALL GPOs
Get-GPO -All | ForEach-Object {
    # Replace characters that are not valid in a Windows file name
    $safeName = $_.DisplayName -replace '[\\/:*?"<>|]', '_'
    # Report by GUID so the lookup is unambiguous even if two GPOs share a display name
    Get-GPOReport -Guid $_.Id `
        -ReportType Html `
        -Path "C:\Reports\GPOs\$safeName.html"
    Write-Host "Report saved for: $($_.DisplayName)"
}
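Steps 5 and 6 give the building blocks for treating GPOs as versioned artefacts; the missing piece is knowing what changed between two runs. The script below is an added example, not from the original guide. Each run writes a time-stamped folder containing a Backup-GPO backup and an HTML report for every GPO plus a manifest.csv, and Compare-GpoManifest diffs two manifests to list GPOs that were added, deleted or modified (by their ModificationTime). The backup root C:\GPOBackups and the function names are this example's assumptions.

```powershell
# Added example (not from the original guide): snapshot all GPOs and diff snapshots.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackups'   # assumed location

function Invoke-GpoSnapshot {
    param([string]$Root = $BackupRoot)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $rows = foreach ($gpo in Get-GPO -All) {
        # One restorable backup plus a human-readable report per GPO
        $backup = Backup-GPO -Guid $gpo.Id -Path $dir -Comment "Snapshot $stamp"
        Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $dir "$($gpo.Id).html")
        [pscustomobject]@{
            DisplayName      = $gpo.DisplayName
            GpoId            = $gpo.Id.ToString()
            ModificationTime = $gpo.ModificationTime.ToString('o')
            Owner            = $gpo.Owner
            GpoStatus        = $gpo.GpoStatus
            BackupId         = $backup.Id.ToString()   # pass to Restore-GPO -BackupId
        }
    }
    $rows | Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
    return $dir
}

function Compare-GpoManifest {
    param([string]$PreviousDir, [string]$CurrentDir)
    $old = @{}; Import-Csv (Join-Path $PreviousDir 'manifest.csv') | ForEach-Object { $old[$_.GpoId] = $_ }
    $new = @{}; Import-Csv (Join-Path $CurrentDir  'manifest.csv') | ForEach-Object { $new[$_.GpoId] = $_ }
    foreach ($id in $new.Keys) {
        if (-not $old.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added';    Gpo = $new[$id].DisplayName; GpoId = $id }
        } elseif ($old[$id].ModificationTime -ne $new[$id].ModificationTime) {
            [pscustomobject]@{ Change = 'Modified'; Gpo = $new[$id].DisplayName; GpoId = $id }
        }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Deleted';  Gpo = $old[$id].DisplayName; GpoId = $id }
        }
    }
}

# Typical use: snapshot now, then compare against the previous snapshot folder
$current  = Invoke-GpoSnapshot
$previous = Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.FullName -ne $current } | Sort-Object Name | Select-Object -Last 1
if ($previous) { Compare-GpoManifest -PreviousDir $previous.FullName -CurrentDir $current | Format-Table -AutoSize }
```

A "Modified" row identifies the GPO and the snapshot that still holds its previous state, so the HTML reports from the two folders can be compared and, if needed, the earlier version restored with Restore-GPO -BackupId and the folder's path.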
Step 7: Troubleshoot Group Policy Application
# Force an immediate Group Policy refresh on the local machine
gpupdate /force
# Force refresh on a remote computer
Invoke-GPUpdate -Computer "workstation01" -Force -RandomDelayInMinutes 0
# Check which GPOs are applied to the current user/computer
gpresult /r
# Get detailed GPO application results for a user on a computer
gpresult /scope computer /v
gpresult /scope user /v
# Generate an HTML RSoP report for a specific user and computer
Get-GPResultantSetOfPolicy `
    -ReportType Html `
    -Path "C:\Reports\RSoP-WS01-jsmith.html" `
    -Computer "workstation01" `
    -User "CORP\jsmith"
# Check Group Policy event log for errors
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" `
-MaxEvents 50 |
Where-Object { $_.LevelDisplayName -in "Error","Warning" } |
Select-Object TimeCreated, LevelDisplayName, Message |
Format-List
# Check for GPO processing errors
Get-EventLog -LogName Application -Source "SceCli" -Newest 10
# Set GPO link order (lower number = higher precedence)
Set-GPLink `
-Name "Server Hardening Policy" `
-Target "OU=Servers,OU=Corp,DC=corp,DC=example,DC=com" `
-Order 1
# Block GPO inheritance on a specific OU (prevents parent GPOs from flowing down)
Set-GPInheritance `
-Target "OU=Special-Servers,OU=Corp,DC=corp,DC=example,DC=com" `
-IsBlocked Yes
GPO Naming and Structure Best Practices
# Recommended GPO naming convention:
# [Scope]-[Role/Target]-[Function] - [Action]
# Examples:
# CORP-ALL-Security Baseline - Enforce
# CORP-Servers-Windows Update - Configure
# CORP-Workstations-Software Restrictions - Enforce
# CORP-Finance-Drive Maps - Preferences
# List GPOs that are not linked anywhere (potential cleanup targets)
# The XML report contains one <LinksTo> element per site, domain or OU link
Get-GPO -All | ForEach-Object {
    [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
    if (-not $report.GPO.LinksTo) {
        Write-Host "UNLINKED GPO: $($_.DisplayName)"
    }
}
# Check for disabled GPOs (might be candidates for removal)
Get-GPO -All | Where-Object { $_.GpoStatus -ne "AllSettingsEnabled" } |
Select-Object DisplayName, GpoStatus
Summary
Group Policy is the most powerful configuration management tool in the Windows Server 2012 R2 ecosystem. The key operational practices are: create dedicated GPOs for each distinct configuration area (security baseline, Windows Update, drive maps) rather than cramming everything into one massive GPO, use security filtering to apply GPOs to specific groups rather than all objects in an OU, always test new GPOs against a test computer group before linking to production OUs, back up all GPOs regularly and before making changes, use gpresult and RSoP reporting to diagnose unexpected policy behaviour, and maintain a consistent naming convention so that the purpose of every GPO is self-evident from its name. The Group Policy PowerShell module makes all of this fully scriptable, enabling GPO configuration to be version-controlled and deployed as code.