Group Policy Objects

What is a Group policy object?

A Group Policy Object (GPO) is a named collection of policy settings. Each GPO is identified by a globally unique identifier (GUID). GPOs are created like any other Active Directory object and are linked to the site, domain, or organizational unit (OU) whose users and computers the settings should apply to; clients evaluate GPO settings by following the hierarchical structure of Active Directory. On standalone computers, a variant of Group Policy called Local Group Policy (LGPO or LocalGPO) makes it possible to manage Group Policy Objects without Active Directory.

Examples of GPOs

The following are a few examples of how Group Policy Objects can be used in ways that aid security:

  • A Group Policy Object can specify the home page that a user sees after logging into the domain and launching their internet browser.
  • GPOs allow administrators to control which network-connected printers are listed as available when a user logs on to the domain from a particular Active Directory OU.
  • Admins can also use GPOs to modify various security procedures and guidelines, such as limiting internet connection options, software, and even screen time.

Structure of GPO

[Figure: structure of a GPO. Computer configuration: file system path and directory service path. User configuration: file system path and directory service path.]

Where do GPOs store their information?

A GPO stores its configuration information in two locations: the Group Policy Container (GPC) and the Group Policy Template (GPT).

Group Policy Container (GPC)

The GPC is an Active Directory object that holds the GPO’s name, ACL, version information, and enabled/disabled status. It is stored in the CN=Policies,CN=System container of the domain.

Group Policy Template (GPT)

The GPT is stored as files in the SYSVOL share on every domain controller in the domain. It contains the administrative templates and scripts that belong to the GPO. The contents of the SYSVOL folder are replicated between all the domain controllers in the domain.
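As an added example (not from the original article), the following script locates both halves of every GPO, the GPC object under CN=Policies,CN=System and the GPT folder in SYSVOL, and flags GPOs whose AD and SYSVOL versions disagree, which is the usual sign of a SYSVOL replication problem or of files edited outside the Group Policy tools. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined host.

```powershell
# Added example, not the article's or ManageEngine's code.
# Assumes: GroupPolicy + ActiveDirectory modules, read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$policyDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvol   = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

$results = foreach ($gpo in Get-GPO -All) {
    $guid = "{$($gpo.Id)}"

    # GPC: the directory object; versionNumber packs user (high 16 bits)
    # and computer (low 16 bits) versions into one 32-bit value.
    $gpc = Get-ADObject -Identity "CN=$guid,$policyDN" `
                        -Properties displayName, versionNumber, gPCFileSysPath
    $dsVersion = [int64]$gpc.versionNumber -band 0xFFFFFFFF
    $userVer   = ($dsVersion -shr 16) -band 0xFFFF
    $compVer   = $dsVersion -band 0xFFFF

    # GPT: the SYSVOL folder; GPT.ini carries the same packed version number.
    $gptIni     = Join-Path (Join-Path $sysvol $guid) "GPT.ini"
    $gptVersion = $null
    if (Test-Path $gptIni) {
        $ini = Get-Content $gptIni -Raw
        if ($ini -match '(?m)^Version=(\d+)') { $gptVersion = [int64]$Matches[1] }
    }

    [pscustomobject]@{
        Name            = $gpo.DisplayName
        Guid            = $guid
        GPC             = $gpc.DistinguishedName
        GPT             = $gpc.gPCFileSysPath
        ADVersion       = $dsVersion
        SysvolVersion   = $gptVersion
        UserVersion     = $userVer
        ComputerVersion = $compVer
        InSync          = ($gptVersion -eq $dsVersion)
    }
}

# GPOs where AD and SYSVOL disagree deserve a look before anything else.
$results | Where-Object { -not $_.InSync } | Format-Table Name, ADVersion, SysvolVersion, GPT -AutoSize
```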

The Group Policy Object Editor, a standalone utility, is the tool administrators use to build Group Policy. However, it is recommended to use the Group Policy Object Editor as an extension of an Active Directory MMC snap-in, because that lets you browse Active Directory for the appropriate container and construct Group Policy based on the chosen scope of administration (SOM). Examples of such Active Directory snap-ins are Active Directory Users and Computers and Active Directory Sites and Services.

Group policy settings

Note that there are two types of policy settings: those that affect a computer and those that affect a user.

  • System behavior, application settings, security settings, assigned apps, and startup and shutdown procedures are all specified by computer-related policies.
  • User-related policies define user logon and logoff scripts, folder redirection, assigned and published apps, security settings, application settings, and system behavior. Note that where the two conflict, computer-related settings take precedence over user settings.

How do GPOs function?

Two GPOs are created automatically when an AD domain is created:

  • Default Domain Policy: sets default values for the three important areas of password policy, account lockout policy, and Kerberos policy for all users and computers inside a domain.
  • Default Domain Controllers Policy: creates standard security and auditing configurations for each domain controller.

A GPO must be applied (linked) to one or more Active Directory containers, such as a site, domain, or organizational unit (OU), for it to take effect.

Although most enterprises use only a small portion of the policy settings Microsoft offers, they can still easily end up with hundreds or thousands of GPOs created over time to finely govern different elements of their IT environment.

How are Group policy objects created?

When Group Policy is created at the local level, it affects every user of that computer. With Active Directory, however, you can have virtually unlimited Group Policy objects and choose exactly which users and computers receive which settings.

When a GPO is created, two things happen: new entries are created in Active Directory, and new files are automatically created on the domain controllers. Together these make up one GPO.

To create a Group Policy Object, follow these steps, bearing in mind that you must be logged in with a user account that has permission to do so:

  • Go to Start -> Administrative Tools -> Group Policy Management.
  • Expand your Active Directory forest to Domains to find the Group Policy Objects node under your domain.
  • Right-click Group Policy Objects, click New, enter a name, and press OK.
  • In the left pane, expand the Group Policy Objects container, right-click the GPO you created, and choose Edit to open the Group Policy Management Editor and configure the settings you need.
  • To link the GPO you have configured, go to the organizational unit named Domain Controllers, right-click it, select Domains, and then choose the option Link a GPO.
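The same create, configure and link procedure done with the GroupPolicy PowerShell module instead of the GPMC console, as an added example that is not part of the original article. It assumes the RSAT GroupPolicy module, rights to create and link GPOs, and a placeholder OU distinguished name that you replace with your own.

```powershell
# Added example, not the article's or ManageEngine's code.
# Assumes: GroupPolicy module; $targetOU is a placeholder DN.
Import-Module GroupPolicy

$gpoName  = "SEC - Turn off AutoPlay on all drives"     # descriptive name
$targetOU = "OU=Workstations,DC=example,DC=com"          # placeholder OU

# 1. Create the GPO. This writes the GPC object in AD and the GPT folder in
#    SYSVOL. The comment records why the GPO exists (see best practices).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Disables AutoPlay on every drive type; owner: security team (placeholder)"
}

# 2. Configure a computer setting. This is the registry value behind the
#    "Turn off AutoPlay" administrative template; 255 covers all drive types.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoDriveTypeAutoRun" -Type DWord -Value 255 | Out-Null

# 3. Link it to an OU rather than the domain root so only the intended
#    computers receive it. Not enforced, so child OUs keep normal precedence.
$alreadyLinked = (Get-GPInheritance -Target $targetOU).GpoLinks |
                 Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) {
    New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes -Enforced No | Out-Null
}

# 4. Verify from the XML report: every container the GPO is linked to.
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride
```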

Once created, a GPO can only be used within the domain in which it was created.

To apply a GPO’s settings, you link it to one or more sites, domains, or OUs:

  • If a GPO is linked at the site level, its settings apply to all user and computer accounts in that site, regardless of which domain or OU an account belongs to. This is configured using Active Directory Sites and Services and is based on the IP subnet that the user’s PC belongs to.
  • When a GPO is linked at the domain level, all users and computers in the domain, across all OUs below it, are affected.
  • When a GPO is linked at the OU level, it has an impact on every user or machine in that OU as well as all OUs below it (which are called child OUs or sub-OUs).

You can however step in and manage how GPOs are applied to a specific domain, site, or OU by doing any of the following:

  • Changing the link order: In the event of a conflict, the setting in the GPO with the lowest link order will take precedence because it is processed last and has the highest priority.
  • Blocking inheritance: All GPOs are automatically inherited by child OUs from the parent, however, you can prevent this inheritance.
  • Enforcing a GPO link: By default, any conflicting settings in GPOs linked to child OUs take precedence over the settings for parent OUs, but you may reverse this behavior by setting a GPO link to Enforced.
  • Disabling a GPO link: For all GPO links, the processing is by default turned on. However, by turning off the GPO link for a specific container, you can stop a GPO from being applied to that container.

In case you want to link a GPO to more than one domain, you can take one of the following approaches:

  • Create an identical GPO in each domain using the GPMC (Group Policy Management Console).
  • Using the GPMC or a third-party tool, create the GPO in one domain and duplicate it in the other domains.
  • Use cross-domain policy linking. However, this is widely regarded as bad practice.

Group Policy Objects benefits

With the help of Group Policy Objects, organizations can simplify management and secure their IT infrastructure. The following are some advantages of GPOs:

  • Strong password policy: Many firms have lenient password standards, and many individuals have passwords configured never to expire. Passwords that are not changed regularly, are overly simple, or use obvious passphrases are vulnerable to brute force attacks. GPOs can be used to enforce requirements for password complexity, length, and other factors.
  • Principle of least privilege: Users are given restricted access to specific resources for better security; they receive only the access required to complete a necessary task and nothing more. For instance, you can turn off local admin access and grant admin permissions on a per-role basis.
  • Regular health checks: GPOs can be used to deploy software updates and system patches, keeping your environment secure and up to date against the latest security threats.
  • Management of systems: Mundane and extremely time-consuming tasks can be simplified with GPOs. By using GPOs to apply a single, predefined configuration, you can save countless hours of work configuring the environment for new users and PCs joining your domain.

Group policy objects best practices

  • To make deploying and troubleshooting Group Policy simpler, establish an effective organizational unit structure in Active Directory.
  • Give GPOs descriptive names so that administrators can readily understand what each GPO accomplishes.
  • Avoid linking GPOs at the domain level, because they will then be applied to all user and computer objects. This can result in settings being applied to objects that were never meant to receive them.
  • Each GPO should carry a comment stating why it was created, what it is for, and how it is configured.
  • Don’t disable a GPO. If you don’t want the GPO to be applied somewhere, remove its link from that OU instead of disabling it. A disabled GPO stops applying everywhere in the domain, so if it is also linked to another OU, it will no longer work there either.
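As an added example (not from the original article) covering both the link-precedence controls described earlier and the best practices above, this script shows the effective link order for one OU (including blocked inheritance and enforced links) and then audits every GPO in the domain for a missing comment, a non-descriptive name, disabled status, no links at all, or a link at the domain root. It assumes the RSAT GroupPolicy module on a domain-joined host; the OU distinguished name is a placeholder.

```powershell
# Added example, not the article's or ManageEngine's code.
# Assumes: GroupPolicy module; $targetOU is a placeholder DN.
Import-Module GroupPolicy

$targetOU = "OU=Workstations,DC=example,DC=com"   # placeholder
$domainDN = ($targetOU -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
$defaults = 'Default Domain Policy', 'Default Domain Controllers Policy'

# 1. Precedence for the OU: Order 1 within a container has the highest
#    priority (processed last); Enforced links win over child-OU links and
#    ignore blocked inheritance.
$inh = Get-GPInheritance -Target $targetOU
"Inheritance blocked on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 2. Audit every GPO against the best practices.
$domainLinked = (Get-GPInheritance -Target $domainDN).GpoLinks | ForEach-Object { $_.GpoId }

$findings = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links  = @($report.GPO.LinksTo | Where-Object { $_ })
    $issues = @()
    if ([string]::IsNullOrWhiteSpace($gpo.Description))     { $issues += 'no comment' }
    if ($gpo.DisplayName -match '^New Group Policy Object')  { $issues += 'non-descriptive name' }
    if ($gpo.GpoStatus -ne 'AllSettingsEnabled')             { $issues += "disabled ($($gpo.GpoStatus))" }
    if ($links.Count -eq 0)                                   { $issues += 'not linked anywhere' }
    if (($domainLinked -contains $gpo.Id) -and ($gpo.DisplayName -notin $defaults)) {
        $issues += 'linked at domain root'
    }
    if ($issues) {
        [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Issues = ($issues -join '; ') }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize
```

The two default GPOs are exempt from the domain-root check because they are linked there by design.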

Group policies are essential for ensuring that an organization’s employees can use IT resources to do their jobs without incident.
