[SCREENSHOT: Group Policy Management Console showing linked GPOs and OU structure]

Group Policy Deep Dive: Create, Link & Troubleshoot GPOs

Imagine configuring a setting on 500 workstations. One by one. Now imagine changing it once and having it apply everywhere. That’s Group Policy.

Group Policy is one of those skills that immediately identifies you as someone who understands enterprise Windows. If you can design, implement, and troubleshoot Group Policy, you’re valuable.

What you’ll learn:

  • What Group Policy is and how it works
  • Creating and linking GPOs
  • Inheritance, precedence, and enforcement
  • Essential policies every admin should know
  • Troubleshooting GPO issues

Career Value: Group Policy expertise is a core requirement for Windows infrastructure roles. Understanding LSDOU, security filtering, and GPO troubleshooting separates helpdesk technicians from infrastructure engineers. This skill directly impacts salary ranges – expect GBP 45-65k+ for roles requiring solid GPO knowledge.

[SCREENSHOT: Group Policy Management Console – control hundreds of machines from one interface]

Quick Reference

Concept    What It Is                                      Remember
GPO        Group Policy Object – container for settings    Lives in AD, links to OUs
GPMC       Group Policy Management Console                 Your main tool
gpupdate   Force policy refresh                            gpupdate /force
gpresult   See applied policies                            gpresult /r
RSoP       Resultant Set of Policy                         What actually applies
LSDOU      Processing order                                Local – Site – Domain – OU

How Group Policy Works

The Concept

  1. You create a GPO containing settings
  2. You link the GPO to a container (Site, Domain, OU)
  3. Objects in that container receive the settings
  4. Settings refresh periodically (90 mins + random offset)

What Can GPO Control?

Computer Configuration:

  • Security settings
  • Software installation
  • Startup/shutdown scripts
  • Windows settings
  • Registry settings

User Configuration:

  • Desktop settings
  • Folder redirection
  • Logon/logoff scripts
  • Software restrictions
  • Browser settings

Creating Your First GPO

Open GPMC

Server Manager → Tools → Group Policy Management

Or run: gpmc.msc

Create and Link

  1. Navigate to the OU you want to target
  2. Right-click – “Create a GPO in this domain, and Link it here…”
  3. Name it descriptively: SEC-Workstations-ScreenLock

Naming Convention Tip:

  • SEC- = Security policies
  • CFG- = Configuration policies
  • SW- = Software deployment
  • Target in name = clear scope

Edit the GPO

Right-click – Edit

You’ll see two main sections:

  • Computer Configuration – Applies to computers
  • User Configuration – Applies to users

[SCREENSHOT: Group Policy Management Editor]
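The same create-link-edit steps scripted with the GroupPolicy PowerShell module, as an added example that is not part of the original article. It assumes the OU distinguished name shown; the screen saver settings it writes are User Configuration policy values, so they live under HKCU\Software\Policies and the GPO's unused computer half is disabled.

```powershell
# Added example (not from the original article): create, link and populate the
# SEC-Workstations-ScreenLock GPO with the GroupPolicy module.
# Assumes the OU DN below; the three screen saver values are User Configuration
# policies, so their registry values live under HKCU\Software\Policies.
Import-Module GroupPolicy

$GpoName  = 'SEC-Workstations-ScreenLock'
$TargetOu = 'OU=Workstations,DC=corp,DC=example'      # assumed OU, adjust to your domain
$Policies = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# 1. Create the GPO (with a comment, see "Document everything") if it does not exist ...
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Screen saver lock after 10 minutes. Owner: infra team.'
}
# 2. ... link it to the OU (link enabled, not enforced) unless already linked ...
if (-not (Get-GPInheritance -Target $TargetOu).GpoLinks.Where({ $_.DisplayName -eq $GpoName })) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}
# 3. ... write the three settings. The ADMX stores all three as REG_SZ strings.
Set-GPRegistryValue -Guid $gpo.Id -Key $Policies -Type String -ValueName 'ScreenSaveActive'    -Value '1'   | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $Policies -Type String -ValueName 'ScreenSaveTimeOut'   -Value '600' | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $Policies -Type String -ValueName 'ScreenSaverIsSecure' -Value '1'   | Out-Null
# 4. Nothing is set on the computer side, so disable it (faster processing).
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Verify: the HTML report is what you would attach to a change ticket.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$GpoName.html"
Get-GPRegistryValue -Guid $gpo.Id -Key $Policies | Format-Table ValueName, Type, Value
```

Run it from a domain-joined admin workstation with RSAT installed; re-running is safe because both the create and the link steps are guarded.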

Essential Policies Every Admin Should Know

Security Policies

Password Policy (Computer – Windows Settings – Security Settings – Account Policies)

Minimum password length: 12 characters
Password complexity: Enabled
Maximum password age: 90 days

Account Lockout (Same location)

Lockout threshold: 5 invalid attempts
Lockout duration: 30 minutes
Reset counter after: 30 minutes

Audit Policy (Computer – Windows Settings – Security Settings – Local Policies – Audit Policy)

Audit logon events: Success, Failure
Audit account management: Success, Failure
Audit policy change: Success, Failure

Workstation Policies

Screen Lock (Computer – Administrative Templates – Control Panel – Personalization)

Enable screen saver: Enabled
Screen saver timeout: 600 seconds (10 min)
Password protect screen saver: Enabled

Windows Update (Computer – Administrative Templates – Windows Components – Windows Update)

Configure Automatic Updates: Enabled
- Auto download and schedule install
- Schedule: Every day at 3:00 AM

USB Restriction (Computer – Administrative Templates – System – Removable Storage Access)

Removable Disks: Deny write access: Enabled

User Policies

Folder Redirection (User – Windows Settings – Folder Redirection)

  • Redirects Documents, Desktop to network share
  • Data follows user, centralized backup

Drive Mapping (User – Preferences – Windows Settings – Drive Maps)

  • Map network drives at logon
  • Example: Action “Replace”, map \\server\share to drive letter H:

Inheritance and Precedence

LSDOU: The Processing Order

L  - Local Policy (on the machine)
S  - Site Policy
D  - Domain Policy
OU - OU Policy (parent OUs first, then child OUs; the “O” and “U” of LSDOU are this one level)

Last applied wins (with exceptions). Computer Configuration and User Configuration are processed separately; where the same setting is defined in both, the computer setting takes precedence.

Inheritance

By default, GPOs inherit down the OU tree:

Domain Policy
    +-- Applies to all OUs below
        +-- OU Policy
            +-- Applies to child OUs
                +-- Child OU can have own GPO too

Block Inheritance

On an OU: Right-click – “Block Inheritance”

This stops policies from above applying. Use sparingly – it makes troubleshooting harder.

Enforced (No Override)

On a GPO link: Right-click – “Enforced”

This GPO will apply even if child OUs block inheritance. Domain admins use this for critical security policies.

Enforced GPO > Block Inheritance > Normal GPO

Security Filtering and WMI Filters

Security Filtering

By default, GPOs apply to “Authenticated Users.” You can change this:

  1. Select the GPO in GPMC
  2. Look at “Security Filtering” section
  3. Remove “Authenticated Users”
  4. Add specific groups

Example: A GPO that only applies to IT staff:

  • Remove “Authenticated Users”
  • Add “IT-Staff” security group

WMI Filters

Apply GPOs based on computer properties:

Only apply to Windows 11 (every Windows 11 build reports a version starting 10.0.22 or, for 24H2, 10.0.26, while Windows 10 stops at 10.0.19045, so “10.0.2%” matches all Windows 11 releases and no Windows 10; ProductType “1” limits it to workstation editions):

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2%" AND ProductType = "1"

Only apply to laptops:

SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2

Create WMI filters in GPMC – WMI Filters – New
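Security filtering and the WMI queries above, scripted and checked with PowerShell. This is an added example, not code from the article; the GPO name CFG-ITStaff-Tools and the group IT-Staff are assumed to exist.

```powershell
# Added example (not from the original article): scope a GPO to one group with
# security filtering, then sanity-check a WMI filter query before attaching it.
# Assumes GPO 'CFG-ITStaff-Tools' and group 'IT-Staff' exist (names are made up).
Import-Module GroupPolicy

function Set-GpoScopeToGroup {
    param([string]$GpoName, [string]$GroupName)
    # Drop the default "Authenticated Users" apply permission ...
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace
    # ... and grant Apply (which includes Read) to the intended group only.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply
    # Caveat: since MS16-072 (KB3163622) the computer account reads user-side GPOs,
    # so if no computer principal keeps Read, user settings silently stop applying.
    # Keep Read (not Apply) for Domain Computers.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Test-WmiFilterQuery {
    # Runs the WQL on this machine the way the Group Policy client evaluates a
    # WMI filter: the filter "matches" when the query returns at least one row.
    param([string]$Query)
    $rows = Get-CimInstance -Query $Query -ErrorAction Stop
    [bool]($rows | Measure-Object).Count
}

Set-GpoScopeToGroup -GpoName 'CFG-ITStaff-Tools' -GroupName 'IT-Staff'

# The two filters from the article; "10.0.2%" also covers Windows 11 24H2 (10.0.26100).
$win11  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.2%" AND ProductType = "1"'
$laptop = 'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'
"Windows 11 filter matches this machine: $(Test-WmiFilterQuery $win11)"
"Laptop filter matches this machine    : $(Test-WmiFilterQuery $laptop)"
```

Test-WmiFilterQuery only tells you whether the query is valid and what it returns here; run it on a representative member of each target class before linking the filter to a GPO.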

Troubleshooting GPO

gpupdate: Force Refresh

# Refresh both computer and user policy
gpupdate /force

# Just computer policy
gpupdate /target:computer /force

# Just user policy
gpupdate /target:user /force

gpresult: See What’s Applied

# Summary of applied GPOs
gpresult /r

# Full report
gpresult /h C:\Temp\GPOReport.html

# For another user
gpresult /user jsmith /r

# Remote computer
gpresult /s WORKSTATION01 /r
[SCREENSHOT: gpresult output showing applied GPOs]

Common Issues

GPO Not Applying:

  1. Is the GPO linked? (Check GPMC)
  2. Is the GPO enabled? (Check both link and GPO status)
  3. Is the object in the right OU?
  4. Security filtering blocking it?
  5. WMI filter excluding it?
  6. Has policy refreshed? (gpupdate /force)
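The six-point checklist above, turned into one PowerShell function that reports each answer for a given GPO and computer. This is an added example, not the article's code; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and the GPO and computer names at the bottom are placeholders.

```powershell
# Added example (not from the original article): walk the "GPO not applying"
# checklist for one computer using the GroupPolicy and ActiveDirectory modules.
# Assumes RSAT on a domain-joined admin workstation; names below are placeholders.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoScope {
    param([string]$GpoName, [string]$ComputerName)

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    # 2. GPO status: AllSettingsDisabled / ComputerSettingsDisabled would explain it.
    "GPO status   : $($gpo.GpoStatus)"
    # 5. WMI filter attached? If so, evaluate its query on the target.
    "WMI filter   : $(if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' })"
    # 4. Security filtering: who actually holds Apply Group Policy?
    $apply = Get-GPPermission -Guid $gpo.Id -All |
             Where-Object Permission -eq 'GpoApply' | ForEach-Object { $_.Trustee.Name }
    "Applies to   : $($apply -join ', ')"

    # 3. Where is the object? Collect every OU above it, then the domain itself.
    $dn = (Get-ADComputer $ComputerName).DistinguishedName
    $containers = @()
    $parent = $dn
    while ($parent -notmatch '^DC=') {
        $parent = $parent -replace '^[^,]+,', ''            # drop the leading RDN
        if ($parent -match '^(OU|DC)=') { $containers += $parent }
    }
    # 1. Is the GPO linked on that path, and is each link enabled or enforced?
    foreach ($c in $containers) {
        $inh = Get-GPInheritance -Target $c
        $blocked = if ($inh.GpoInheritanceBlocked) { ' [BLOCKS INHERITANCE]' } else { '' }
        "Container    : $c$blocked"
        foreach ($l in ($inh.GpoLinks | Where-Object DisplayName -eq $GpoName)) {
            "  link       : enabled=$($l.Enabled) enforced=$($l.Enforced) order=$($l.Order)"
        }
    }
    # 6. Has the client refreshed? Compare with what gpresult reports on the box.
    "Applied on client (gpresult /r):"
    gpresult /s $ComputerName /scope:computer /r | Select-String $GpoName
}

Test-GpoScope -GpoName 'SEC-Workstations-ScreenLock' -ComputerName 'WORKSTATION01'
```

If the GPO shows a link on the path but gpresult does not list it, the usual culprits are the WMI filter, a missing Apply permission, or a client that has not yet refreshed.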

Conflicting Settings:

# Generate RSoP report
gpresult /h report.html

Check which GPO is “winning” for the setting in question.

Replication Issues:

# Check AD replication
repadmin /replsummary

# Check SYSVOL replication
Get-ChildItem "\\dc01\sysvol" -Recurse | Measure-Object
Get-ChildItem "\\dc02\sysvol" -Recurse | Measure-Object
# Counts should match

Best Practices

GPO Design

  1. One purpose per GPO – Don’t mix unrelated settings
  2. Descriptive names – SEC-Workstations-ScreenLock, not GPO1
  3. Document everything – Use GPO comments and external documentation
  4. Test first – Use a test OU before production
  5. Disable unused sections – If only using Computer Config, disable User Config (faster processing)

OU Design for GPO

Domain
+-- Admin OUs (Domain Admins exempt from many policies)
+-- Workstations
|   +-- Standard (normal GPOs apply)
|   +-- Kiosk (locked-down GPOs)
|   +-- Test (new GPOs tested here first)
+-- Servers
|   +-- Domain Controllers
|   +-- Member Servers
|   +-- Test Servers
+-- Users
    +-- Standard Users
    +-- Admins
    +-- Service Accounts

Interview Questions

Q1: “A user says a policy isn’t applying. How do you troubleshoot?”

Good Answer: “First, I’d run gpresult /r on their machine to see what’s actually applying. I’d check if the GPO is in the list and if there are any denied GPOs. Then I’d verify in GPMC: Is the GPO linked? Is it enabled? Is the user/computer in the right OU? Is there security filtering blocking them? I’d also check gpupdate /force and wait for replication if it’s a new GPO.”

Q2: “Explain GPO inheritance and how to override it.”

Good Answer: “GPOs process in LSDOU order: Local, Site, Domain, OU – with last applied winning by default. Child OUs inherit from parents. You can block inheritance on an OU to stop policies from above, but an administrator can set a GPO to Enforced, which overrides blocking. In practice, I avoid blocking inheritance because it makes troubleshooting difficult – I prefer security filtering to target specific groups.”

Q3: “How would you deploy a security setting to all workstations but not servers?”

Good Answer: “Several ways. Best practice: Have separate OUs for workstations and servers, link the GPO only to the Workstations OU. Alternative: Use security filtering with a ‘Domain Computers’ minus ‘Servers’ approach, or use a WMI filter that checks for workstation OS. I prefer OU-based targeting – it’s clearer and easier to audit.”

Career Application

On your resume:

  • “Designed and implemented Group Policy architecture for 500+ workstation environment”
  • “Created security baseline GPOs aligned with CIS benchmarks”
  • “Reduced helpdesk tickets 40% through standardized desktop configuration via GPO”

Demonstrate:

  • Understanding of inheritance and precedence
  • Troubleshooting methodology
  • Security policy implementation
  • Testing and rollout procedures

Next Steps

  • Next in series: Windows Networking – DNS, DHCP for AD
  • Related: Security Hardening – GPO-based security
  • Practice: Create a test OU, build GPOs for password policy, screen lock, and drive mapping

With Group Policy, you control hundreds of machines from one console. Next: the networking foundations that make AD work.

Windows Fundamentals Series

Part 4 of 6

Previous: PowerShell Basics | Next: Windows Networking
