Intermediate · 9 min read · Updated Apr 20, 2026

Active Directory Group Policy from Scratch

Create your first GPO in 30 minutes: open gpmc.msc, link to an OU, set policies, test on one OU before broad deployment. Backup + restore included.

In short

Group Policy (GP) lets you enforce settings across every domain-joined computer and user — passwords, drive mappings, software installation, browser configuration, Windows Update, anything. Setup: open the Group Policy Management Console (gpmc.msc) on a DC, right-click your Organisational Unit (OU) → Create a GPO and Link it Here, set policies, then wait for clients to refresh (90-minute default cycle, or gpupdate /force for an immediate refresh). Test on a single OU before applying to "Authenticated Users".

What you'll need

  • Active Directory domain with a DC (see Promote a Windows VPS to a Domain Controller)
  • Domain Admin credentials (or delegated GPO management rights)
  • At least one domain-joined client to test against
  • Group Policy Management feature installed (default on DCs; install via Install-WindowsFeature GPMC on member servers if needed)
  • 30 minutes for first GPO; <5 min for subsequent

Group Policy concepts (briefly)

  • GPO (Group Policy Object) = a collection of settings stored in AD + SYSVOL
  • Linked to: Site, Domain, or Organisational Unit (OU) — the more specific the link, the higher the precedence
  • Policy refresh = clients pull GPO changes every 90 minutes ± 30 (default), at startup, and at login
  • Loopback Processing = special mode for kiosks / RDS hosts where the User policy follows the COMPUTER not the user

Step 1 — Open Group Policy Management Console

On a DC:

  1. Press Win + R → type gpmc.msc → Enter
  2. Expand Forest: contoso.local → Domains → contoso.local
  3. You'll see existing GPOs (default: Default Domain Policy, Default Domain Controllers Policy)

DO NOT modify the Defaults. Always create new GPOs and link them — keeps a clear audit trail and avoids breaking baseline AD/security defaults.

Step 2 — Create your first GPO (example: password policy override for one OU)

  1. Right-click an OU (e.g. Accounting) → Create a GPO and Link it Here…
  2. Name: Accounting - Password Lockout
  3. Right-click the new GPO → Edit
  4. Group Policy Management Editor opens
  5. Navigate: Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
  6. Set:
    • Account lockout threshold: 5 invalid attempts
    • Account lockout duration: 15 minutes
    • Reset account lockout counter after: 15 minutes
  7. Close the editor

The GPO is now linked. Apply on a client:

Powershell
gpupdate /force
gpresult /r    # see what GPOs apply to the current user

Common GPOs to set early

1. Disable Print Spooler on servers (security)

  • Computer Configuration → Policies → Windows Settings → Security Settings → System Services → Print Spooler
  • Set Startup mode: Disabled

2. Force minimum password complexity

  • Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
  • Minimum password length: 14
  • Password must meet complexity requirements: Enabled
  • Maximum password age: 90 days

3. Map a network drive at logon

  • User Configuration → Preferences → Windows Settings → Drive Maps
  • Right-click → New → Mapped Drive
  • Drive Letter: H:, Path: \\fileserver\users\%username%
  • Replace existing connections at startup

4. Allow RDP connections

  • Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections
  • Allow users to connect remotely by using Remote Desktop Services: Enabled

5. Configure Windows Update for Business (defer feature updates)

  • Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Update → Manage updates offered from Windows Update
  • Select when Preview Builds and Feature Updates are received: Enabled, defer 60 days
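Items 4 and 5 above written from PowerShell with Set-GPRegistryValue, as an added example that is not part of the original article. Both are Administrative Template policies, so they are plain values under HKLM\SOFTWARE\Policies and GPMC renders them as the named policy; items 1 and 3 (a System Service and a Preference) have no GroupPolicy cmdlet and stay in the editor. The GPO name and OU are hypothetical, and the NLA line is added hardening beyond the article's item 4.

```powershell
# Added example (not from the article): registry-backed Administrative Template policies.
# GPO name and OU are hypothetical; registry paths are the ADMX-backed policy locations.
Import-Module GroupPolicy

$GpoName = 'Servers - Baseline'
$Target  = 'OU=Servers,DC=contoso,DC=local'
$ts = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Create and link the GPO once; New-GPO pipes its GPO object into New-GPLink
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $Target -LinkEnabled Yes | Out-Null
}

# Item 4: "Allow users to connect remotely by using Remote Desktop Services" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $ts -ValueName 'fDenyTSConnections' `
    -Type DWord -Value 0 | Out-Null
# Added hardening: require Network Level Authentication so RDP is not reachable pre-auth
Set-GPRegistryValue -Name $GpoName -Key $ts -ValueName 'UserAuthentication' `
    -Type DWord -Value 1 | Out-Null

# Item 5: "Select when Preview Builds and Feature Updates are received" = Enabled, 60 days
# (the readiness-level drop-down of that policy is left at its default here)
Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'DeferFeatureUpdates' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'DeferFeatureUpdatesPeriodInDays' `
    -Type DWord -Value 60 | Out-Null

# Read back what the GPO now carries, for the change record
Get-GPRegistryValue -Name $GpoName -Key $ts | Select-Object ValueName, Type, Value
Get-GPRegistryValue -Name $GpoName -Key $wu | Select-Object ValueName, Type, Value
```

Open the GPO in GPMC afterwards: because the keys match the ADMX definitions, the Settings report shows the same two policies as if they had been clicked through in the editor.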

Step 3 — Test on one OU before broad deployment

GPO precedence: linked at the most specific scope wins. To safely test:

  1. Create a test OU (e.g. Test_Users)
  2. Move 1-2 test user accounts into it
  3. Link your new GPO to ONLY that OU
  4. Wait 90 minutes (or gpupdate /force on the client)
  5. Verify the policy applied as expected
  6. Once confirmed, link to broader scope (Domain or production OU)

Use Group Policy Modeling (in GPMC) to predict effects before applying.
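The Step 2 and Step 3 workflow driven from PowerShell on the DC, as an added example that is not part of the original article. It assumes the contoso.local domain from Step 1, an Accounting OU, a Test_Users OU and a test account 'testuser1' (all hypothetical), and that the lockout values were set in the editor as in Step 2, since the GroupPolicy module has no cmdlet for Security Settings.

```powershell
# Added example: create the GPO, link it only to the test OU, verify, then promote it.
# Assumes domain contoso.local with OUs Test_Users and Accounting and a test account
# 'testuser1' (all hypothetical names). Run on a DC as a Domain Admin.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Accounting - Password Lockout'
$TestOU  = 'OU=Test_Users,DC=contoso,DC=local'
$ProdOU  = 'OU=Accounting,DC=contoso,DC=local'

# 1. Create the GPO, unlinked, if it does not exist yet. The lockout values are
#    Security Settings, which the GroupPolicy module cannot write: set them in the
#    Group Policy Management Editor exactly as in Step 2.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lockout 5 attempts / 15 min; owner: IT Security'
}

# 2. Link to the test OU only and move the test account in (Step 3, items 1-3)
New-GPLink -Guid $gpo.Id -Target $TestOU -LinkEnabled Yes | Out-Null
Get-ADUser -Identity 'testuser1' | Move-ADObject -TargetPath $TestOU

# 3. Check precedence at the test OU: link Order 1 has the highest precedence
(Get-GPInheritance -Target $TestOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# On the test client run: gpupdate /force ; gpresult /r   (Step 3, items 4-5)

# 4. Verified? Link to production and retire the test link (Step 3, item 6)
New-GPLink -Guid $gpo.Id -Target $ProdOU -LinkEnabled Yes | Out-Null
Remove-GPLink -Guid $gpo.Id -Target $TestOU

# 5. Keep a settings report with the change ticket
New-Item -ItemType Directory -Path 'C:\GPOReports' -Force | Out-Null
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "C:\GPOReports\$GpoName.html"
```

One caveat for this particular policy: Account Policies (password and lockout) for domain accounts are read only from GPOs linked at the domain root, so an OU-linked GPO with these settings governs the local accounts on the computers in that OU. A per-OU lockout override for domain users is done with a Fine-Grained Password Policy (New-ADFineGrainedPasswordPolicy) applied to a group instead.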

Step 4 — Verify what GPOs apply

On any client:

Powershell
# What GPOs apply to the current user
gpresult /r
# Detailed HTML report
gpresult /h C:\GPOReport.html
# Force a refresh
gpupdate /force

In GPMC, Group Policy Results (right-click → Group Policy Results Wizard) shows what's applied to a specific user/computer combination.

Group Policy Preferences (GPP) vs Policies

Two flavours:

  • Policies — enforced; the user can't change them and they are re-applied at every refresh. Written under the Policies registry keys (HKLM\Software\Policies, HKCU\Software\Policies). The editor labels them "settings"
  • Preferences — applied as "defaults" that the user can change afterwards. Written to the regular registry keys the application itself uses. The editor labels them "settings" too (confusing)

Use Policies for security (passwords, firewall, audit). Use Preferences for convenience (drive maps, printer mappings, registry tweaks).

Common mistakes

  1. Editing the Default Domain Policy — pollutes the baseline; hard to roll back. Always create new GPOs.
  2. Linking too broadly — linking a test GPO to the entire Domain breaks production. Use OUs.
  3. Forgetting gpupdate /force after a change — clients refresh only every 90 minutes, which is easy to overlook while testing
  4. GPO not applying despite link — check security filtering. By default "Authenticated Users" applies, but if you've replaced it with a specific group, computers may be excluded
  5. Loopback processing not enabled on RDS hosts — User policy follows the user, but on a shared RDS host you usually want the User policy to follow the COMPUTER. Enable Loopback Processing for RDS Session Host OUs
  6. No backup — GPO Backup Wizard runs in 30 seconds. Run it monthly so you can restore a broken GPO
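An audit for mistakes 4 and 5 above, as an added example that is not part of the original article: it walks every GPO and flags security filtering that dropped "Authenticated Users", then checks whether any GPO linked to the RDS hosts OU enables loopback processing. The RDS OU path is hypothetical; the registry value checked (UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System) is the one the loopback policy writes.

```powershell
# Added example (not from the article): find GPOs whose security filtering will silently
# stop them applying, and confirm loopback on the RDS OU. RDS OU path is hypothetical.
Import-Module GroupPolicy

$RdsOU = 'OU=RDS Hosts,DC=contoso,DC=local'

# --- Mistake 4: security filtering ---
# Since MS16-072 the computer account reads user-side policy, so every GPO needs Read
# for Authenticated Users (or Domain Computers) even when Apply was moved to a narrower group.
$findings = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    $au = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    $dc = $perms | Where-Object { $_.Trustee.Name -eq 'Domain Computers' }

    if (-not $au -and -not $dc) {
        [pscustomobject]@{ GPO = $gpo.DisplayName
                           Finding = 'No Read for Authenticated Users / Domain Computers: user settings will not apply' }
    } elseif ($au -and $au.Permission -eq 'GpoRead') {
        [pscustomobject]@{ GPO = $gpo.DisplayName
                           Finding = 'Filtered to a specific group (Authenticated Users = Read only): check the group contains the computers too' }
    }
}
$findings | Format-Table -AutoSize -Wrap

# --- Mistake 5: loopback on the RDS Session Host OU ---
# Only one of the GPOs linked to the OU needs it; report which (if any) sets it.
$modes = @{ 1 = 'Merge'; 2 = 'Replace' }
$loopback = foreach ($link in (Get-GPInheritance -Target $RdsOU).GpoLinks) {
    $v = Get-GPRegistryValue -Guid $link.GpoId `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
            -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    if ($v) { "$($link.DisplayName) ($($modes[[int]$v.Value]))" }
}
if ($loopback) { "Loopback enabled on $RdsOU by: $($loopback -join ', ')" }
else           { Write-Warning "No GPO linked to $RdsOU enables loopback processing" }
```

Run it before and after changing security filtering on any GPO; a GPO that lands in the first finding is the classic "linked but not applying" case from mistake 4.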

Backup + restore GPOs

Powershell
# Backup all GPOs into a dated folder (the folder must exist before Backup-GPO runs)
$Dest = "C:\GPOBackups\$(Get-Date -Format yyyy-MM-dd)"
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
Backup-GPO -All -Path $Dest
# Restore a specific GPO from a dated backup folder
Restore-GPO -Name "Accounting - Password Lockout" -Path C:\GPOBackups\2026-04-20

Schedule monthly via Task Scheduler.
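The monthly job in full, as an added example that is not part of the original article: a backup script that keeps a manifest and HTML report per GPO and prunes old backups, plus the one-off schtasks.exe registration (New-ScheduledTaskTrigger has no monthly option). The script path, retention period and the choice to run as SYSTEM on a DC are assumptions.

```powershell
# Added example (not from the article). Script path, retention and the run-as account
# are assumptions; adjust to your environment.

# --- C:\Scripts\Backup-AllGPOs.ps1 ---
Import-Module GroupPolicy
$Root = 'C:\GPOBackups'
$Dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $Dest -Force | Out-Null   # Backup-GPO needs an existing folder

# Backup-GPO returns one GpoBackup per GPO: GpoId is the GPO, Id is the backup id
$backups = Backup-GPO -All -Path $Dest -Comment "Scheduled backup $(Get-Date -Format s)"

# Manifest: lets you pick the right backup later with Restore-GPO -BackupId
$backups | Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $Dest 'manifest.csv') -NoTypeInformation

# Readable report per GPO, so a broken GPO can be diffed without restoring anything
foreach ($b in $backups) {
    $file = ($b.DisplayName -replace '[\\/:*?"<>|]', '_') + '.html'   # safe file name
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $Dest $file)
}

# Prune dated folders older than 6 months (assumed retention)
Get-ChildItem -Path $Root -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and
                   $_.CreationTime -lt (Get-Date).AddMonths(-6) } |
    Remove-Item -Recurse -Force

# --- Register the job once, from an elevated prompt on the DC ---
# 1st of every month at 02:00, running as SYSTEM (has read on AD GPOs and SYSVOL on a DC)
schtasks.exe /Create /TN 'GPO Monthly Backup' /SC MONTHLY /D 1 /ST 02:00 /RU SYSTEM /F `
    /TR 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-AllGPOs.ps1'
```

Restore with the manifest: Restore-GPO -BackupId <Id from manifest.csv> -Path C:\GPOBackups\<date> brings back exactly that backup even if several exist for the same GPO name.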

Tested on

Tested on Raff Windows VPS, $36 plan (4 vCPU / 8 GB), Windows Server 2022 build [VERIFY], promoted DC, 6 GPOs across 4 OUs, 25 client computers domain-joined, [DATE]. Tester: [Engineer name].

Published April 20, 2026 · Last updated April 20, 2026