System
Difficulty: Intermediate

GPOs on Windows Server: Centralized Management

Guide to configuring Group Policy Objects (GPOs) on Windows Server to manage workstation and user configurations.

What is a GPO?

A Group Policy Object (GPO) is a set of configuration settings that can be applied to users and/or computers in an Active Directory environment. It is Microsoft's primary tool for enforcing a standardized configuration and security rules across an IT fleet.

Why use GPOs?

  • Centralized management: Configure thousands of machines from a single console.
  • Security: Apply consistent security policies (password complexity, firewall rules, software restrictions, etc.).
  • Standardization: Make sure all workstations share the same baseline configuration (wallpaper, printers, shortcuts, etc.).
  • Automation: Deploy software, logon scripts, or network drive mappings automatically.

Prerequisites

  • A working Active Directory environment (at least one Domain Controller).
  • Domain Administrator rights or an appropriate delegation of permissions.
  • Client machines joined to the domain.

The basics of GPO management

Management is done through the "Group Policy Management Console" (GPMC), accessible from the Administrative Tools on a domain controller.

Structure and inheritance

GPOs can be linked at different levels of the Active Directory hierarchy:

  1. Domain: Applied to all users and computers in the domain.
  2. Organizational Unit (OU): Applied only to the objects contained in that OU and its sub-OUs. This is the most common and flexible method.
  3. Site: Based on network topology (less common).

By default, settings are applied hierarchically (Domain -> parent OU -> child OU). When the same setting is defined at several levels, the GPO linked at the lower level overrides the setting from the higher-level GPO.

Create and link a GPO

Step 1: Create the GPO object

  1. Open the "Group Policy Management" console.
  2. Expand your forest and your domain.
  3. Right-click on "Group Policy Objects" and select "New".
  4. Give your GPO a meaningful name, for example "Security-Workstations".

Step 2: Link the GPO to an OU

  1. Navigate to the OU where you want to apply the policy (e.g. an OU containing your desktop computers).
  2. Right-click on the OU and select "Link an Existing GPO...".
  3. Choose the GPO you just created from the list.

Step 3: Edit the GPO

  1. In the console, under the OU, right-click on your new GPO and select "Edit...".
  2. The "Group Policy Management Editor" opens. This is where you configure the settings.

Computer Configuration vs User Configuration

  • Computer Configuration: Applies to the computer, regardless of which user logs on. Settings are applied at machine startup. E.g. software installation, firewall rules.
  • User Configuration: Applies to the user, regardless of which computer they log on to. Settings are applied at logon. E.g. network drive mapping, wallpaper.

Example: Enforce a wallpaper

  1. In the GPO editor, go to: User Configuration -> Policies -> Administrative Templates -> Desktop -> Desktop.
  2. Double-click on the "Desktop Wallpaper" setting.
  3. Select "Enabled", specify the path to an image on a network share accessible by everyone (e.g. `\\server\share\wallpaper.jpg`), and choose a style (e.g. "Stretch").
  4. Click OK.
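
The three steps and the wallpaper example above can also be scripted with the GroupPolicy PowerShell module installed with GPMC. This is an added example, not part of the original tutorial; the OU path and domain components are hypothetical placeholders, and the share path is the one used in the text.

```powershell
#Requires -Modules GroupPolicy
# Added example. Placeholder values are assumptions: adjust them to your domain.
$GpoName   = 'Security-Workstations'               # name used in Step 1
$TargetOU  = 'OU=Staff,DC=corp,DC=example'         # hypothetical OU
$Wallpaper = '\\server\share\wallpaper.jpg'        # share readable by all users

# Step 1: create the GPO only if it does not exist yet, so re-runs are safe.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Baseline managed by script'
}

# Step 2: link it to the OU unless a link is already present.
# The wallpaper is a User Configuration setting, so the OU must contain
# the user accounts that should receive it.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Step 3: the "Desktop Wallpaper" template writes these two policy values.
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'Wallpaper' `
    -Type String -Value $Wallpaper | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'WallpaperStyle' `
    -Type String -Value '2' | Out-Null             # 2 = Stretch

# Show every GPO that reaches this OU, in precedence order (Order 1 wins).
(Get-GPInheritance -Target $TargetOU).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```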

Application and troubleshooting

Force a GPO update

By default, clients refresh GPOs every 90 to 120 minutes. To test immediately, you can force the update on a client machine with the command:

gpupdate /force

Check the applied GPOs

The gpresult tool is your best friend for troubleshooting.

# Generate a detailed HTML report of the GPOs applied to the current user and computer
gpresult /h C:\temp\gpo_report.html

Open this report in a browser to see exactly which GPOs were applied and which settings result from them.

Security filtering

By default, a GPO applies to all "Authenticated Users". You can refine this by using "Security Filtering" in the GPMC console to target only a specific security group (e.g. an "Accounting" or "Laptops" group).
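
Security filtering can be scripted with the same module. This is an added example, not part of the original tutorial; the GPO name comes from Step 1, the "Laptops" group from the text, and the list of expected editors is an assumption. It keeps Read access for "Authenticated Users": since the MS16-072 update, user settings are retrieved in the computer's security context, so a GPO the computer account cannot read is not applied.

```powershell
#Requires -Modules GroupPolicy
# Added example. Names below are assumptions taken from the tutorial text.
$GpoName = 'Security-Workstations'
$Group   = 'Laptops'                 # security group that should receive the GPO

# Grant Read + Apply to the target group.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Lower "Authenticated Users" from Apply to Read. Without -Replace the
# cmdlet leaves an existing higher permission level unchanged.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting ACL: who reads, who applies, who can edit.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                     @{ n = 'Type';    e = { $_.Trustee.SidType } },
                     Permission

# Flag edit rights held by anyone outside the expected administrators.
# The expected list is an assumption: align it with your delegation model.
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$acl | Where-Object {
    $_.Permission -like 'GpoEdit*' -and $_.Trustee.Name -notin $expected
} | ForEach-Object {
    Write-Warning "Unexpected editor on '$GpoName': $($_.Trustee.Name) ($($_.Permission))"
}
```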

Default domain GPOs

Be very careful when modifying the two GPOs created by default: "Default Domain Policy" and "Default Domain Controllers Policy". The "Default Domain Policy" should ideally only contain the password policy settings for the domain.

Conclusion

GPOs are the backbone of managing a Windows fleet in the enterprise. Mastering them is a fundamental skill for any system administrator. By structuring your Organizational Units correctly and creating modular, well-documented GPOs, you can manage a complex environment efficiently, consistently and securely.

Written by

Morgann Riu

Cybersecurity and Linux administration expert. I share my knowledge through free tutorials and training to help system administrators and developers secure their infrastructures.
