Group Policy

Website dedicated to Group Policy


Group policy for beginners:


GPMC – Group Policy Management Console.

Group Policy – User and computers

Group policy has two main configurations, User and Computers:

  • Computer configuration is applied to the computer regardless of which user is logged on.
  • User configuration is applied to the user regardless of which computer he is logged on to.

GPO – Group Policy Objects

Group Policy applies computer settings when Windows starts, and user settings after the user logs on to / logs off the computer.

There are 3 major operations in Group policy:

  1. Create a Group policy for users or computers.
  2. Edit the Group policy. This means we can enable or disable options / implement restrictions etc.
  3. Link the Group Policy to an OU / Domain.


Top ten reasons Group Policy fails to apply

1. DNS IP Address is Not Configured Correctly
2. Group Policy Object (GPO) is Not Linked
3. GPO Setting is For the Wrong Object Type
4. GPO Setting is Not Set For Correct Value (Enabled or Disabled)
5. User or Computer Object is Not in Correct Organizational Unit (OU)
6. GPO Setting Is Being Controlled by GPO with Higher Precedence
7. Security Filtering is Not Configured Correctly on GPO
8. Enforced (No override) is Set on GPO
9. Block Inheritance is Set on Active Directory Node
10. WMI filter is incorrect

See below links for more details.


How are the GPOs applied? What is the GPO order of precedence?

Group policy precedence is L S D OU.

  • Local Group Policy
  • Site
  • Domain
  • Organizational Unit (OU)
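
The sketch below is an added example, not part of the original page and not Microsoft code: a simplified Python model of how the L S D OU order combines with link order, Enforced and Block Inheritance (reasons 6, 8 and 9 in the list above). It goes beyond what the page states by modelling Enforced and Block Inheritance; all GPO names, settings and containers are constructed, and security filtering, WMI filters and loopback are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str                # GPO display name (constructed)
    settings: dict          # setting name -> configured value
    enforced: bool = False  # "Enforced (No override)" set on the link

@dataclass
class Container:
    name: str                        # Local, site, domain or OU
    links: list                      # link order 1 first
    block_inheritance: bool = False  # Block Inheritance set on this node

def resolve(chain):
    """chain is ordered L, S, D, OU (parent OU before child OU).
    Returns {setting: (value, name of the GPO that won)}."""
    # The lowest node with Block Inheritance cuts off non-enforced links above it.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        ordered = list(reversed(c.links))  # link order 1 is processed last, so it wins
        # Assumption in this model: the local GPO (index 0) is never blocked.
        normal += [l for l in ordered if not l.enforced and (i >= cut or i == 0)]
        # Enforced links from higher containers must be applied later (they win).
        enforced = [l for l in ordered if l.enforced] + enforced
    result = {}
    for link in normal + enforced:  # later writes override earlier ones
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

def sample_chain():
    """Constructed sample: a kiosk OU that blocks inheritance under an enforced baseline."""
    return [
        Container("Local", [Link("Local GPO", {"ScreenLockMinutes": 30})]),
        Container("Site-HQ", [Link("Site Proxy", {"Proxy": "proxy.example.test"})]),
        Container("example.test", [
            Link("Domain Baseline", {"ScreenLockMinutes": 10, "USBStorage": "Deny"}, enforced=True),
            Link("Domain Defaults", {"Wallpaper": "corp.png"}),
        ]),
        Container("OU=Kiosks", [
            Link("Kiosk GPO", {"ScreenLockMinutes": 60, "USBStorage": "Allow"}),
        ], block_inheritance=True),
    ]

if __name__ == "__main__":
    for setting, (value, gpo) in sorted(resolve(sample_chain()).items()):
        print(f"{setting} = {value}  (from {gpo})")
```

In the sample, the enforced domain baseline still wins inside the OU that blocks inheritance, while the non-enforced site and domain GPOs are dropped, which is the usual explanation when a setting "will not apply" or "will not go away" on one OU.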

Loopback Group Policy


Loopback processing of Group Policy is usually used on Terminal Servers. For example, you have users with folder redirection settings enabled, but you do not want folder redirection to work when those users log on to the Terminal Server. In this case we enable Loopback processing of Group Policy in the policy linked to the Terminal Server's computer account and do not enable the folder redirection settings there. Once a user logs on to the Terminal Server, his folder redirection policy will not be applied.


Group Policy related commands

gpupdate is a command to refresh Group Policy and force it to be applied.

1. Resultant Set of Policy (RSoP)

RSoP is used to identify the GPOs that are being applied to an object (computer or user).

Once RSoP is installed, you can launch it with Run -> RSop.msc or through the Microsoft Management Console (MMC).

2. GPResult

GPResult is a command which gives more detailed information than RSoP. It is available on operating systems from Vista with SP1 onwards.

To find the applied group policy on a machine:
1. Open command prompt (Run -> Cmd)
2. Type gpresult -r and press enter


Windows 2012 R2 server Group policy for Windows XP clients

If Windows XP clients do not seem to work with the Group Policy you have created on your Windows 2012 R2 domain controller, then you may want to install the Group Policy Client Side Extension on your Windows XP client machines.


Group Policy objects

GPOs contain policy settings. You can think of GPOs as policy documents that apply their settings to the computers and users within their control. If GPOs are policy documents, then the GPMC is like Windows Explorer. You use the GPMC to create, move, and delete GPOs just as you use Windows Explorer to create, move, and delete files.

Group policy links

GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s settings to the computers and users in that container.


We can apply a maximum of 999 Group policies to an object / OU in AD

More info: There is a limit of 999 Group Policy objects (GPOs) that you can apply to a user account or computer account. This does not mean that the total number of policy settings on the system is limited to 999. Rather, a single user or computer will not be able to process more than 999 GPOs. This limit exists for performance reasons.


Default Group policy refresh interval is 90 minutes.

If you change Group policy settings in the AD, clients will get it in the next 90 minutes.


Addressing Client Time zone change / time change issue with a bat file through Group Policy


AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide


