Group Policy Objects (GPOs): How They Work & Configuration Steps

Group Policy Objects (GPOs) let system admins control and implement cybersecurity measures from a single location. Learn about GPOs and how they work here.
David Harrington
6 min read
Last updated June 12, 2023

Group policy objects (GPOs) are extremely useful tools for system administrators. With a GPO, sysadmins can manage and configure applications, software operations, and user settings throughout an entire organization. Admins can use GPOs as an efficient, centralized way of helping a company’s entire IT stack and user base to operate more safely and efficiently.

Whether you’re familiar with GPOs or have yet to implement them, we’ll give you all the basics of what GPOs are and how they work. We’ll also offer some tips and advice on configuring and maintaining your GPO. Finally, we’ll take you through how GPOs relate to your cybersecurity posture and how to use them safely.

Get a Free Data Risk Assessment

What is a group policy object? 

A GPO is a predefined command, script, or task execution template controlling any number of Windows OS systems and policies. GPOs come standard with — and are managed through — Microsoft Active Directory. Through Active Directory, system administrators can apply GPOs to users, machines, or software throughout an entire organization.

System admins use GPO to adjust and customize settings for some of the following key areas: registry-based policies, security options, software installation and maintenance options, scripts options, and folder redirection options. In short, GPOs allow administrators to remotely manage entire fleets of systems and software solely from Active Directory.

Use cases and examples of GPOs

When implemented properly, GPSs can increase the security of individual users’ computers across an entire organization, defending against both insider threats and external hacks. GPOs help secure your company’s network and can do things like stopping users from accessing certain information or preventing tasks from being performed that might jeopardize critical systems or data.

In general, there are three different types of GPOs:

  1. Local GPOs: A collection of group policy settings that only apply to the local computer and to the users who log into that computer. Local GPOs are used when policy settings need to apply to a single Windows computer or user. Local GPOs exist by default on all Windows computers. 
  2. Non-local GPOs: These are used when policy settings have to apply to one or more Windows computers or users. Non-local GPOs apply to Windows computers or users once they’re linked to Active Directory objects, such as sites, domains or organizational units.
  3. Starter GPOs: Introduced in Windows Server 2008, starter GPOs are templates for Group Policy settings. These objects enable an administrator to create and have a pre-configured group of settings that represent a baseline for any future policy to be created.

After deciding what types of GPOs to implement across your network, you’ll want to understand the order that GPOs are processed.

How are GPOs processed? 

GPO processing order: Local > site > domain > organization unit

GPOs are processed in what’s known as an LSDOU order: local, site, domain, organization unit (OU). That means first, the policy on the local computer gets processed. This is followed by Active Directory policies from the site level to the domain. The next order of processing is into the organizational unit. GPOs that are nested within organizational units apply from the closest OU to the root, then continue outwards from there. If any conflicts arise, the last applied policy will take precedence and effect. 

Three steps to configure group policy objects 

Creating, editing, or deleting GPOs is all atypically done through the Group Policy Management Console (GPMC). The GPMC is usually available by default on domain controllers. But if it’s not, you can simply install it on your servers using the Install-WindowsFeature command line. Once you’ve accessed the GPMC interface, you’re ready to begin the setup and configuration of your GPOs.

Step 1: Link group policy to domain

gpo-1

Once you’re in the GPMC tool, you’ll be able to view the entire OU structure of your domain. To apply a group policy, you’re required to link that policy with an OU. Once you’ve linked the GPO, the policy will begin applying to users, devices, or clients in the linked OU and in any sub-OUs. To create a new GPO in GPMC, simply right-click the OU where you want the policy to be linked and take effect. Then select the “Create a GPO in this domain, and Link it Here” option.

Step 2: Configure your GPO in settings

gpo-2

Once you’ve selected the Create GPO option, you’ll have then created a GPO which you can then configure to your desired settings. You’ll also want to take note of the difference between the actual GPO and the GPO link. The link ensures that the GPO is applied to the correct users and/or devices across the OU. You can delete the link if you want to re-assign the GPO, but you want to make sure not to delete the GPO itself in the process of OU re-assignment. Moreover, a single GPO can be linked to multiple OUs. Making changes to a single GPO will also affect the links and all associated OUs.

Step 3: Set GPO appliance order

gpo-3

Finally, you’ll want to configure the order that you want your GPOs to apply in the OUs they’re linked to. You should avoid configuring conflicting settings in your GPOs from the beginning as a rule of thumb. GPOs set with a lower link order -- such as 1 -- will override GPOs with a higher link order when processing. Moreover, GPOs set at a lower level OU will override GPOs set at a higher level OU. So make sure you configure the most important GPOs at the lowest link order and OUs, proceeding sequentially.

Once you have your GPOs set up and configured, you’ll want to take the right steps to maintain them over time.

How to maintain group policy objects

You’ll want to apply a few core principles and best practices to maintain your GPOs over time and ensure they’re functioning properly. First, you’ll want to give each GPO a descriptive name so that any admin can quickly identify what each GPO does and why it exists. You should also add comments to each GPO, explaining how and why it was created along with the preferred settings.

You’ll also want to backup your GPOs in a fully recoverable format. Backing up GPOs can be done through GPMC and is a basic step that any organization should take to ensure their GPOs and associated settings can easily be re-implemented and re-applied in the event of a system breach or hack that affects your GPOs. Clearly labeling your GPOs so that any future admins can work with them, and backing up your GPOs, are the two key actions you need to take for GPO maintenance.

Are GPOs right for your security strategy?

Using GPOs can be a highly effective security strategy because it lets admins implement security measures across an entire organization quickly and conveniently from the Active directory. But there are several key factors to consider in terms of whether or not GPOs represent a good security strategy within your individual organization.

When do GPOs work best?

When you install and configure GPOs properly, there are a number of security benefits to your organization.

Here’s what to expect when GPOs work:

  • Strong password policies: Too many organizations operate with lax password policies or poor enforcement capabilities of the ones that exist. Users also tend to have existing passwords that are never set to expire, leaving them vulnerable to hacking. GPOs can be implemented for stronger organization-wide password measures, setting parameters for things like password length, required complexity, and regular expirations for password rotation.
  • Better folder protection: GPOs let companies ensure that users are storing important company files on a centralized, protected, and monitored storage system. For example, an organization can redirect a user’s Documents folder, which is usually stored on a local storage drive, to a more secure network location. Implementing GPOs, therefore, safeguards files on local computers or devices if configured properly.
  • Ease of security management: From a more strategic level, GPOs allow systems administrators, executives, and IT leaders to manage various cybersecurity efforts conveniently from a single location and interface in Active Directory. GPOs also make it quick and easy to implement new security measures without having to coordinate with various business units or other managers. By utilizing GPOs for security measures and policies, you’ll be able to adjust your cyber security posture on the fly.

Despite the benefits of employing GPOs, there are a few limitations that you’ll want to be aware of before putting them into place.

When aren't GPOs enough? 

Employing GPOs is far from a cybersecurity cure-all when it comes to network, systems, and data security. Primarily, GPOs themselves are not fully immune to cyberattacks. If a hacker wanted to change local GPOs on a specific computer to move laterally across the network, it could potentially be done. Such activity would also be hard to detect without advanced Group Monitoring software in place.

The GPO editor is also far from the most user-friendly console and interfaces you’ll come across. That makes it important for administrators to have a deep understanding of PowerShell to make sure that all the GPO updates take place. Failure to update GPOs properly and on a regular basis can result in cybersecurity vulnerabilities over time. There’s also no built-in search or filter option to locate specific settings within a single GPO. This creates difficulty finding or fixing issues with existing settings.

Closing thoughts

Implementing GPOs is a good step to monitoring and securing Active Directory, as well as applying cybersecurity measures across organization units. To get the most out of GPOs, you’ll want to make sure to be thorough in the setup and configuration process, setting the right hierarchies and associated business groups. While GPOs can’t do the job alone, they can provide an important layer of protection along with a strong internal policy, technology stack, and cybersecurity partner.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

group-policy-editor-guide:-access-options-and-how-to-use
Group Policy Editor Guide: Access Options and How to Use
Group Policy Editor (gpedit) is an important part of the Active Directory system administrator’s toolkit. Read this blog for more details about gpedit.
12-group-policy-best-practices:-settings-and-tips-for-admins
12 Group Policy Best Practices: Settings and Tips for Admins
Group Policy configures settings, behavior, and privileges for user and computers. In this article, you’ll learn best practices when working with Group Policy.
how-can-i-find-out-which-active-directory-groups-i’m-a-member-of?
How Can I Find Out Which Active Directory Groups I’m a Member Of?
The ability to administer and maintain up-to-date user lists and groups is critical to the security of an organization. There are a number of different ways to determine which groups...
working-with-windows-local-administrator-accounts,-part-i
Working With Windows Local Administrator Accounts, Part I
In writing about hackers and their techniques, the issue of Windows local Administrator accounts often comes up. Prior to Windows 7, the Administrator account was created by default with no...