⚡ Quick Answer
A Group Policy Object (GPO) is a collection of settings that controls the configuration of users and computers in an Active Directory environment. GPOs are created in the Group Policy Management Console (GPMC) and linked to Sites, Domains, or Organizational Units (OUs). They apply in a specific order — Local → Site → Domain → OU (LSDOU) — with later policies overwriting earlier ones by default. GPOs are the primary way Windows domain administrators enforce security settings, software deployment, and desktop configuration across hundreds or thousands of machines.

What Group Policy Does

Group Policy lets an administrator define a setting once and have it automatically apply to every machine or user in scope — without touching each machine individually. Common uses include enforcing password complexity, mapping network drives, restricting USB access, deploying software, configuring Windows Firewall, and setting the desktop wallpaper.

Group Policy settings are split into two categories: Computer Configuration (applies to the computer regardless of who logs in) and User Configuration (applies to the user account regardless of which computer they log into).

Computer Configuration
Applies at computer startup
Settings that apply to the machine itself — regardless of which user logs in. Processed when the computer boots and joins the domain. Examples: Windows Firewall rules, software installation, startup scripts, BitLocker enforcement, disabling USB ports.
User Configuration
Applies at user logon
Settings that follow the user account — wherever they log in on the domain. Processed when the user logs on. Examples: mapped drives, folder redirection, browser homepage, desktop wallpaper, logon scripts, restricting Control Panel access.
GPMC
gpmc.msc
The Group Policy Management Console — the primary tool for creating, editing, linking, and troubleshooting GPOs. Available on domain controllers and on machines with Remote Server Administration Tools (RSAT) installed.
Local Group Policy
gpedit.msc
Every Windows machine has a local Group Policy that applies even without a domain. Only available in Windows Pro and above (not Home). Settings here apply only to the local machine and are overridden by domain GPOs if the machine is joined to a domain.

GPO Processing Order — LSDOU

When a machine boots or a user logs on, Windows applies GPOs in a specific order. Each level can override the previous one — so the last policy applied wins (unless enforcement is used).

Local
1. Local GPO
Applied first. Settings defined in gpedit.msc on the local machine. Lowest priority — overridden by all domain policies. Still applied if the machine is not domain-joined.
↓ applied next, can override Local
Site
2. Site GPO
Applied second. Site GPOs are linked to Active Directory Sites (physical network locations). Rarely used — typically for location-specific settings like time zones or regional printers.
↓ applied next, can override Site
Domain
3. Domain GPO
Applied third. Linked to the entire domain — applies to all users and computers in the domain. The Default Domain Policy lives here and sets baseline password and account lockout policies.
↓ applied last, highest priority (without enforcement)
OU
4. OU GPO
Applied last — highest priority by default. Linked to an Organizational Unit (e.g., Sales OU, IT OU). Nested OUs inherit from parent OUs. The most specific OU wins. This is where most role-specific policies are applied.
🎯 LSDOU — The Most Tested GPO Fact

Local → Site → Domain → OU — memorise this order. The A+ and Security+ both test it directly. Remember: later = higher priority. An OU policy overrides a Domain policy on the same setting. If two GPOs at the same level conflict, the one with the lower link order number (higher priority in GPMC) wins.

The exam may also ask: which GPO wins when there's a conflict? The answer is always the one that applies last in the LSDOU order — unless a GPO link at a higher level is marked Enforced, in which case that enforced GPO wins over any conflicting GPO applied after it.

Inheritance, Blocking, and Enforcement

| Feature | What It Does | Who Can Set It |
|---|---|---|
| Inheritance | GPOs linked to a parent OU automatically apply to all child OUs below it. A policy linked to the domain flows down to all OUs unless blocked. | Default behaviour — no configuration needed |
| Block Inheritance | An OU administrator can block GPOs from flowing down from parent OUs. Useful when a department needs different settings from the rest of the domain. | OU admins (set on the OU) |
| Enforcement (No Override) | A domain admin can mark a GPO link as Enforced — it cannot be blocked by child OUs and takes priority over all conflicting policies below it. Overrides Block Inheritance. | Domain admins (set on the GPO link) |
| Security Filtering | By default, a GPO applies to "Authenticated Users" (everyone). Security filtering restricts the GPO to specific users, computers, or groups — only they receive the policy. | Admins with GPO edit rights |
| WMI Filtering | Applies a GPO only to computers matching a WMI query (e.g., only Windows 11 machines, only machines with more than 8 GB RAM). More granular than security filtering. | Domain admins |
| Loopback Processing | Normally, user settings follow the user. Loopback processing makes the computer's OU-linked GPOs apply to all users who log into that computer — useful for kiosks and shared computers. | Computer Configuration → Group Policy settings |
🎯 Enforcement vs Block Inheritance

Block Inheritance is set on an OU — it prevents GPOs from parent levels flowing in. Enforcement is set on a GPO link — it forces the GPO through even if an OU has Block Inheritance enabled. Enforcement always wins. A domain admin using Enforcement can guarantee a policy applies everywhere, regardless of OU-level blocking.
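The following script is an added example, not code from the original article: it builds the Block Inheritance vs Enforcement situation described above with the GroupPolicy module, applies link order and security filtering along the way, and then reads back the precedence list the OU actually receives. The domain name, OU, GPO names and the Sales-Users group are assumptions for illustration.

```powershell
# Added example (not from the article). Requires the GroupPolicy module (RSAT or a DC).
Import-Module GroupPolicy

$Domain   = 'corp.example.com'               # assumption
$DomainDN = 'DC=corp,DC=example,DC=com'      # assumption
$SalesOU  = "OU=Sales,$DomainDN"             # assumption

function Get-OrCreateGpo {
    # Return an existing GPO by name or create it, so the script can be re-run safely.
    param([Parameter(Mandatory)] [string] $Name)
    $g = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $g) { $g = New-GPO -Name $Name -Domain $Domain }
    return $g
}

# 1. Domain-level GPO: flows down to every OU by inheritance (the "D" in LSDOU).
$baseline = Get-OrCreateGpo 'Corp Security Baseline'
New-GPLink -Guid $baseline.Id -Target $DomainDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Role-specific GPO on the Sales OU. Link order 1 is the highest priority among
#    links on that OU: when two links at the same level conflict, the lower order wins.
$sales = Get-OrCreateGpo 'Sales Desktop Settings'
New-GPLink -Guid $sales.Id -Target $SalesOU -LinkEnabled Yes -Order 1 -ErrorAction SilentlyContinue | Out-Null

# 3. Security filtering: only members of Sales-Users get the Apply right. Keep Read
#    for Authenticated Users, because since Microsoft update MS16-072 the computer
#    account must still be able to read a GPO for its user settings to be processed.
Set-GPPermission -Guid $sales.Id -TargetName 'Sales-Users' -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Guid $sales.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Sales blocks inheritance: links from the domain (and any parent OU) stop flowing in...
Set-GPInheritance -Target $SalesOU -IsBlocked Yes | Out-Null

# 5. ...until the domain link is marked Enforced, which punches through the block and
#    also wins any setting conflict with the Sales GPO applied after it.
Set-GPLink -Guid $baseline.Id -Target $DomainDN -Enforced Yes | Out-Null

# 6. InheritedGpoLinks is the effective precedence list for the OU, highest priority
#    first. The enforced baseline appears in it even though the OU blocks inheritance.
$inh = Get-GPInheritance -Target $SalesOU
$rank = 0
foreach ($link in $inh.InheritedGpoLinks) {
    $rank++
    [pscustomobject]@{
        Precedence = $rank
        GPO        = $link.DisplayName
        LinkedAt   = $link.Target
        Enforced   = $link.Enforced
        OUBlocks   = $inh.GpoInheritanceBlocked
    }
} | Format-Table -AutoSize
```

Run step 6 again after removing `-Enforced Yes` (set it to `No`) and the baseline disappears from the Sales OU's inherited links: that difference is exactly the exam point that Enforcement beats Block Inheritance.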

Common Security Policies Configured via GPO

| Policy Area | Common Settings | GPO Path |
|---|---|---|
| Password Policy | Minimum length (8+ chars), complexity requirements, maximum age (90 days), history (remember last 24) | Computer Config → Policies → Windows Settings → Security Settings → Account Policies → Password Policy |
| Account Lockout | Lockout threshold (5 invalid attempts), lockout duration (30 min), observation window | Computer Config → … → Account Policies → Account Lockout Policy |
| Audit Policy | Log successful/failed logons, object access, privilege use — feeds into Event Viewer and SIEM | Computer Config → … → Local Policies → Audit Policy |
| User Rights Assignment | Who can log on locally, who can shut down the system, who can manage audit logs | Computer Config → … → Local Policies → User Rights Assignment |
| Windows Firewall | Enable/disable firewall profiles, create inbound/outbound rules, block specific ports | Computer Config → Policies → Windows Settings → Security Settings → Windows Firewall |
| Software Restriction / AppLocker | Whitelist or blacklist applications by path, hash, publisher, or zone | Computer Config → … → Application Control Policies → AppLocker |
| BitLocker | Require BitLocker on OS drives, set encryption method, configure TPM requirements | Computer Config → Administrative Templates → Windows Components → BitLocker |
| Drive Mapping | Map network drives (e.g., H: → \\fileserver\home\%username%) at logon | User Config → Preferences → Windows Settings → Drive Maps |
| Folder Redirection | Redirect Desktop, Documents, Downloads to a network share — keeps user data on server, not local disk | User Config → Policies → Windows Settings → Folder Redirection |
| Restrict Control Panel | Prevent standard users from accessing Control Panel or specific applets | User Config → Administrative Templates → Control Panel |
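The script below is an added example, not code from the original article. It reads the live domain password and account lockout policy (the settings from the first two rows of the table, which live in the Default Domain Policy) and reports drift from a baseline. The baseline numbers are the ones quoted in the table and are assumptions for any real environment; the function takes the policy as a parameter so it can also be run against a fine-grained password policy object with the same property names.

```powershell
# Added example (not from the article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Baseline values quoted in the table above (assumptions; adjust to your own policy).
$Baseline = @{
    MinPasswordLength      = 8
    ComplexityEnabled      = $true
    MaxPasswordAgeDays     = 90
    PasswordHistoryCount   = 24
    LockoutThreshold       = 5
    LockoutDurationMinutes = 30
}

function Test-PasswordBaseline {
    # $Policy: the object from Get-ADDefaultDomainPasswordPolicy (or any object exposing
    # MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount,
    # LockoutThreshold and LockoutDuration). Returns one row per check with a Pass flag.
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $maxAgeDays = $Policy.MaxPasswordAge.TotalDays
    $lockMins   = $Policy.LockoutDuration.TotalMinutes
    $rows = @(
        @{ Setting  = 'Minimum password length'
           Actual   = $Policy.MinPasswordLength
           Expected = ">= $($Baseline.MinPasswordLength)"
           Pass     = $Policy.MinPasswordLength -ge $Baseline.MinPasswordLength }
        @{ Setting  = 'Complexity enabled'
           Actual   = $Policy.ComplexityEnabled
           Expected = $Baseline.ComplexityEnabled
           Pass     = $Policy.ComplexityEnabled -eq $Baseline.ComplexityEnabled }
        @{ Setting  = 'Maximum password age (days)'
           Actual   = [int]$maxAgeDays
           Expected = "1..$($Baseline.MaxPasswordAgeDays)"
           # 0 or a negative value means "password never expires", which fails the check.
           Pass     = ($maxAgeDays -ge 1) -and ($maxAgeDays -le $Baseline.MaxPasswordAgeDays) }
        @{ Setting  = 'Password history'
           Actual   = $Policy.PasswordHistoryCount
           Expected = ">= $($Baseline.PasswordHistoryCount)"
           Pass     = $Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount }
        @{ Setting  = 'Lockout threshold (attempts)'
           Actual   = $Policy.LockoutThreshold
           Expected = "1..$($Baseline.LockoutThreshold)"
           # 0 means account lockout is disabled entirely, which fails the check.
           Pass     = ($Policy.LockoutThreshold -ge 1) -and ($Policy.LockoutThreshold -le $Baseline.LockoutThreshold) }
        @{ Setting  = 'Lockout duration (minutes)'
           Actual   = [int]$lockMins
           Expected = ">= $($Baseline.LockoutDurationMinutes)"
           # A GPO value of 0 means "locked until an administrator unlocks"; review such
           # a result by hand rather than treating it as a pass.
           Pass     = $lockMins -ge $Baseline.LockoutDurationMinutes }
    )
    foreach ($r in $rows) { [pscustomobject]$r }
}

# Usage: audit the domain-level policy set in the Default Domain Policy.
$live = Get-ADDefaultDomainPasswordPolicy
Test-PasswordBaseline -Policy $live -Baseline $Baseline |
    Format-Table Setting, Actual, Expected, Pass -AutoSize
```

Because password and lockout settings only take effect for domain accounts when set at the domain level, this single query reflects what every domain user is actually subject to, which makes it a quick check to run after someone has edited the Default Domain Policy.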

GPO Commands — gpupdate and gpresult

GPOs are normally applied at startup (Computer Configuration) and logon (User Configuration), then refreshed every 90 minutes (± 30 minutes random offset) in the background. To force an immediate refresh without rebooting or logging off:

Windows Command Prompt / PowerShell

gpupdate /force                ← refresh all GPOs immediately (Computer + User)
gpupdate /target:computer      ← refresh computer policies only
gpupdate /target:user          ← refresh user policies only

gpresult /r                    ← show which GPOs applied to current user and computer
gpresult /h report.html        ← generate full HTML report of applied GPOs
gpresult /scope computer /v    ← verbose computer policy results

RSoP — Resultant Set of Policy

When multiple GPOs apply to a user or computer, the final merged result is the Resultant Set of Policy (RSoP). This is what the machine actually enforces after all inheritance, filtering, and conflicts are resolved. You can view the RSoP using gpresult /r, the RSoP snap-in (rsop.msc), or the Group Policy Results wizard in GPMC. RSoP is the primary troubleshooting tool when a user says "the policy isn't applying."
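The script below is an added example, not code from the original article. It is the remote, scriptable form of the gpupdate /force and gpresult troubleshooting loop described above: it forces a refresh on a remote computer, collects that computer's RSoP as XML and lists which GPOs were applied or denied and why. The computer and user names are assumptions. The report element names used (GPO, Name, Enabled, FilterAllowed, AccessDenied, Link/SOMPath, Link/NoOverride) are taken from the gpresult XML layout as I know it and should be verified against a report from your own domain before relying on the output.

```powershell
# Added example (not from the article). Requires the GroupPolicy module and
# permission to run remote Group Policy refresh and RSoP queries.
Import-Module GroupPolicy

$Computer = 'WS-IT-042'     # assumption
$User     = 'CORP\jdoe'     # assumption
$Report   = Join-Path $env:TEMP 'rsop.xml'

# Equivalent of running "gpupdate /force" on the target for both computer and user policy.
Invoke-GPUpdate -Computer $Computer -Target Both -Force -RandomDelayInMinutes 0

# Equivalent of "gpresult /x", collected centrally instead of on the user's machine.
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $Report | Out-Null

function Get-ChildText {
    # Namespace-agnostic child lookup so the script does not depend on the exact xmlns
    # declared in the report. $Path is a slash-separated element path, e.g. 'Link/SOMPath'.
    param([Parameter(Mandatory)] [System.Xml.XmlNode] $Node, [Parameter(Mandatory)] [string] $Path)
    $xpath = ($Path -split '/' | ForEach-Object { "*[local-name()='$_']" }) -join '/'
    $found = $Node.SelectSingleNode($xpath)
    if ($found) { $found.InnerText } else { $null }
}

function Get-RsopGpoStatus {
    # Return one row per GPO that Group Policy considered for the computer and user
    # scopes, with the reason it was applied or denied (element names are assumptions).
    param([Parameter(Mandatory)] [string] $Path)
    [xml] $doc = Get-Content -Path $Path -Raw
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $gpos = $doc.SelectNodes("//*[local-name()='$scope']/*[local-name()='GPO']")
        foreach ($n in $gpos) {
            $status = if ((Get-ChildText $n 'AccessDenied') -eq 'true') {
                          'Denied: security filtering (no Apply right)'
                      } elseif ((Get-ChildText $n 'FilterAllowed') -eq 'false') {
                          'Denied: WMI filter evaluated false'
                      } elseif ((Get-ChildText $n 'Enabled') -eq 'false') {
                          'Denied: GPO or link disabled'
                      } else {
                          'Applied'
                      }
            [pscustomobject]@{
                Scope    = $scope -replace 'Results$', ''
                GPO      = Get-ChildText $n 'Name'
                LinkedAt = Get-ChildText $n 'Link/SOMPath'
                Enforced = (Get-ChildText $n 'Link/NoOverride') -eq 'true'
                Status   = $status
            }
        }
    }
}

Get-RsopGpoStatus -Path $Report | Sort-Object Scope, Status | Format-Table -AutoSize
```

When a user reports "the policy isn't applying", the Status column answers the usual three questions in one pass: is the GPO linked somewhere in the user's or computer's scope at all (missing rows), did security filtering deny it, or did a WMI filter exclude the machine.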

Default Domain Policy vs Default Domain Controllers Policy

| GPO | Linked To | Purpose | Should You Edit It? |
|---|---|---|---|
| Default Domain Policy | Domain root | Sets baseline password policy, account lockout policy, and Kerberos settings for all domain users and computers. Best practice: only edit password/lockout/Kerberos settings here. | Only for password/lockout/Kerberos — create new GPOs for everything else |
| Default Domain Controllers Policy | Domain Controllers OU | Applies to all domain controller computers. Sets security settings specific to DCs — audit policies, user rights, security options. Applies only to DC machines. | Sparingly — create new GPOs for DC-specific settings |

Exam Scenarios

💬 "An administrator needs to enforce a password policy requiring a minimum of 12 characters and complexity for all users in the domain. Where should this GPO be configured?" → The Default Domain Policy, linked to the domain root — password policies must be configured at the domain level to apply to all domain user accounts. Password policy settings in OUs below the domain level do not affect domain account passwords (they only affect local accounts). The setting path is Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
💬 "A GPO is linked to the domain and configured to set the desktop wallpaper. An administrator in the Sales OU applies Block Inheritance to prevent domain policies from flowing in. A domain admin then sets the wallpaper GPO as Enforced. What wallpaper do Sales users see?" → The enforced domain GPO wallpaper — Enforcement overrides Block Inheritance. Once a GPO link is marked as Enforced, it cannot be blocked by any child OU. Domain admins use Enforcement to guarantee critical policies (like security baselines) apply everywhere regardless of OU-level blocking.
💬 "A technician applies a new GPO to the IT OU but users in the OU are not receiving the settings after logging off and back on. What command should the technician run to force the policy to apply immediately and confirm it is being received?" → gpupdate /force — this triggers an immediate refresh of all GPOs without waiting for the background refresh interval. Follow up with gpresult /r to see which GPOs are listed as applied and confirm the new GPO appears in the output. If it doesn't, check the GPO link, security filtering, and whether the OU is correct.
💬 "A company needs to prevent users in the Finance OU from accessing Control Panel while users in other OUs retain access. What is the correct approach?" → Create a new GPO that restricts Control Panel access (User Config → Administrative Templates → Control Panel → Prohibit access to Control Panel and PC Settings → Enabled), and link it only to the Finance OU. Do not link it at the domain level. Security filtering can further restrict it to specific groups within the OU if needed.
💬 "An administrator wants a GPO to apply only to Windows 11 computers, not Windows 10 computers, even though both are in the same OU. What should they configure?" → WMI filtering — create a WMI filter that queries for Windows 11 (Win32_OperatingSystem where Version >= "10.0.22000") and attach it to the GPO. The GPO will only apply on machines where the WMI query returns true. Security filtering alone cannot target by OS version — WMI filtering is the correct tool.
💬 "A user reports that they cannot access a mapped network drive (H:) on a new computer in a different office. The drive maps are configured via GPO. What should the technician check first?" → GPO scope and OU placement — confirm the new computer's user account is in an OU where the drive mapping GPO is linked, or that the user is in a security group included in the GPO's security filtering. Also verify with gpresult /r that the drive mapping GPO appears in the applied policy list for that user. If the computer is in a different site, check whether site-based GPOs are interfering.
