100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Windows

Common GPO Settings

A tour of the most frequently configured Group Policy settings for security baselines, password policy, software restriction, and administrative templates.

Group PolicyIntermediate10 min readJul 10, 2026
Analogies

Security Settings and Password Policy

Under Computer Configuration > Policies > Windows Settings > Security Settings, administrators configure the domain's Account Policies (Password Policy, Account Lockout Policy, Kerberos Policy) and Local Policies (Audit Policy, User Rights Assignment, Security Options). A critical rule is that Password Policy and Account Lockout Policy only take effect domain-wide when set in a GPO linked at the domain root; setting them in an OU-linked GPO only affects local accounts on the computers in that OU, not domain user accounts, because the domain controllers themselves determine domain account password rules from the domain-linked GPO. Fine-Grained Password Policies, applied via Password Settings Objects (PSOs) rather than GPOs, are the supported way to give specific groups (like Domain Admins) a stricter password policy than the rest of the domain.

🏏

Cricket analogy: Domain-wide password policy is like an ICC regulation on bat dimensions that applies to every national team, while a local OU-linked equivalent is like one club changing its own practice-net rules — it doesn't touch how international matches are officiated.

Administrative Templates and ADMX Files

Administrative Templates are registry-based policy settings displayed under Policies > Administrative Templates in the Group Policy Management Editor, sourced from ADMX (language-neutral) and ADML (language-specific) files rather than the older ADM format. These cover thousands of settings across Windows components, Control Panel, Network, and installed applications like Microsoft Edge or Office, letting administrators enable, disable, or leave a setting Not Configured. Best practice is to set up a Central Store — a shared SYSVOL folder at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions — so every admin's GPMC pulls ADMX templates from one authoritative, version-controlled location instead of each admin's local %SystemRoot%\PolicyDefinitions copy, which can drift out of sync across different admin workstations.

🏏

Cricket analogy: Administrative Templates are like the standardized rulebook categories (fielding restrictions, powerplay overs, DRS reviews) that every umpire references, and the Central Store is like the ICC's single official rulebook edition every match official must consult instead of their own personal copy.

Software Restriction and AppLocker

For controlling which executables, scripts, and installers users can run, administrators use either legacy Software Restriction Policies (SRP) or the more modern AppLocker, both configured through GPO under Windows Settings > Security Settings. AppLocker supports rule types for executables, Windows Installer packages, scripts, DLLs, and packaged apps, with each rule type defaulting to an Allow rule for administrators and a Deny for everyone else once any rule is created in that collection, so enabling AppLocker for a rule type without a broad default Allow rule can accidentally block legitimate Windows components. Rules can be based on file path, file hash, or publisher certificate, with publisher-based rules being the most maintainable since they survive application updates without needing new hashes.

🏏

Cricket analogy: AppLocker's publisher-based rules are like a stadium admitting any player wearing an officially certified team jersey regardless of which specific jersey batch was printed, more durable than checking each individual jersey's serial number (a hash-based rule).

powershell
# Set domain-wide password policy in a GPO linked at the domain root
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -ValueName "RefusePasswordChange" -Type DWord -Value 0

# Query effective minimum password length for verification
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold, ComplexityEnabled

# Create a Fine-Grained Password Policy for Domain Admins
New-ADFineGrainedPasswordPolicy -Name "DA-Strict-Policy" -Precedence 10 `
  -MinPasswordLength 16 -ComplexityEnabled $true -MaxPasswordAge "30.00:00:00"
Add-ADFineGrainedPasswordPolicySubject -Identity "DA-Strict-Policy" -Subjects "Domain Admins"

Fine-Grained Password Policies (FGPP), introduced in Windows Server 2008, are applied via Password Settings Objects and Active Directory's msDS-PasswordSettingsPrecedence attribute rather than through GPO linking, which is why they can give a security group like Domain Admins a stricter password policy without needing a separate OU structure.

Enabling AppLocker's executable rule collection with only a narrow set of custom rules — and no default 'Allow Everyone to run files in Program Files and Windows' rule — will block core Windows processes from running, potentially making the machine unusable at next logon. Always start with the built-in default rules before layering custom restrictions.

  • Domain-wide Password Policy and Account Lockout Policy must be set in a GPO linked at the domain root to affect domain accounts.
  • Fine-Grained Password Policies use Password Settings Objects, not GPOs, to give specific groups stricter password rules.
  • Administrative Templates are sourced from ADMX/ADML files; a Central Store keeps them consistent across all admin workstations.
  • AppLocker rule types (executable, installer, script, DLL, packaged app) each need default Allow rules to avoid breaking core Windows components.
  • Publisher-based AppLocker rules are more maintainable than hash-based rules because they survive application updates.
  • Get-ADDefaultDomainPasswordPolicy and New-ADFineGrainedPasswordPolicy are key cmdlets for verifying and creating password policy.

Practice what you learned

Was this page helpful?

Topics covered

#Windows#WindowsServerActiveDirectoryStudyNotes#MicrosoftTechnologies#CommonGPOSettings#Common#GPO#Settings#Security#StudyNotes#SkillVeris