GPO
GPO (Group Policy Object) is a Windows configuration object used to centrally manage operating system, application, and user settings in Active Directory environments. GPOs enforce security policies, install software, and configure system parameters across thousands of devices.
What is GPO (Group Policy Object)?
GPO (Group Policy Object) is a Windows configuration object used to centrally manage operating system, application, and user settings in Active Directory environments. GPOs allow administrators to enforce security policies, install software, map drives, configure registry settings, and control thousands of endpoints from a single console.
GPO meaning in 30 seconds
- What it does: defines configuration and security settings for Windows devices and users
- Where it runs: Active Directory (Domain GPOs) or locally (LGPO)
- Who manages: Domain Admins, via Group Policy Management Console (GPMC)
- When it applies: at boot (computer policies) and logon (user policies), then refreshed every 90 min plus a random offset of up to 30 min
- Primary risk: compromised GPO can deploy malware domain-wide
GPO types and scope
| Type | Scope | Example |
|---|---|---|
| Local GPO (LGPO) | Single machine | Standalone workstation, servers outside AD |
| Domain GPO (DGPO) | AD domain | Enforce password policy on all users |
| Starter GPO | Template for new GPOs | Security baselines |
| Preferences | Soft configuration | Map drives, set environment variables |
GPO precedence — LSDOU order
GPOs apply in the following order (last-writer wins):
- Local GPO
- Site-linked GPO
- Domain-linked GPO
- OU-linked GPO (nested OUs apply from top to bottom)
Modifiers: the Enforced flag on a link overrides Block Inheritance set on child OUs; Block Inheritance on an OU stops non-enforced parent GPOs from applying; Security Filtering limits a GPO to specific users/groups.
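The precedence rules above are easier to see on a concrete hierarchy. The resolver below is an added example, not code from the original page: it simulates LSDOU ordering with link order, Enforced, Block Inheritance and Security Filtering, and merges the settings so the last writer wins. Every GPO, setting and group name in `sample_scenario()` is constructed.

```python
"""LSDOU precedence resolver.

Added example, not code from the original page: simulates how Group Policy
orders Local, Site, Domain and OU links and applies the Enforced, Block
Inheritance and Security Filtering modifiers. Every GPO, setting and group
name in sample_scenario() is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                                   # policy name -> value
    security_filter: set = field(default_factory=lambda: {"Authenticated Users"})


@dataclass
class Link:
    gpo: GPO
    link_order: int                                  # 1 = highest precedence in this container
    enforced: bool = False


@dataclass
class Container:                                     # a site, the domain, or one OU
    name: str
    links: list
    block_inheritance: bool = False


def resolve(local: GPO, chain: list, principal_groups: set) -> list:
    """Return GPOs in application order (last writer wins).

    chain lists the AD containers in LSDOU processing order:
    [site, domain, top-level OU, ..., the OU holding the object].
    """
    # Block Inheritance on an OU drops every non-enforced link from the
    # containers above it; only the deepest blocking OU matters.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Within one container, the link with link order 1 is applied last, so it wins.
        for link in sorted(container.links, key=lambda l: -l.link_order):
            if not (link.gpo.security_filter & principal_groups):
                continue                             # Security Filtering: not for this principal
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= block_at:
                normal.append(link.gpo)

    # Enforced links always apply after everything else, and among them the
    # link on the highest container wins, so deeper enforced links go first.
    enforced.sort(key=lambda item: -item[0])         # stable: keeps within-container order
    return [local] + normal + [gpo for _, gpo in enforced]


def effective_settings(order: list) -> dict:
    """Merge settings in application order; a later GPO overwrites an earlier one."""
    result = {}
    for gpo in order:
        result.update(gpo.settings)
    return result


def sample_scenario():
    """Constructed domain: domain -> OU Workstations (Block Inheritance) -> OU Finance."""
    local = GPO("Local GPO", {"ScreenLockMinutes": 5})
    domain = Container("corp.example", [
        Link(GPO("Default Domain Policy", {"MinPasswordLength": 8, "ScreenLockMinutes": 10}), 2),
        Link(GPO("Baseline-Enforced", {"SMBv1": "disabled", "AuditLevel": "baseline"}), 1, enforced=True),
    ])
    workstations = Container("OU=Workstations", [
        Link(GPO("Workstation-Hardening", {"NTLM": "deny", "ScreenLockMinutes": 15}), 1),
    ], block_inheritance=True)
    finance = Container("OU=Finance,OU=Workstations", [
        Link(GPO("Finance-Legacy", {"ScreenLockMinutes": 60}), 2),
        Link(GPO("Finance-Lock", {"ScreenLockMinutes": 20}), 1),
        Link(GPO("Finance-Audit", {"AuditLevel": "finance"}), 3, enforced=True),
        Link(GPO("Finance-AdminOnly", {"RenameAdministrator": "on"}, {"Finance-Admins"}), 4),
    ])
    return local, [domain, workstations, finance]   # site omitted for brevity


if __name__ == "__main__":
    local, chain = sample_scenario()
    order = resolve(local, chain, {"Authenticated Users", "Domain Users"})
    print("Application order:", " -> ".join(g.name for g in order))
    for key, value in sorted(effective_settings(order).items()):
        print(f"  {key} = {value}")
```

Two results of the sample are worth checking by hand: the Default Domain Policy never reaches Finance because Workstations blocks inheritance, yet the enforced Baseline-Enforced GPO does, and it also beats the enforced Finance-Audit GPO because an enforced link on a higher container wins over an enforced link on a lower one.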
Common security attacks on GPOs
SYSVOL cpassword attack
Legacy Group Policy Preferences stored encrypted passwords in SYSVOL (groups.xml, scheduledtasks.xml, services.xml). The encryption key is published by Microsoft — Get-GPPPassword recovers the cleartext. Defense: audit SYSVOL for cpassword references, remove the legacy preferences that store passwords, and apply the MS14-025 patch.
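The "audit SYSVOL for cpassword references" step can be scripted. The scanner below is an added example, not code from the original page: it walks a mounted SYSVOL share (or an offline copy), parses the Group Policy Preferences XML files and lists every element that still carries a `cpassword` attribute together with the GPO GUID and the affected account, without decrypting anything. The SYSVOL tree written by `build_sample_sysvol()` is constructed, and its `cpassword` values are placeholders rather than real ciphertext.

```python
"""SYSVOL cpassword audit.

Added example, not code from the original page. Walks a mounted SYSVOL share
(or an offline copy) and reports every Group Policy Preferences element that
still carries a cpassword attribute. Nothing is decrypted; the output is a
remediation list. The files written by build_sample_sysvol() are constructed,
and their cpassword values are placeholders, not real ciphertext.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that carried cpassword when a password was set in the GUI.
GPP_FILES = {"groups.xml", "scheduledtasks.xml", "services.xml",
             "datasources.xml", "drives.xml", "printers.xml"}


def find_cpasswords(root_dir):
    """Return (findings, parse_errors) for every cpassword attribute under root_dir."""
    findings, errors = [], []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if fn.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fn)
            try:
                tree = ET.parse(path)
            except ET.ParseError as exc:
                errors.append((path, str(exc)))
                continue
            # The GPO GUID is the first {...} component of the path under Policies.
            gpo_guid = next((p for p in path.split(os.sep) if p.startswith("{")), "(unknown)")
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                account = (elem.get("userName") or elem.get("runAs")
                           or elem.get("accountName") or "(unknown)")
                findings.append({
                    "gpo": gpo_guid,
                    "path": path,
                    "element": elem.tag,
                    "account": account,
                    # An empty cpassword stores no password, but the item is
                    # still a legacy preference worth removing.
                    "empty": elem.get("cpassword") == "",
                })
    return findings, errors


# Constructed sample files (simplified; clsid attributes omitted).
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2" changed="2013-05-02 10:11:12">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-PLACEHOLDER-NOT-REAL-CIPHERTEXT-1"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""
SCHEDULEDTASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Nightly-Backup" changed="2013-06-01 02:00:00">
    <Properties action="C" name="Nightly-Backup" appName="backup.exe"
                runAs="CORP\svc-backup" cpassword="CONSTRUCTED-PLACEHOLDER-NOT-REAL-CIPHERTEXT-2"/>
  </Task>
</ScheduledTasks>
"""
DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" changed="2020-01-15 09:00:00">
    <Properties action="U" path="\\files\home" label="Home" letter="H" useLetter="1"/>
  </Drive>
</Drives>
"""
SAMPLE_GUID = "{11111111-2222-3333-4444-555555555555}"   # constructed GPO GUID


def build_sample_sysvol(base):
    """Write a constructed SYSVOL\\Policies tree under base and return base."""
    prefs = os.path.join(base, "Policies", SAMPLE_GUID, "Machine", "Preferences")
    for sub, fn, body in (("Groups", "Groups.xml", GROUPS_XML),
                          ("ScheduledTasks", "ScheduledTasks.xml", SCHEDULEDTASKS_XML),
                          ("Drives", "Drives.xml", DRIVES_XML)):
        os.makedirs(os.path.join(prefs, sub), exist_ok=True)
        with open(os.path.join(prefs, sub, fn), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def run_demo():
    """Scan the constructed tree and return (findings, errors)."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_cpasswords(build_sample_sysvol(tmp))


if __name__ == "__main__":
    findings, errors = run_demo()
    for f in findings:
        print(f"{f['gpo']} {f['element']} account={f['account']} empty={f['empty']} ({f['path']})")
    for path, err in errors:
        print(f"PARSE ERROR {path}: {err}")
```

Point the scanner at `\\<domain>\SYSVOL\<domain>\Policies` for a live check; Drives.xml is included in the demo to show that a preference file without `cpassword` produces no finding, while the two items that do carry one are reported with the GPO they belong to so they can be deleted and the affected accounts' passwords rotated.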
GPO modification attack
A compromised Domain Admin account can modify any GPO — pushing scheduled tasks, startup scripts, firewall rules, or software installation packages to the entire domain. Defense:
- Delegate GPO editing to specific groups (not Domain Admins)
- Monitor Event IDs 5136 (directory service changes) and 5137 (object creation)
- Use Privileged Access Workstations (PAW) for GPO administration
- Advanced Audit Policy: “Audit Other Account Management Events”
GPO linking abuse
An attacker with GPO creation rights links a malicious GPO to a high-value OU. Defense: restrict the GpoLink permission, and monitor Event ID 5136 for changes to the gPLink attribute.
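The monitoring advice for both attacks above (Event IDs 5136 and 5137, with attention to gPLink) reduces to a small classification rule. The detector below is an added example, not code from the original page: it runs over constructed event records that use the EventData field names of the real 5136/5137 events (`SubjectUserName`, `ObjectDN`, `ObjectClass`, `AttributeLDAPDisplayName`, `AttributeValue`, `OperationType`) and raises the severity when the actor is outside the delegated GPO-admin group or when a link on a high-value container changes. The domain name, the approved-admin set and the high-value OU list are assumptions for the demo; in practice the records would come from a SIEM export or Get-WinEvent.

```python
"""GPO change detection over Security log events 5136/5137.

Added example, not code from the original page. The records in SAMPLE_EVENTS
are constructed but use the EventData field names of the real 5136/5137
events. DOMAIN_ROOT, APPROVED_GPO_ADMINS and HIGH_VALUE_CONTAINERS are
assumptions for the demo.
"""

DOMAIN_ROOT = "DC=corp,DC=example"                            # assumed demo domain
HIGH_VALUE_CONTAINERS = ("OU=Domain Controllers," + DOMAIN_ROOT,
                         "OU=Tier0," + DOMAIN_ROOT)             # assumed
APPROVED_GPO_ADMINS = {"gpo-admin1", "gpo-admin2"}            # delegated GPO editors (assumed)

# Links and Block Inheritance live on the OU/domain object, not on the GPO.
LINK_ATTRS = {"gPLink", "gPOptions"}                          # gPOptions=1 means Block Inheritance
# Attributes of groupPolicyContainer that change when GPO content is edited.
GPO_ATTRS = {"gPCFileSysPath", "gPCMachineExtensionNames",
             "gPCUserExtensionNames", "versionNumber", "flags"}
OPERATION = {"%%14674": "value added", "%%14675": "value deleted"}
SEVERITY = ["medium", "high", "critical"]


def is_high_value(dn):
    """True for the domain root, a high-value container, or anything beneath one."""
    return dn == DOMAIN_ROOT or any(dn == c or dn.endswith("," + c) for c in HIGH_VALUE_CONTAINERS)


def classify(ev):
    """Return an alert dict for a GPO-relevant event, or None for everything else."""
    eid, dn = ev["EventID"], ev.get("ObjectDN", "")
    cls, attr = ev.get("ObjectClass"), ev.get("AttributeLDAPDisplayName")
    if eid == 5137 and cls == "groupPolicyContainer":
        reason = "new GPO object created"
    elif eid == 5136 and attr in LINK_ATTRS:
        reason = f"{attr} {OPERATION.get(ev.get('OperationType'), 'changed')} on {dn}"
    elif eid == 5136 and cls == "groupPolicyContainer" and attr in GPO_ATTRS:
        reason = f"GPO content changed ({attr})"
    else:
        return None
    actor = ev["SubjectUserName"]
    level = 0
    if actor not in APPROVED_GPO_ADMINS:
        level += 1                                            # change by a non-delegated account
    if attr in LINK_ATTRS and is_high_value(dn):
        level += 1                                            # link/inheritance change on Tier 0 scope
    return {"event_id": eid, "severity": SEVERITY[level], "actor": actor,
            "dn": dn, "reason": reason, "value": ev.get("AttributeValue")}


def detect(events):
    return [alert for alert in map(classify, events) if alert]


# Constructed records. The gPLink value format is [LDAP://<GPO DN>;<flags>], flags 2 = Enforced.
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System," + DOMAIN_ROOT
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "gpo-admin1", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber",
     "AttributeValue": "42", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "OU=Domain Controllers," + DOMAIN_ROOT,
     "ObjectClass": "organizationalUnit", "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": "[LDAP://" + GPO_DN + ";0]", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "gpo-admin2", "ObjectDN": "OU=Workstations," + DOMAIN_ROOT,
     "ObjectClass": "organizationalUnit", "AttributeLDAPDisplayName": "gPOptions",
     "AttributeValue": "1", "OperationType": "%%14674"},
    {"EventID": 5137, "SubjectUserName": "svc-deploy", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": "CN=jdoe,OU=Users," + DOMAIN_ROOT,
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Finance", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "gpo-admin1", "ObjectDN": DOMAIN_ROOT,
     "ObjectClass": "domainDNS", "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": "[LDAP://" + GPO_DN + ";2]", "OperationType": "%%14674"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper():8}] {alert['event_id']} {alert['actor']}: {alert['reason']}")
```

Both 5136 and 5137 require the "Audit Directory Service Changes" subcategory plus a SACL on the GPO and OU objects to be logged at all, so the first thing to verify when this rule never fires is that the Domain Controllers are actually producing these events.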
GPO-based Active Directory hardening
Key hardening settings to deploy via GPO:
- Authentication
  - Disable NTLM (restrict to legacy apps only)
  - Require Kerberos-only
  - Enable LSA Protection (RunAsPPL)
- Password policy (NIST SP 800-63B aligned)
  - Minimum length: 14 chars
  - No forced rotation (remove complexity requirement)
  - Enable banned password list
- Endpoint protection
  - AppLocker / WDAC for application whitelisting
  - Credential Guard enabled
  - LSASS as Protected Process Light
- Network security
  - Disable SMBv1
  - Enable SMB signing (required)
  - Windows Defender Firewall enforced via GPO
- Disk encryption
  - BitLocker with TPM
  - BitLocker recovery key in AD
Starting point: Microsoft Security Baselines or CIS Benchmarks via SCM/PolicyAnalyzer.
GPO vs MDM — modern alternative
GPO is effective but legacy — requires domain-joined devices and LAN connectivity for timely updates. Modern alternatives:
- Microsoft Intune / Endpoint Manager — cloud-based MDM, works anywhere, CSP-based (Configuration Service Provider)
- Hybrid Azure AD Join — enables both GPO (AD) and Intune (cloud) simultaneously
- Co-management — gradual migration from GPO to Intune
Trend 2024+: migrating away from GPO to Intune for Windows 11 deployments — especially for remote workers.
Frequently asked questions
What is GPO (Group Policy Object)?
GPO (Group Policy Object) is a Windows configuration container used in Active Directory to centrally manage OS, application, and user settings across the domain. Administrators define policies (e.g., password complexity, firewall rules, drive mappings, software installation) and link them to organizational units (OUs), sites, or the entire domain. GPOs apply automatically at boot/logon, enabling centralized control over thousands of devices.
What does GPO mean in simple terms?
GPO means Group Policy Object — think of it as a configuration template in Active Directory. Instead of manually setting security rules on each Windows PC, admins define them once in a GPO and link it to users or computers. Windows then applies those settings automatically. It's the primary way IT teams enforce security baselines and standardize configurations in enterprise environments.
What is the difference between LGPO and DGPO?
LGPO (Local Group Policy Object) applies to a single machine — every Windows device has one. Useful for standalone systems not joined to AD. DGPO (Domain Group Policy Object) is stored in Active Directory and pushed to multiple devices via domain membership. Precedence order: Local → Site → Domain → OU (last-writer wins), abbreviated LSDOU. Domain GPOs override local ones, allowing centralized override of end-user configurations.
How do attackers abuse GPOs?
Common GPO-based attacks: (1) SYSVOL abuse — legacy GPO password storage (cpassword) is AES-decryptable with a published key, enabling credential theft; (2) GPO modification — a compromised Domain Admin can push malicious scheduled tasks, startup scripts, or firewall rules to the entire domain; (3) GPO inheritance manipulation — linking malicious GPOs to OUs to trigger execution. Defenses: restrict GPO editing via delegated permissions, monitor Event IDs 5136/5137 for GPO changes, and use advanced audit policy.
How to harden Active Directory with GPOs?
Key GPO-based AD hardening: (1) enforce Kerberos-only authentication, disable NTLM where possible, (2) configure AppLocker / WDAC to allow only signed executables, (3) enable Credential Guard and LSASS protection, (4) set password policy: 14+ chars, no expiration (NIST SP 800-63B), (5) disable SMBv1, enable SMB signing, (6) configure Windows Firewall rules via GPO (no local firewall disable), (7) enable BitLocker with TPM, (8) apply CIS Benchmarks or Microsoft Security Baselines as starting point.