This chapter covers Group Policy, a core technology for centrally managing user and computer settings in Windows domains. For the CompTIA A+ 220-1102 exam, understanding Group Policy is essential for troubleshooting configuration issues and verifying settings. Approximately 5-10% of exam questions touch on Group Policy concepts, especially in the context of Windows configuration and security. You will learn how GPOs work, how they are applied, and how to identify common problems.
Imagine a large company with thousands of employees. The HR department issues a policy book that dictates everything: what software employees can install, what desktop wallpaper they must use, which network drives they can access, and even password complexity rules. This policy book is stored in a central repository (the HR server). When an employee logs into their computer, their machine automatically checks the central repository for the latest policy book and applies the rules. However, not all employees get the same policy book. The HR department can create different versions for different departments (Accounting, Engineering, Sales) and even for specific employees (managers, interns). The policy book is applied in a specific order: first, the company-wide rules; then, department-specific rules override them; finally, any employee-specific rules override those. If there is a conflict (e.g., Accounting says wallpaper must be blue, but Engineering says green), the most specific rule wins. This is exactly how Group Policy works: Active Directory stores Group Policy Objects (GPOs) that contain settings. When a computer starts or a user logs on, it downloads and applies the relevant GPOs in a specific order: Local, Site, Domain, Organizational Unit (OU), with later policies overriding earlier ones. The result is a consistent, centrally managed configuration across thousands of Windows machines.
What is Group Policy and Why Does It Exist?
Group Policy is a feature of Microsoft Active Directory that allows administrators to define and enforce settings for users and computers across an organization. Without Group Policy, an administrator would have to manually configure each computer—a nightmare for even a medium-sized business. Group Policy ensures consistency, security, and compliance by automatically applying settings such as password policies, software restrictions, desktop configurations, and network drive mappings.
How Group Policy Works Internally
Group Policy works through Group Policy Objects (GPOs). A GPO is a collection of settings stored in two locations: the Group Policy Container (GPC) in Active Directory, and the Group Policy Template (GPT) in the SYSVOL folder on domain controllers. The GPC contains metadata like version numbers and links, while the GPT contains the actual policy files (e.g., Registry.pol for registry-based policies).
When a computer starts or a user logs on, the following process occurs:
Discovery: The client computer contacts a domain controller (DC) to discover which GPOs apply. It does this by querying Active Directory for the gPLink and gPOptions attributes of the site, domain, and OU that the computer or user belongs to.
Download: The client downloads the GPT files from the SYSVOL share on the DC. The path is typically \\<domain>\SYSVOL\<domain>\Policies\<GPO-GUID>\.
Processing: The client processes the GPOs in a specific order: Local, Site, Domain, then OU (from parent to child). This is often remembered as LSDOU (Local, Site, Domain, Organizational Unit). For user policies applied during logon, the user's OU path is used.
Application: The client applies the settings, which may modify the registry, set security permissions, install software, run scripts, etc.
Refresh: Group Policy is also refreshed periodically in the background (every 90-120 minutes by default, with a random offset of 0-30 minutes). Security settings are refreshed every 16 hours, but can be forced with gpupdate /force.
Key Components, Values, and Defaults
Group Policy Object (GPO): A container of policy settings. Each GPO has a unique GUID.
Local Group Policy Object (LGPO): Exists on each Windows computer (even non-domain-joined). Stored in %SystemRoot%\System32\GroupPolicy. It is processed first.
Default Domain Policy: A GPO linked to the domain that contains default settings like password policy (e.g., minimum password length 7 characters, password history 24 passwords remembered).
Default Domain Controllers Policy: A GPO linked to the Domain Controllers OU that sets security settings for DCs.
Processing Order: LSDOU – Local, Site, Domain, OU. When GPOs conflict, the last applied GPO wins (except for settings that are enforced or blocked).
Enforced (No Override): A GPO can be set to Enforced, meaning it will always apply even if a child OU has a conflicting setting. Enforced GPOs are processed last.
Block Inheritance: An OU can be set to Block Inheritance, preventing GPOs from parent containers from applying. However, Enforced GPOs still apply.
Security Filtering: By default, GPOs apply to Authenticated Users. Administrators can filter by security groups (e.g., apply only to the Sales group) by modifying the Security Filtering settings.
WMI Filtering: GPOs can be filtered based on WMI queries (e.g., apply only if OS is Windows 10).
Loopback Processing: Used for special-purpose computers like kiosks or lab machines. When enabled, the user settings from the GPOs that apply to the computer either replace (Replace mode) or are merged with (Merge mode) the GPOs that would normally apply to the logged-on user.
Configuration and Verification Commands
Group Policy Management Console (GPMC): The primary tool for managing domain-based GPOs. Open it with gpmc.msc; on a server it is installed as a feature from Server Manager.
gpupdate: Forces a Group Policy refresh. gpupdate /force forces all policies to be reapplied. gpupdate /target:computer or /target:user targets specific policies.
gpresult: Displays the Resultant Set of Policy (RSoP) for a user or computer. Use gpresult /r for a summary, gpresult /h report.html for an HTML report.
rsop.msc: The Resultant Set of Policy snap-in, which shows the applied policies in a graphical interface.
Local Group Policy Editor (gpedit.msc): Used to edit Local Group Policy on a single computer.
How Group Policy Interacts with Related Technologies
Active Directory: GPOs are linked to AD containers (sites, domains, OUs). Without AD, only Local Group Policy is available.
SYSVOL: The GPT files are stored in SYSVOL, which is replicated among domain controllers using DFS-R (or FRS in older domains).
Security Groups: Used for security filtering. GPOs apply only to users/computers that are members of the specified security group and have Read permission on the GPO.
Group Policy Preferences: An extension of Group Policy that provides additional settings (e.g., drive maps, printers, scheduled tasks), but its settings are not enforced; users can change them. Preferences are applied only once unless configured otherwise.
Administrative Templates (.admx files): Define registry-based policy settings. They are stored in the Central Store (SYSVOL\<domain>\Policies\PolicyDefinitions) for centralized management.
Common Troubleshooting Steps
Verify connectivity: Ensure the client can reach the domain controller and SYSVOL share.
Check event logs: Look for Group Policy errors in Event Viewer under Applications and Services Logs > Microsoft > Windows > GroupPolicy.
Use gpresult: Determine which GPOs are applied and which are filtered out.
Check permissions: Ensure the computer and user accounts have Read access to the GPO.
Replication issues: Verify SYSVOL replication is healthy using dfsradmin or repadmin.
Corrupt GPO: A GPO may be corrupt; recreate it or restore from backup.
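The verification commands and troubleshooting steps above, walked through as a read-only script. This is an added example, not code from the chapter: it runs on a domain-joined Windows client from an elevated PowerShell prompt, relies only on built-in tools (nltest, gpresult, Get-WinEvent, Get-CimInstance) and on $env:USERDNSDOMAIN being set by the domain logon, and changes nothing. The WMI query is the one quoted later in the chapter; the repadmin step only runs where RSAT is installed.

```powershell
# Added example (not part of the original chapter): a read-only, client-side
# checklist that walks the troubleshooting steps above on a domain-joined
# Windows machine. Run from an elevated PowerShell prompt; nothing is changed.

$domain = $env:USERDNSDOMAIN
if (-not $domain) {
    Write-Warning 'No domain logon session: only Local Group Policy applies here.'
    return
}

# 1. Connectivity: locate a DC and confirm the SYSVOL Policies share is reachable.
nltest "/dsgetdc:$domain" | Select-String -Pattern 'DC:', 'Address:'
$sysvol = "\\$domain\SYSVOL\$domain\Policies"
if (Test-Path -Path $sysvol) { "SYSVOL reachable: $sysvol" }
else { Write-Warning "Cannot reach $sysvol - check DNS, the DC, and SMB (TCP 445)." }

# 2. Event logs: errors and warnings from the Group Policy operational log (last 24 h).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3                      # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 10 | Format-Table -AutoSize -Wrap

# 3. gpresult: applied GPOs and those filtered out, with the filtering reason.
gpresult /r /scope:computer 2>&1 |
    Select-String -Pattern 'Applied Group Policy Objects', 'filtered out', 'Filtering:' -Context 0, 4

# 4. Filtering: evaluate a WMI filter locally, the same query a GPO filter would run.
$wmiQuery = 'Select * from Win32_OperatingSystem where Version like "10.%"'
$hit = Get-CimInstance -Query $wmiQuery
"WMI filter matches this OS: $([bool]$hit)"   # $false means the GPO would be skipped

# 5. Permissions: the client must be able to read the GPO folder in SYSVOL.
Get-Acl -Path $sysvol | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like '*Authenticated Users*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 6. Replication: only meaningful where RSAT is installed and you have rights on the DCs.
if (Get-Command repadmin -ErrorAction SilentlyContinue) { repadmin /replsummary }
```

Read the output top to bottom: if step 1 fails, nothing after it is trustworthy; if the GPO you expect is listed under "filtered out" in step 3, steps 4 and 5 tell you whether a WMI filter or missing Read permission is the reason.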
Important Exam Numbers and Values
Default refresh interval: 90 minutes (plus random offset 0-30 minutes).
Security policy refresh interval: 16 hours.
gpupdate /force: Forces immediate refresh.
Processing order: LSDOU.
Local GPO stored in: %SystemRoot%\System32\GroupPolicy.
Default Domain Policy: Linked to the domain, contains default password and account lockout settings.
Enforced GPOs override Block Inheritance.
Security Filtering default: Authenticated Users.
Identify the GPOs to Apply
When a Windows computer starts or a user logs on, the Group Policy client service (GPSvc) contacts a domain controller to determine which GPOs apply. It reads the Active Directory attributes of the computer object and user object, including the `gPLink` attribute of the site, domain, and each OU in the hierarchy. The client then builds a list of GPOs ordered by their link order. For example, a computer in the Sales OU under the Company domain will get GPOs from the Company domain (Default Domain Policy) and the Sales OU. If the Sales OU has Block Inheritance enabled, only the Sales OU GPOs and any Enforced GPOs from parent containers will apply.
Download GPO Data from SYSVOL
The client downloads the Group Policy Template (GPT) files from the SYSVOL share on the domain controller. The GPT includes policy files such as Registry.pol (for registry settings), scripts (startup/shutdown, logon/logoff), and security template files. The client checks the version number stored in the Group Policy Container (GPC) in AD. If the version hasn't changed since the last application, the client may skip the download to save bandwidth. The download uses the SMB protocol. If the domain controller is unavailable, the client may fail to apply domain-based GPOs and fall back to local policy.
Process GPOs in Order (LSDOU)
The client processes GPOs in the following order: Local, Site, Domain, Organizational Unit (from parent to child). For user policies, the user's OU path is used. For computer policies, the computer's OU path is used. If multiple GPOs are linked to the same container, they are processed in the order specified in the Link Order (lowest number first). When a setting is configured in multiple GPOs, the last processed GPO wins, unless a GPO is set to Enforced (which is processed last regardless of link order). This allows fine-grained control: you can set baseline policies at the domain level and override them at the OU level.
Apply Security and WMI Filtering
After determining the list of GPOs, the client evaluates Security Filtering and WMI Filters. Security Filtering checks whether the user or computer is a member of the security group specified in the GPO's Security Filtering list. By default, the group 'Authenticated Users' is included, so all authenticated users and computers get the policy. If the GPO is filtered to a specific group (e.g., 'Sales Users'), only members of that group will have the policy applied. WMI Filters run a WMI query (e.g., 'Select * from Win32_OperatingSystem where Version like "10.%"') and apply the GPO only if the query returns true. If filtering excludes the client, the GPO is skipped.
Apply Settings and Refresh
The client applies the settings from the GPO. Registry-based policies are written to the appropriate registry keys (e.g., HKEY_LOCAL_MACHINE for computer policies, HKEY_CURRENT_USER for user policies). Security policies are applied via the Security Configuration Engine. Software installation policies trigger Windows Installer. Scripts (startup/shutdown, logon/logoff) are executed in the specified order. After initial application, Group Policy refreshes in the background every 90-120 minutes (random offset). Security settings refresh every 16 hours. Administrators can force a refresh with `gpupdate /force`. The client logs results in the Group Policy operational log.
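The precedence rules from the processing steps above (and from the earlier Key Components list: LSDOU order, link order, Enforced, Block Inheritance and security filtering) as an added example, not code from the chapter: a small PowerShell simulation that resolves a Resultant Set of Policy for a constructed hierarchy. Every GPO, setting and group name is made up. Two behaviours are assumed from how GPMC ranks links rather than stated on the page: within one container, Link Order 1 has the highest precedence and is therefore applied last; and when several containers carry Enforced links, the one highest in the hierarchy wins.

```powershell
# Added example (not part of the original chapter): a simulator of the LSDOU
# precedence rules. Every GPO, setting and group below is constructed for
# illustration; nothing is read from a real domain.

function Resolve-GpoPrecedence {
    param(
        # Containers in LSDOU order: Local, Site, Domain, then OUs parent-to-child
        [Parameter(Mandatory)] [object[]] $Containers,
        # Groups the user or computer belongs to; used for security filtering
        [string[]] $MemberOf = @('Authenticated Users')
    )
    $normal   = @()   # non-enforced links, in the order they will be applied
    $enforced = @()   # enforced links, collected container by container

    foreach ($c in $Containers) {
        # Block Inheritance drops non-enforced links inherited from parent AD
        # containers. The Local GPO is not a link, so it is always kept.
        if ($c.BlockInheritance) {
            $normal = @($normal | Where-Object { $_.Container -eq 'Local' })
        }
        # Within one container, Link Order 1 has the highest precedence in GPMC,
        # so it must be applied last: sort descending and append in that order.
        foreach ($l in ($c.Links | Sort-Object -Property Order -Descending)) {
            # Security filtering: the GPO applies only if the principal is in
            # one of the groups it is filtered to (default: Authenticated Users).
            $filter = if ($l.Gpo.AppliesTo) { $l.Gpo.AppliesTo } else { @('Authenticated Users') }
            if (-not ($filter | Where-Object { $MemberOf -contains $_ })) { continue }
            $entry = [pscustomobject]@{ Container = $c.Name; Gpo = $l.Gpo }
            if ($l.Enforced) { $enforced += $entry } else { $normal += $entry }
        }
    }
    # Enforced links are applied after everything else. If several containers
    # carry enforced links, the one highest in the hierarchy wins, so apply
    # them child-first and let the parent's link land last.
    [array]::Reverse($enforced)

    $result = @{}
    foreach ($e in ($normal + $enforced)) {
        foreach ($k in $e.Gpo.Settings.Keys) {
            $result[$k] = [pscustomobject]@{ Value = $e.Gpo.Settings[$k]; Source = $e.Gpo.Name }
        }
    }
    return $result
}

# --- Constructed hierarchy (all names and values are illustrative) ----------
$gpoLocal    = @{ Name = 'Local GPO';             Settings = @{ Wallpaper = 'Default'; ScreenSaverTimeout = 1200 } }
$gpoDefault  = @{ Name = 'Default Domain Policy'; Settings = @{ MinPasswordLength = 7; Wallpaper = 'Blue' } }
$gpoBaseline = @{ Name = 'Domain Baseline';       Settings = @{ ScreenSaverTimeout = 900 } }
$gpoSales    = @{ Name = 'Sales Desktop';         Settings = @{ Wallpaper = 'Green'; ScreenSaverTimeout = 600 } }
$gpoFinance  = @{ Name = 'Finance Hardening';     Settings = @{ MinPasswordLength = 12 }; AppliesTo = @('Finance Users') }

$hierarchy = @(
    @{ Name = 'Local';    Links = @([pscustomobject]@{ Gpo = $gpoLocal; Order = 1; Enforced = $false }) },
    @{ Name = 'Site';     Links = @() },
    @{ Name = 'Domain';   Links = @(
        # Enforced: survives Block Inheritance and beats the OU-level wallpaper
        [pscustomobject]@{ Gpo = $gpoDefault;  Order = 1; Enforced = $true },
        [pscustomobject]@{ Gpo = $gpoBaseline; Order = 2; Enforced = $false }) },
    @{ Name = 'OU=Sales'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Gpo = $gpoSales;   Order = 1; Enforced = $false },
        [pscustomobject]@{ Gpo = $gpoFinance; Order = 2; Enforced = $false }) }
)

# Resolve policy for a Sales user who is not a member of 'Finance Users'
$rsop = Resolve-GpoPrecedence -Containers $hierarchy -MemberOf @('Authenticated Users', 'Sales Users')
$rsop.GetEnumerator() | Sort-Object -Property Key | ForEach-Object {
    '{0,-20} = {1,-8} (from {2})' -f $_.Key, $_.Value.Value, $_.Value.Source
}
```

Tracing the run by hand shows the three exam rules at once: the wallpaper ends up Blue from the Enforced Default Domain Policy even though the Sales OU GPO says Green and is processed later; the screen saver timeout comes from Sales Desktop because Block Inheritance discarded the Domain Baseline link; and the minimum password length stays at 7 because Finance Hardening is security-filtered to a group the user is not in. Change `-MemberOf` to include 'Finance Users' and only the last of those results changes.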
In a typical enterprise with thousands of Windows 10/11 computers, Group Policy is used to enforce security baselines and standardize configurations. For example, a financial services company might use the following:
Password Policy Enforcement: The Default Domain Policy is configured to require a minimum password length of 8 characters, password history of 24, and a maximum password age of 90 days. This ensures all domain users follow the same password policy. When auditors check compliance, they can verify the policy via gpresult /r. A common issue is that an OU-level GPO might override the password policy, weakening security. To prevent this, the Default Domain Policy is set to Enforced.
Software Restriction and AppLocker: An OU for 'Kiosk Computers' has a GPO that enables AppLocker to allow only specific applications (e.g., the kiosk software and Windows components). This prevents users from running unauthorized software. The GPO is security-filtered to the 'Kiosk Computers' group. If a new kiosk is added but not placed in the correct OU, AppLocker won't apply, leaving the machine vulnerable. Administrators use gpresult /h to verify the applied policies.
Drive Mapping and Printer Deployment: Using Group Policy Preferences, the IT department maps network drives (e.g., H: for home directories) and deploys printers based on user location. The GPO is linked to the site or OU. However, preferences are not enforced, so users can disconnect drives. For mission-critical mappings, a Group Policy setting (not preference) should be used. A common misconfiguration is forgetting to set the 'Run in logged-on user's security context' option for drive maps, causing them to fail.
Performance considerations: Large numbers of GPOs (over 100) can slow down logon times. Administrators should minimize GPOs and use security filtering rather than creating many small GPOs. Also, SYSVOL replication must be healthy; if a domain controller fails to replicate, clients may get outdated policies. Tools like repadmin /replsummary help monitor replication health.
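The checks an administrator would run for the scenario above, as an added example that is not part of the chapter. It assumes a management workstation with the RSAT GroupPolicy and ActiveDirectory modules and uses only documented cmdlets (Get-ADDefaultDomainPasswordPolicy, Get-GPInheritance, Get-ADComputer, Get-GPPermission); the computer name 'KioskPC01', the OU 'OU=Kiosk Computers' and the GPO name 'Kiosk AppLocker' are placeholders to replace with your own.

```powershell
# Added example (not part of the original chapter): admin-side checks for the
# password-policy and kiosk scenarios above, run from a management workstation
# with the RSAT GroupPolicy and ActiveDirectory modules. 'KioskPC01',
# 'OU=Kiosk Computers' and 'Kiosk AppLocker' are placeholders.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Password policy: what clients actually receive, and whether the Default
#    Domain Policy link is Enforced so that an OU-level GPO cannot weaken it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold
$ddpLink = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
if (-not $ddpLink -or -not $ddpLink.Enforced) {
    Write-Warning 'Default Domain Policy link is missing or not Enforced; an OU-level GPO could override it.'
}

# 2. Kiosk AppLocker: the GPO only reaches a kiosk that sits in the right OU and
#    passes the GPO's security filtering (Apply Group Policy permission).
$kioskOu = "OU=Kiosk Computers,$domainDn"         # placeholder OU
$kiosk   = Get-ADComputer -Identity 'KioskPC01'   # placeholder computer
if ($kiosk.DistinguishedName -notlike "*,$kioskOu") {
    Write-Warning "$($kiosk.Name) is in $($kiosk.DistinguishedName), not $kioskOu - the kiosk GPO will not apply."
}
$inh = Get-GPInheritance -Target $kioskOu
$inh.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
"Block Inheritance on ${kioskOu}: $($inh.GpoInheritanceBlocked)"
# Who is allowed to apply the GPO (placeholder GPO name)
Get-GPPermission -Name 'Kiosk AppLocker' -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { "Apply Group Policy granted to: $($_.Trustee.Name)" }

# 3. Replication health: stale AD or SYSVOL replication means clients pull
#    outdated GPO versions. Requires rights on the domain controllers.
if (Get-Command repadmin -ErrorAction SilentlyContinue) { repadmin /replsummary }
```

If the kiosk's distinguished name does not end with the kiosk OU, fix the object's location before touching the GPO; if 'Kiosk Computers' is missing from the Apply Group Policy list, the GPO is filtered out even for machines in the right OU.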
The CompTIA A+ 220-1102 exam tests Group Policy under Objective 1.3 (Given a scenario, configure Microsoft Windows settings). While the exam doesn't require deep Active Directory administration, you must understand the following:
What the Exam Tests:
- The purpose of Group Policy: central management of user and computer settings.
- How to open Local Group Policy Editor (gpedit.msc).
- The difference between Local Group Policy and Domain-based Group Policy.
- How to force a Group Policy update with gpupdate.
- How to view applied policies with gpresult.
- The processing order: LSDOU.
- The concept of inheritance and enforcement.
Common Wrong Answers:
1. 'Group Policy is only available in domain environments.' This is false because Local Group Policy exists on every Windows computer. The exam may ask about configuring settings on a standalone PC, and the answer is gpedit.msc, not Active Directory.
2. 'gpupdate /force applies policies immediately without a reboot.' While it forces a refresh, some settings (like software installation) may require a reboot. The exam tests that gpupdate is used to refresh policy, not necessarily to apply all changes instantly.
3. 'The Default Domain Policy cannot be modified.' It can be modified, but Microsoft recommends creating new GPOs instead of editing the default ones to avoid issues.
4. 'Group Policy Preferences are enforced and cannot be changed by users.' Preferences are not enforced; users can modify them. The exam distinguishes between Group Policy settings (enforced) and Group Policy Preferences (optional).
Specific Numbers and Terms:
- LSDOU (Local, Site, Domain, OU)
- gpupdate /force
- gpresult /r
- gpedit.msc
- Default refresh interval: 90 minutes
- Security policy refresh: 16 hours
Edge Cases:
- Loopback processing: Used for computers where user policy should be based on the computer, not the user (e.g., kiosk). The exam may ask when to use merge vs. replace mode.
- Block Inheritance vs. Enforced: A GPO set to Enforced overrides Block Inheritance. This is a classic exam trick.
- Slow link detection: If a link is detected as slow (default < 500 Kbps), Group Policy may not apply certain settings like software installation. The exam might ask about slow link behavior.
How to Eliminate Wrong Answers:
- If the question involves a standalone computer, eliminate any answer mentioning Active Directory, domain, or GPMC.
- If the question asks about immediate application, look for gpupdate, not reboot.
- If the question involves conflicting policies, remember that the last applied policy wins unless enforced.
- If the question involves security settings, know that they refresh every 16 hours, not 90 minutes.
Group Policy enables central management of user and computer settings in a Windows domain.
Local Group Policy (gpedit.msc) is available on all Windows computers, even non-domain machines.
The processing order for GPOs is LSDOU: Local, Site, Domain, Organizational Unit.
Use gpupdate /force to force an immediate Group Policy refresh from the command line.
Use gpresult /r to display the Resultant Set of Policy (RSoP) for a user or computer.
The default background refresh interval for Group Policy is 90 minutes with a random offset of 0-30 minutes.
Security policy settings refresh every 16 hours by default.
Enforced GPOs override Block Inheritance on child OUs.
Group Policy Preferences are not enforced; users can change them.
The Default Domain Policy contains default password and account lockout policies.
These come up on the exam all the time. Here's how to tell them apart.
Local Group Policy (gpedit.msc)
Available on all Windows computers, even standalone.
Stored locally in %SystemRoot%\System32\GroupPolicy.
Only one set of computer and user policies per machine.
Cannot be centrally managed; must be configured per machine.
No inheritance or filtering; applies to all local users.
Domain-based Group Policy (GPMC)
Requires Active Directory domain environment.
Stored in AD (GPC) and SYSVOL (GPT) on domain controllers.
Multiple GPOs can be linked to sites, domains, and OUs.
Centrally managed via Group Policy Management Console (GPMC).
Supports inheritance, security filtering, WMI filtering, and enforcement.
Mistake
Group Policy only works on domain-joined computers.
Correct
Local Group Policy (gpedit.msc) works on all Windows computers, including standalone ones. Domain-based Group Policy requires Active Directory.
Mistake
gpupdate /force applies all policy changes immediately without any restart.
Correct
While gpupdate /force refreshes policy, some changes (e.g., software installation, folder redirection) may require a restart or logoff to take full effect.
Mistake
The Default Domain Policy is the only GPO that sets password policies.
Correct
Password policies can be set in any GPO linked to the domain, but only one GPO can define password policy per domain (the one that wins). Typically, the Default Domain Policy is used, but it can be overridden.
Mistake
Group Policy Preferences are enforced and cannot be changed by users.
Correct
Group Policy Preferences are not enforced; users can modify the settings after they are applied. Only Group Policy settings (under Administrative Templates) are enforced.
Mistake
Block Inheritance prevents all GPOs from parent containers from applying.
Correct
Block Inheritance does not prevent GPOs that are set to Enforced from applying. Enforced GPOs always apply, even if Block Inheritance is enabled on a child OU.
Run `gpupdate /force` from an elevated command prompt. This forces a refresh of all Group Policy settings. For a targeted refresh, use `/target:computer` or `/target:user`. Note that some settings may require a restart or logoff to take full effect.
Group Policy settings (under Administrative Templates) are enforced and cannot be changed by users. Group Policy Preferences are not enforced; users can modify them after application. Preferences are applied only once unless configured to reapply periodically.
Use `gpresult /r` from an elevated command prompt. This displays the Resultant Set of Policy (RSoP) for the computer and user. For a detailed HTML report, use `gpresult /h report.html`. Alternatively, run `rsop.msc` for a graphical view.
The order is LSDOU: Local, Site, Domain, Organizational Unit (from parent to child). For user policies, the user's OU path is used. The last applied GPO wins unless a GPO is set to Enforced, which is processed last.
Yes. Use Local Group Policy Editor (gpedit.msc) to configure settings on a standalone Windows computer. Domain-based Group Policy requires Active Directory and is not available on standalone machines.
Enforced (also called No Override) ensures that the GPO's settings are applied even if a child OU has Block Inheritance enabled. Enforced GPOs are processed last, so they override conflicting settings from other GPOs.
By default, Group Policy refreshes every 90 minutes with a random offset of 0-30 minutes. Security policy settings refresh every 16 hours. The refresh interval can be configured via Group Policy.