Group Policy is a feature built into Windows Server and Professional/Enterprise editions that lets administrators apply configuration rules to groups of computers and user accounts simultaneously. Rather than visiting each machine individually, you define policies once and deploy them across your entire network infrastructure.
Policies cover a vast range of settings including:
- Security restrictions (password requirements, account lockout rules, firewall settings)
- Software deployment and updates
- Device access controls (USB ports, camera, microphone)
- Application behaviour (default browser, allowed programs)
- User desktop and start menu customisations
- Network and printing configurations
Group Policy operates through a hierarchical structure called Organisational Units (OUs). You can create different policies for departments, office locations, or job roles. A user's effective policy combines settings from multiple levels: Local, Site, Domain, and OU policies apply in that order, with later settings overriding earlier ones.
The Group Policy Editor (gpedit.msc) lets you view and modify policies on individual machines, whilst Group Policy Management Console (GPMC) handles network-wide deployment. Policies refresh periodically, usually every 90 minutes, though you can force immediate updates.
Common gotchas include policy conflicts when multiple OUs apply to the same user, loopback processing confusion where computer and user policies intersect, and troubleshooting permission issues when policies fail to apply. Changes sometimes require restarts to take effect fully.
Understanding Group Policy becomes essential when you need consistent security baselines, software licensing compliance, or device management across an organisation. It's particularly valuable for preventing users from disabling antivirus tools or installing unauthorised software.