Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Group Policy Object

Training Camp • Cybersecurity Glossary

What is Group Policy Object?

A collection of Active Directory settings (a GPO) that centrally enforce security, configuration, and user-rights policies across Windows domain computers and users.

Glossary > Identity & Access Management > Group Policy Object

Group Policy Object — A collection of Active Directory settings (a GPO) that centrally enforce security

Understanding Group Policy Object

A Group Policy Object (GPO) is a collection of configuration settings in Microsoft Active Directory that defines the behavior of users and computers across a Windows domain. Administrators use GPOs to centrally enforce security policies, manage user rights, control system settings, deploy software, and standardize configurations on many machines at once.

GPOs are linked to Active Directory containers—sites, domains, or organizational units—and apply to the users and computers within them. Processing follows the LSDOU order (local, site, domain, OU), with later policies overriding earlier ones unless enforcement or block-inheritance is set. Settings cover the Computer Configuration and User Configuration nodes, including security options, registry-based administrative templates, scripts, and software installation. Clients refresh policy at startup or logon and roughly every 90 minutes, retrieving GPO files from the domain controllers' SYSVOL share.

Group Policy is a backbone of Windows security hardening. Through GPOs, organizations enforce password and account-lockout policies, restrict local administrator rights, configure firewall and BitLocker settings, control USB and application execution, and apply CIS or DISA STIG baselines consistently. Because GPOs are so powerful, they are also a prime attack target: an adversary who gains rights to edit a widely linked GPO can push malicious scripts or scheduled tasks to thousands of endpoints, so change control and least privilege over GPO editing are essential.

For example, an administrator creates a GPO that disables LM and NTLMv1 authentication, enforces a 14-character minimum password, blocks unsigned PowerShell scripts, and deploys the corporate antivirus agent. Linking it to the Workstations organizational unit applies the baseline to every desktop in that OU automatically. When a new PC joins the domain and lands in that OU, it inherits the full security configuration at its next policy refresh without any manual setup.

Learn More About Group Policy Object:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →