One of the strengths of Windows- based operating systems is their flexibility. End users and system administrators can configure many different options to suit the network environment and their personal tastes. However, this flexibility comes at a price— generally, end users on a network should not change many of these options. For example, TCP/IP configuration and security policies should remain consistent for all client computers. In fact, end users don’t need to be able to change these types of settings in the first place because many of them do not understand the purpose of these settings.
Windows Server 2022 Group Policies are designed to provide system administrators with the ability to customize end- user settings and to place restrictions on the types of actions that users can perform. Group Policies can be easily created by system administrators and then later applied to one or more users or computers within the environment. Although they ultimately do affect Registry settings, it is much easier to configure and apply settings through the use of Group Policy than it is to make changes to the Registry manually. To make management easy, Microsoft has set up Windows Server 2022 so that Group Policy settings are all managed from within the Microsoft Management Console (MMC) in the Group Policy Management Console (GPMC).
Group Policies have several potential uses. I’ll cover the use of Group Policies for software deployment, and I’ll also focus on the technical background of Group Policies and how they apply to general configuration management.
Let’s begin by looking at how Group Policies function.
Understanding Group Policy Settings
Group Policy settings are based on Group Policy administrative templates. These templates provide a list of user- friendly configuration options and specify the system settings to which they apply. For example, an option for a user or computer that reads Require A Specific Desktop Wallpaper Setting would map to a key in the Registry that maintains this value. When the option is set, the appropriate change is made in the Registry of the affected users and computers.
By default, Windows Server 2022 comes with several administrative template files that you can use to manage common settings. Additionally, system administrators and application developers can create their own administrative template files to set options for specific functionality.
Most Group Policy items have three different settings options (see Figure 8.1):
Enabled Specifies that a setting for this GPO has been configured. Some settings require values or options to be set.
Disabled Specifies that this option is disabled for client computers. Note that disabling an option is a setting. That is, it specifies that the system administrator wants to disallow certain functionality.
Not Configured Specifies that these settings have been neither enabled nor disabled. Not Configured is the default option for most settings. It simply states that this group policy will not specify an option and that other policy settings may take precedence.
FIGURE 8.1 Group Policy configuration settings

The specific options available (and their effects) will depend on the setting. Often, you will need additional information. For example, when setting the Account Lockout policy, you must specify how many bad login attempts may be made before the account is locked out. With this in mind, let’s look at the types of user and computer settings that can be managed.
Group Policy settings can apply to two types of Active Directory objects: User objects and Computer objects. Because both users and computers can be placed into groups and organized within OUs, this type of configuration simplifies the management of hundreds, or even thousands, of computers.
The main options you can configure within user and computer Group Policies are as follows:
Software Settings The Software Settings options apply to specific applications and software that might be installed on the computer. You can use these settings to make new applications available to end users and to control the default configuration for these applications.
Windows Settings The Windows Settings options allow you to customize the behavior of the Windows operating system. The specific options that are available here are divided into two types: user and computer. User- specific settings let you configure your Internet browser (including the default home page and other settings). Computer settings include security options, such as Account Policy and Event Log options.
Administrative Templates Administrative templates are used to configure user and computer settings further. In addition to the default options available, you can create your own administrative templates with custom options.
Group Policy Preferences The Windows Server 2022 operating system includes Group Policy preferences (GPPs), which give you more than 20 Group Policy extensions.
These extensions, in turn, give you a vast range of configurable settings within a Group Policy Object. Included in the Group Policy preference extensions are settings for folder options, mapped drives, printers, the Registry, local users and groups, scheduled tasks, services, and the Start Menu.
Besides providing easier management, Group Policy preferences give you the ability to deploy settings for client computers without restricting the users from changing the settings. This gives you the flexibility needed to decide which settings to enforce and which not to enforce.
Figure 8.2 shows some of the options you can configure with Group Policy.

ADMX Central Store Another consideration in GPO settings is whether to set up an ADMX Central Store. GPO administrative template files are saved as ADMX (with the file extension .admx) files and AMXL (with the file extension .amxl) for the supported languages. To get the most benefit out of using administrative templates, you should create an ADMX Central Store.
You create the Central Store in the SYSVOL folder on a domain controller. The Central Store is a repository for all your administrative templates, and the Group Policy tools check it. The Group Policy tools then use any ADMX files that they find in the Central Store. These files then replicate to all domain controllers in the domain.
If you want your clients to be able to edit domain- based GPOs by using the ADMX files that are stored in the ADMX Central Store, you must be using Windows 7 or above and Server 2008 or above.
Security Template Security templates are used to configure security settings through a GPO. Some of the security settings that can be configured are settings for account policies, local policies, event logs, restricted groups, system services, and the Registry.
Starter GPOs Starter Group Policy Objects give you the ability to store a collection of administrative template policy settings in a single object. You can then import and export starter GPOs to distribute the GPOs easily to other environments. When a GPO is created from a starter GPO, as with any template, the new GPO receives the settings and values that were defined from the administrative template policy in the starter GPO.