Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Audit Security Group Management
Audits security group creation, modification, and deletion.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Credential Validation
Audits NTLM credential validation. More granular than legacy audit policy.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Kerberos Authentication Service
Audits Kerberos TGT requests. Generates events 4768, 4771.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Kerberos Service Ticket Operations
Audits Kerberos service ticket requests. Detects Kerberoasting attacks. Generates event 4769.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Other Object Access Events
Audits scheduled task creation, COM+ object access, and other object events.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Process Creation
Audits new process creation including command line arguments. Generates event 4688.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Special Logon
Audits logons with admin-equivalent privileges. Generates event 4964.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Logon/Logoff
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Logon
Audits logon and logoff events. More granular than legacy logon auditing.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Logon/Logoff
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Include Command Line in Process Creation Events
Includes full command line arguments in event 4688. Critical for detecting malicious command execution.
Computer Configuration > Administrative Templates > System > Audit Process Creation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit User Account Management
Audits user account changes including password resets and account enables/disables.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Removable Storage
Audits access to removable storage devices such as USB drives. Generates event 4663.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
