Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Deny Log On Through Remote Desktop Services
Explicitly prevents specified accounts from connecting via RDP.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Manage Auditing and Security Log
Allows managing audit policy and viewing the security event log.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Allow Log On Locally
Controls which accounts can log on interactively at the console.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Act as Part of the Operating System
Extremely powerful right that allows a process to impersonate any user. Should be empty.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Shut Down the System
Controls which accounts can shut down the system.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts
Prevents anonymous users from enumerating SAM account names.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Debug Programs
Allows attaching a debugger to any process. Can be used to dump LSASS credentials.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares
Prevents anonymous enumeration of both SAM accounts and network shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →User Account Control: Run All Administrators in Admin Approval Mode
Core UAC setting. Disabling this effectively turns off UAC for all admin accounts.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Deny Access to This Computer from the Network
Prevents specified accounts from connecting to this computer over the network.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Generate Security Audits
Allows a process to generate audit entries in the security log.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Interactive Logon: Message Text for Users Attempting to Log On
Displays a legal notice before logon. Recommended for compliance.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Interactive Logon: Do Not Display Last User Name
Prevents the last logged-on username from being displayed at the logon screen.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Accounts: Rename Administrator Account
Rename the built-in Administrator account to reduce targeted attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →User Account Control: Behavior of the Elevation Prompt for Administrators
Controls UAC behavior for admin accounts. Value 2 requires credentials at each elevation.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network Security: LAN Manager Authentication Level
Controls which challenge/response authentication protocol is used. Value 5 enforces NTLMv2 and rejects weaker protocols.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Turn On Real-Time Protection
Ensures real-time scanning is always active.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-Time Protection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Accounts: Guest Account Status
The built-in Guest account should always remain disabled.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →User Account Control: Virtualize File and Registry Write Failures
Redirects legacy app write failures to per-user locations. Required for UAC compatibility.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Shutdown: Allow System to Be Shut Down Without Having to Log On
Controls whether the shutdown button appears on the logon screen.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Configure Controlled Folder Access
Ransomware protection - prevents unauthorized apps from modifying protected folders.
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network Security: Restrict NTLM: Outgoing NTLM Traffic to Remote Servers
Prevents this machine from sending NTLM authentication to remote servers. Reduces NTLM relay attack exposure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Network Security: Restrict NTLM: NTLM Authentication in This Domain
Controls NTLM authentication within the domain. Moving to Deny blocks legacy NTLM entirely.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Read reference →