Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Logon message banner text
Defines legal notice displayed at logon. Essential for MSP legal compliance and access policies.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Display logon message banner
Shows banner message before logon. Critical for MSP compliance with legal notice requirements.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Number of previous logons to cache
Limits cached credentials to 1 for offline logon. Reduces credential exposure for MSP mobile users.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Smart card removal behavior
Locks workstation when smart card is removed. Critical for MSPs using smart card authentication.
Computer Configuration > Administrative Templates > Windows Components > Smart Card
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Display verbose status messages during logon
Shows detailed logon messages for troubleshooting. Helps MSP technicians diagnose authentication issues.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Notifies user 14 days before password expires. Reduces account lockouts from expired credentials in MSP organizations.
Default: 14
Recommended: 14
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Clear valid logon history
Ensures passwords are not stored in memory. Critical security measure for MSP-managed systems.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable forced logoff when logon hours expire
Disconnects users when logon hours expire. Enforces access control policies for MSP-managed networks.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require domain controller authentication for cached logons
Forces revalidation with domain controller. Prevents replay attacks on cached credentials in MSP networks.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic restart after logon
Prevents automatic logon after system restart. Ensures manual authentication for security-sensitive MSP environments.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Configure encryption types allowed for Kerberos
Specifies encryption types for Kerberos. Value 2147483644 enables strong ciphers only (AES). MSPs use this to eliminate DES/RC4 weak encryption.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: NTLM SSP Security: Require NTLMv2 session security
Forces servers to require NTLMv2 session security. Value 537133056 requires both NTLMv2 and encryption. Critical for MSPs enforcing authentication baseline across client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC: Enable RPC over TCP/IP
Controls RPC over TCP/IP. MSPs may restrict this on highly secured networks, but most modern systems require it for services like WMI and WinRM.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Controls outgoing NTLM usage on the computer. Setting to 2 blocks NTLM for remote connections. Essential for MSPs preventing clients from authenticating to NTLM-only systems.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: NTLM SSP Security: Minimum session security
Enforces 128-bit encryption and NTLMv2 session security. Value 537133056 enables both requirements. MSPs use this to prevent downgrade attacks on client authentication.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: LAN Manager authentication level
Sets minimum NTLM authentication level. Level 5 requires NTLMv2/Kerberos. MSPs set this to eliminate LM hash weaknesses and legacy protocol support.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Allow LocalSystem NULL session fallback
Controls whether LocalSystem can fall back to NULL sessions. Setting to 0 disables the fallback. MSPs use this to force authenticated sessions throughout the infrastructure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC Endpoint Mapper: Authentication level for unauthenticated connections
Requires authentication for RPC endpoint mapper queries. Setting to 1 enforces authentication. Critical for MSPs preventing RPC enumeration attacks on client systems.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit: Audit Other Account Logon Events
Audits NTLM-based authentications and other account logon attempts. Setting to 3 logs both success and failure. Essential for MSPs detecting compromised credentials in client environments.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DCOM: Authentication Level
Sets DCOM authentication level to Packet Privacy (6). Requires encryption of all DCOM traffic. Critical for MSPs protecting sensitive RPC/DCOM communications.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable RPC Connection Pooling
Disables RPC connection pooling. Setting to 1 requires new connections per request, reducing session hijacking. MSPs use this to harden RPC security.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
DCOM: Default Impersonation Level
Sets DCOM impersonation level to Identify (3). Prevents DCOM clients from impersonating callers. MSPs use this to limit privilege escalation via DCOM.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit: Audit Kerberos Authentication Service
Tracks Kerberos authentication events on domain computers. Setting to 3 logs successes and failures. Helps MSPs monitor NTLM deprecation progress.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Minimum password length
Sets minimum password length to prevent weak NTLM/NTLMv2 hashes. MSPs enforce 14+ characters to mitigate password cracking against hashed credentials.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later