Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Display logon message banner
Shows a banner message before logon. Critical for MSP compliance with legal notice requirements.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Number of previous logons to cache
Limits cached credentials to 1 for offline logon. Reduces credential exposure for MSP mobile users.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow administrators to exceed quota limits
Exempts administrators from quota limits. Ensures MSP administrators can perform necessary operations.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Smart card removal behavior
Locks the workstation when the smart card is removed. Critical for MSPs using smart card authentication.
Computer Configuration > Administrative Templates > Windows Components > Smart Card
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Let Everyone permissions apply to anonymous users
Controls whether anonymous users inherit Everyone permissions. Keep at 0 to deny anonymous access. Critical for MSPs preventing unauthenticated enumeration.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny disk space to users exceeding quota
Prevents writes when a user exceeds the quota. Strictly enforces storage limits for MSP-managed systems.
Computer Configuration > Administrative Templates > System > Disk Quotas
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Display verbose status messages during logon
Shows detailed logon messages for troubleshooting. Helps MSP technicians diagnose authentication issues.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Default: 14
Notifies the user 14 days before the password expires. Reduces account lockouts from expired credentials in MSP organizations.
Recommended: 14
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Clear valid logon history
Ensures passwords are not stored in memory. Critical security measure for MSP-managed systems.
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enable forced logoff when logon hours expire
Disconnects users when logon hours expire. Enforces access control policies for MSP-managed networks.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP Signing: Negotiate signing
Enables LDAP clients to negotiate signing with servers. Setting to 1 enables negotiation, 2 requires it. Provides flexibility for gradual deployment across managed environments.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Require domain controller authentication for cached logons
Forces revalidation with domain controller. Prevents replay attacks on cached credentials in MSP networks.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Disable automatic restart after logon
Prevents automatic logon after system restart. Ensures manual authentication for security-sensitive MSP environments.
Computer Configuration > Administrative Templates > System > Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Domain Controller: LDAP server signing requirements
Enforces LDAP signing requirements on domain controllers to prevent man-in-the-middle attacks. Setting to 2 requires signing. Critical for MSPs securing client Active Directory environments from credential interception.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP client signing requirements
Configures client-side LDAP signing to negotiate signing with LDAP servers. Setting to 1 requires signing when available. Prevents credential theft in hybrid and cloud scenarios MSPs manage.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Task Scheduler: Disable task deletion
Prevents non-administrators from deleting scheduled tasks. Setting to 1 disables deletion. MSPs use this to prevent tampering with security tasks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Extended Protection for Authentication: Require channel binding
Enforces Extended Protection for Authentication on LDAP connections. Prevents attackers from stealing LDAP credentials through man-in-the-middle attacks. Critical for MSPs managing sensitive client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: Configure encryption types allowed for Kerberos
Specifies encryption types for Kerberos. Value 2147483644 enables strong ciphers only (AES). MSPs use this to eliminate DES/RC4 weak encryption.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP: Maximum concurrent connections
Limits concurrent LDAP connections to domain controllers. Set to 0 for unlimited. MSPs use this to prevent DoS attacks on directory services during client migrations and queries.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network security: NTLM SSP Security: Require NTLMv2 session security
Forces servers to require NTLMv2 session security. Value 537133056 requires both NTLMv2 and encryption. Critical for MSPs enforcing authentication baseline across client networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
RPC: Enable RPC over TCP/IP
Controls RPC over TCP/IP. MSPs may restrict this on highly secured networks, but most modern systems require it for services like WMI and WinRM.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP over SSL/TLS requirement
Enables LDAP over SSL/TLS on domain controllers. Standard port 636 encrypts all LDAP traffic. Essential for MSPs securing directory queries over untrusted networks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network access: Restrict anonymous access to Named Pipes and Shares
Blocks NULL session access to named pipes and shares. Setting to 1 enforces authentication. Critical for MSPs preventing share enumeration attacks.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
LDAP: Enable referral chasing
Controls LDAP referral chasing behavior. Setting to 0 disables automatic referral following. MSPs disable this to prevent information disclosure and credential exposure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later