Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Audit Privilege Use
Audits when a user exercises a user right. Generates event 4673.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Credential Validation
Audits NTLM credential validation. More granular than legacy audit policy.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Policy Change
Audits changes to audit policy itself. Generates event 4719.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Take Ownership of Files
Allows taking ownership of any object regardless of permissions.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Kerberos Authentication Service
Audits Kerberos TGT requests. Generates events 4768, 4771.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Log On Through Remote Desktop Services
Controls which accounts can connect via RDP.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Kerberos Service Ticket Operations
Audits Kerberos service ticket requests. Detects Kerberoasting attacks. Generates event 4769.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Other Object Access Events
Audits scheduled task creation, COM+ object access, and other object events.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Process Creation
Audits new process creation including command line arguments. Generates event 4688.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Special Logon
Audits logons with admin-equivalent privileges. Generates event 4964.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Logon/Logoff
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Log On Through Remote Desktop Services
Explicitly prevents specified accounts from connecting via RDP.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Manage Auditing and Security Log
Allows managing audit policy and viewing the security event log.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Logon
Audits logon and logoff events. More granular than legacy logon auditing.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Logon/Logoff
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Include Command Line in Process Creation Events
Includes full command line arguments in event 4688. Critical for detecting malicious command execution.
Computer Configuration > Administrative Templates > System > Audit Process Creation
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit User Account Management
Audits user account changes including password resets and account enables/disables.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Removable Storage
Audits access to removable storage devices such as USB drives. Generates event 4663.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Tape Drives: Deny All Access
Blocks tape drive access.
Computer Configuration > Administrative Templates > System > Removable Storage Access
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Allow Log On Locally
Controls which accounts can log on interactively at the console.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Act as Part of the Operating System
Extremely powerful right that allows a process to impersonate any user. Should be empty.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Shut Down the System
Controls which accounts can shut down the system.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts
Prevents anonymous users from enumerating SAM account names.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Debug Programs
Allows attaching a debugger to any process. Can be used to dump LSASS credentials.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares
Prevents anonymous enumeration of both SAM accounts and network shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
