Group Policy Reference
A comprehensive Microsoft Windows Group Policy reference — searchable database of GPO settings with registry paths, supported OS versions, configuration steps, security implications, and real-world use cases. Built for sysadmins managing Active Directory, Intune, and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a configuration setting in Windows that defines how computers and user accounts behave. Each policy maps to one or more registry values, applies to a specific scope (Computer or User), and is bundled in an ADMX (Administrative Template) file. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings, and operational guidance you won't find on the official Microsoft Learn pages.
Minimum Password Length
Minimum number of characters required in a password. NIST recommends 8+, CIS recommends 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum Password Age
How often users must change passwords. NIST now recommends against routine expiration.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Minimum Password Age
Prevents users from immediately cycling back to their old password.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce Password History
Number of previous passwords remembered to prevent reuse.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Password Must Meet Complexity Requirements
Requires passwords to use 3 of 4 character categories and not contain the username.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Back Up Files and Directories
Allows bypassing file permissions for backup purposes. Can be abused to exfiltrate data.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Account Lockout Duration
How long an account remains locked. 0 requires admin unlock.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum System Log Size
Sets the maximum size of the System event log.
Computer Configuration > Windows Settings > Security Settings > Event Log
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Use OneDrive Files On-Demand
Enables Files On-Demand so files appear in File Explorer without being downloaded.
Computer Configuration > Administrative Templates > OneDrive
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum Lifetime for User Ticket
Maximum lifetime for a Kerberos TGT. Shorter lifetimes reduce the window for ticket theft.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Store Passwords Using Reversible Encryption
Stores passwords essentially as plaintext. Should always be Disabled.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Account Lockout Threshold
Number of failed logon attempts before lockout. 0 disables lockout entirely.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Security Group Management
Audits security group creation, modification, and deletion.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum Tolerance for Computer Clock Synchronization
Maximum clock skew allowed for Kerberos authentication. Exceeding this causes authentication failures.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Process Tracking
Audits process creation and termination. Generates event 4688. Required for threat hunting.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Account Management
Audits user/group creation, deletion, and modification. Generates events 4720-4743.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit System Events
Audits system startup, shutdown, and time changes.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Reset Account Lockout Counter After
Time window in which failed attempts are counted before the counter resets.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Enforce User Logon Restrictions
Validates every Kerberos session ticket request against user rights policy.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Object Access
Audits access to files, folders, registry keys, and printers. Must also enable auditing on individual objects.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Logon Events
Audits interactive and network logons. Generates events 4624, 4625, 4634.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Maximum Lifetime for Service Ticket
Maximum lifetime for a Kerberos service ticket.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Audit Account Logon Events
Audits Kerberos and NTLM authentication attempts. Generates events 4768, 4769, 4776.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
Deny Log On Locally
Explicitly prevents specified accounts from logging on interactively.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Supported on Windows 10, Windows 11, Windows Server 2016 and later
