Between Windows Server 2022 and Windows Server 2025, the focus for Group Policy was on moving Group Policies and Group Policy Preferences towards a code-driven solution and away from legacy complexity.
If you want a homelab that upgrades itself instead of collecting dust, you must understand how Group Policy Objects (GPO) and Group Policy Preferences (GPP) work under the hood—and how they’ve quietly changed since the Windows 2000 days. Using GPOs and GPPs is the first step of this series moving from manual work to automation.
What have we done so far?
In our Windows Server series we learned how to deploy Windows Server with Hyper-V and created a robust foundation by mostly manually deploying it from scratch to virtualization, using Active Directory and connecting it to Azure using Azure Arc.
You might have noticed that there is a lot of manual work involved in keeping it updated, making it look nice and redoing your customization every time. Let’s get started with the basics of automation and customization using GPOs and GPPs.
What are Group Policies (GPOs) & Group Policy Preferences (GPPs)?
The Microsoft timeline (Win2000 → Server 2025)
- 2000 – Windows 2000: Introduction of Active Directory and the first cut of Group Policy.
- 2008 – Server 2008: Group Policy Preferences are integrated into GPOs.
- 2012 – Server 2012 R2: Sysvol replication moves from FRS to DFSR. If you haven’t migrated yet, please do so before your domain controller files itself under “vintage”.
- 2025 – Server 2025: GPMC adds native PowerShell Desired State Configuration (DSC) export and a JSON-based backup format. Your bash-loving future self will thank you. (Microsoft Docs)
GPO vs GPP – key differences
Group Policy Objects (GPOs) are authoritative. They can enforce settings with no room for user modification: UI elements are locked down, registry values are written under HKLM\Software\Policies or HKCU\Software\Policies, and the system treats them as immutable.
Group Policy refreshes in the background every 90 minutes, with a random offset of up to 30 minutes. This applies to both Computer and User Configuration unless overridden via GPO settings.
Group Policy Preferences (GPPs) are more flexible. They allow for “Item Level Targeting” and also “Run Once” settings. They can be used for complex configurations and have often been used to replace login scripts, for example by mapping network drives based on group memberships. These settings are very flexible and allow for customization.
Group Policy Preferences also refresh in the background every 90 minutes as part of the GPO refresh, with a random offset of up to 30 minutes. This applies to both Computer and User Configuration unless overridden via GPO settings.
What makes Group Policies special?
At their heart, GPOs are registry-centric XML blobs that get merged into the client hive (registry) at logon/start-up. The technical term for this is tattooing—once a value is written, it sticks until an opposing policy resets or removes it. This can trip you up during lab experiments when half-baked settings survive the GPO being unlinked.
💡Important: A deleted GPO does not wipe its registry traces. Always include a cleanup script or use Disabled state before unlinking. This is most likely the most important thing to learn about GPOs.
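To check in the lab what actually stays behind, the following added example (not from the original article) snapshots the registry values under the two policy keys named above and compares a "before" and an "after" snapshot. The function names `Get-PolicyRegistrySnapshot` and `Compare-PolicyRegistrySnapshot` and the file name `before.xml` are hypothetical; pass other roots with `-Root` to cover keys written by preferences.

```powershell
# Added example (function names are hypothetical, not from the article).
function Get-PolicyRegistrySnapshot {
    param(
        # Defaults are the two policy keys named in this article
        [string[]]$Root = @('HKLM:\Software\Policies', 'HKCU:\Software\Policies')
    )
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # The root key itself plus every subkey below it
        $keys = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $raw = $key.GetValue($name, $null, $noExpand)
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $name
                    Kind  = $key.GetValueKind($name).ToString()
                    Value = @($raw) -join ','   # flattens multi-string and binary data
                }
            }
        }
    }
}

function Compare-PolicyRegistrySnapshot {
    param([object[]]$Before, [object[]]$After)
    # Index the "after" snapshot by key path and value name
    $index = @{}
    foreach ($a in $After) { $index["$($a.Key)|$($a.Name)"] = $a }
    foreach ($b in $Before) {
        $hit = $index["$($b.Key)|$($b.Name)"]
        $status = if (-not $hit) { 'Removed' } elseif ($hit.Value -eq $b.Value) { 'Survived' } else { 'Changed' }
        [pscustomobject]@{ Key = $b.Key; Name = $b.Name; Before = $b.Value; Status = $status }
    }
}

# 1. While the test GPO is still applied:
#      Get-PolicyRegistrySnapshot | Export-Clixml .\before.xml
# 2. Disable or unlink the GPO, run "gpupdate /force", then:
#      $before = Import-Clixml .\before.xml
#      Compare-PolicyRegistrySnapshot -Before $before -After (Get-PolicyRegistrySnapshot) |
#          Where-Object Status -eq 'Survived'
```

Values written by other GPOs that are still linked also show up as `Survived`, so filter the result on the key paths your test GPO touched.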
What will we be using GPOs / GPPs for?
In our homelab, and still in most enterprise organizations, you can use GPOs and GPPs for multiple things:
- Increase Security by enforcing security settings to all systems in your Active Directory
- Map network drives
- Customize the look & feel of Windows clients and Windows Server
- Manage Local Administrator Groups using Item Level Targeting
Meet AGPM (Advanced Group Policy Management)
AGPM 4.0 brought version control, check-in/out and multi-admin approval long before Git repos were cool. Sadly, Microsoft has scheduled End of Support for 14 April 2026 (Microsoft Lifecycle). If I could resurrect one legacy tool, it would be AGPM. Its version control and approval workflows were ahead of their time.
Features you’ll still love
- Offline editing with change history
- Role-based “Editor”, “Reviewer”, “Approver” workflows
- Controlled rollback after midnight regrets

Options for the future
- Migrate to Microsoft Intune’s Settings Catalog (cloud & clients only).
- Adopt DSC since you can export your settings nicely from GPMC 2025
- Azure Policies (cloud & only recommended for servers)
- Investigate 3rd Party options
AGPM is brilliant but will soon be out of support, so my recommendation is to start exporting GPOs as .dsc.json today and get used to DSC and other alternative options.
Where to store scripts, wallpapers & assets for Group Policies
When storing assets for GPO deployment, consider the trade-offs between using SYSVOL and a dedicated file share.
Personally I never use the sysvol of a Domain Controller. Even if there are scripts recommending it to be used in their default settings, i.e. Azure Arc onboarding, I will re-create the scripts and always use a fileshare on a distributed file share. In the homelab I will use my non DFS enabled fileserver and create a folder with read rights for everyone.
💡Important: Keep anything > 50 MB out of SYSVOL. Group Policy client downloads are synchronous; a 4K wallpaper or software deployment on a Wide Area Network or Client VPN will ruin your morning coffee.
Location | Pros | Cons |
---|---|---|
\\domain\SYSVOL\…\Scripts | Replicates automatically; no extra share needed | DFSR can choke on ISO images; pollutes backups |
Dedicated file share (e.g. \\infra\gpoassets$) | Clean separation; quota-controlled; easier RBAC | Must replicate manually (RoboCopy/DFS-R); extra ACLs |
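Both trade-offs can be checked with a short audit. The following added example (not from the original article) flags files above the 50 MB mark and NTFS permissions that give broad groups more than read access on an asset folder. The function name `Test-GpoAssetShare` and the default principal list are assumptions, and `\\infra\gpoassets$` is only the example path from the table.

```powershell
# Added example (hypothetical function name, not from the article).
# Checks the NTFS ACL of the folder itself; share-level permissions live on the file server.
function Test-GpoAssetShare {
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$MaxBytes = 50MB,
        # Assumed list of broad principals that should only have read access; extend as needed
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    # Bits that allow changing what clients download and run (no read bits included)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $genericWrite = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored raw in some ACEs

    $acl = Get-Acl -LiteralPath $Path
    $aceFindings = foreach ($ace in $acl.Access) {
        $rights = [int]$ace.FileSystemRights
        $canWrite = ($rights -band $writeMask) -or ($rights -band $genericWrite)
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Finding = 'WritableByBroadGroup'
                Item    = $Path
                Detail  = "$($ace.IdentityReference): $($ace.FileSystemRights)"
            }
        }
    }

    $sizeFindings = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object Length -gt $MaxBytes |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'OversizedFile'
                Item    = $_.FullName
                Detail  = '{0:N1} MB' -f ($_.Length / 1MB)
            }
        }

    @($aceFindings) + @($sizeFindings)
}

# Example call with the path from the table above:
#   Test-GpoAssetShare -Path '\\infra\gpoassets$' | Format-Table -AutoSize
```

An empty result means no broad group can modify the assets and nothing exceeds the size limit; run it against the SYSVOL scripts folder as well to find files that should move to the file share.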
Complexity and Troubleshooting of GPOs & GPPs
GPOs and GPPs are one of the most complex areas to work with in Active Directory. Large enterprises can easily reach thousands of GPOs, and very often they are developed by one mastermind. If that mastermind is gone, things go wild.
Learn the basics in your homelab, but be prepared: only the combination of good knowledge of Active Directory, GPOs, GPPs, Excel (yes, sorry), GPResult, Windows Server & Windows Clients, login scripts, firewalls & networking, the registry and tools like the Policy Analyzer will make you an expert in this area.
💡Important: From my perspective, cleaning up or auditing GPOs / GPPs is one of the most challenging tasks in IT consulting. Make sure you are ready for such a task if you get assigned to an audit. If you need assistance, please always feel free to contact me.
Conclusion
This article lays the very basic foundation you need to know about GPOs and GPPs. It will be a reference point for the upcoming Windows Server – Group Policy blog article. In the Windows Server series I will show how to apply backgrounds, create scheduled tasks to deploy Winget, map network drives and many more things. There is so much I want to automate in my homelab using GPOs that most likely this will be a continuously updated page and not a blog article.
Additional Resources
- Microsoft Learn – Group Policy Overview – solid refresher with 2025-specific notes.
- Microsoft Learn – Group Policy Preferences – deep dive into CSEs and item-level targeting.
- Microsoft Lifecycle – Products reaching End of Support 2026 – confirms AGPM sunset.
- Quickstart: Convert Group Policy into DSC – generate a DSC configuration from a Group Policy or Azure Security Center baseline
- GPResult – The tool to master your GPOs and GPPs
- Policy Analyzer – Compare two different GPOs with each other
- Download Policy Analyzer – Part of Microsoft Security Compliance Toolkit 1.0
- Group Policy overview for Windows Server – Learn from Microsoft
If you have any questions please don’t hesitate to reach out to me on LinkedIn, Bluesky or check my newly created Adaptive Cloud community on Reddit.