How to edit Group Policy Objects using PowerShell


Editing Group Policy Objects (GPOs) is essential for maintaining a secure, consistent, and compliant IT environment. GPOs enable admins to centrally enforce security baselines and standardize user and computer configurations across a domain. Regularly reviewing and updating GPOs helps close security gaps and ensures configurations evolve with operational requirements.

This page explains how to edit GPOs effectively using PowerShell, the Group Policy Management Console (GPMC), and ManageEngine ADManager Plus.


How to edit an existing GPO using PowerShell

PowerShell's GroupPolicy module lets you modify registry-based policy settings inside a GPO and report on GPO configurations without manually opening the GPMC.

Prerequisites

  • Ensure the Remote Server Administration Tools (RSAT) and the GroupPolicy PowerShell module are installed on your admin workstation or management server.
  • Run PowerShell with sufficient permissions, such as Domain Admin, Enterprise Admin, or delegated GPO editor rights.
  • Import the GroupPolicy module by running:
    Import-Module GroupPolicy

Editing GPOs using PowerShell

Most edits are performed by changing registry-based policy settings using the Set-GPRegistryValue cmdlet, or by managing links and permissions with cmdlets such as Set-GPLink and Set-GPPermission.

Example 1: Enable a setting in an existing GPO (registry value)

This script configures a machine-level policy setting inside the Workstation Security GPO to set a 900‑second screen lock timeout.

$GpoName = "Workstation Security"
Set-GPRegistryValue -Name $GpoName `
-Key "HKLM\Software\Contoso\Security" `
-ValueName "ScreenLockTimeout" `
-Type DWord `
-Value 900

Example 2: Create a new GPO and set a user configuration value

This creates a new GPO and configures a user policy setting for a custom browser home page.

$Gpo = New-GPO -Name "Browser Hardening"
Set-GPRegistryValue -Guid $Gpo.Id `
-Key "HKCU\Software\Policies\Contoso\Browser" `
-ValueName "HomePage" `
-Type String `
-Value "https://intranet.contoso.com"

Example 3: Generate a GPO HTML report after editing

This produces an HTML report of the GPO to verify applied settings and share them with auditors.

$GpoName = "Workstation Security"
Get-GPOReport -Name $GpoName -ReportType Html -Path "C:\Reports\WorkstationSecurity.html"

Example 4: Edit specific settings and push them across multiple DCs

This script updates two computer-level GPO settings by directly modifying their corresponding registry values. Once executed, the updated GPO can be applied across all domain controllers using your remote monitoring and management (RMM) tool or a standard gpupdate /force.

$GPOName = "Your GPO Name Here"
Set-GPRegistryValue `
-Name $GPOName `
-Key "HKLM\Software\Policies\Microsoft\Windows\System" `
-ValueName "GpNetworkStartTimeoutPolicyValue" `
-Type DWord `
-Value 60
Set-GPRegistryValue `
-Name $GPOName `
-Key "HKLM\Software\Policies\Microsoft\Windows\System" `
-ValueName "SyncForegroundPolicy" `
-Type DWord `
-Value 1

Example 5: Set local Group Policy and security settings on non-domain machines

By using the Set-ItemProperty cmdlet, you can directly modify policy registry values to enforce policy behavior on machines that are not joined to a domain. This script disables access to Windows Update by updating the appropriate registry key.

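$Path = "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate"
# Create the policy key first; Set-ItemProperty fails if it does not exist
if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
Set-ItemProperty `
-Path $Path `
-Name "DisableWindowsUpdateAccess" `
-Type DWord `
-Value 1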

Supported parameters

The following essential parameters can be used for editing GPOs in PowerShell.

Cmdlet/Parameter      Description
--------------------  ------------------------------------------------------------
Set-GPRegistryValue   Edits registry-based policy settings within a GPO (computer or user configuration).
-Name/-Guid           Identifies the target GPO by its display name or GUID.
-Key                  Specifies the registry key path inside the GPO.
-ValueName            Name of the registry value that represents the policy setting.
-Type                 Registry value type such as DWord, String, MultiString, etc.
-Value                Data to assign to the specified registry value in the GPO.
Get-GPOReport         Generates XML or HTML reports of a GPO's settings for review and auditing.
Set-GPLink            Links or unlinks a GPO to a site, domain, or OU and controls link enforcement.
Set-GPPermission      Grants or modifies permissions on a GPO for users, groups, or computers.
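
The following is an added example, not part of the original page: it uses Set-GPPermission to delegate edit rights on a single GPO to a group, then uses Get-GPPermission to list every trustee in the domain that holds edit-level rights outside an expected allow-list. The group name GPO-Editors-Workstations and the allow-list contents are assumptions.

```powershell
# Added example: the group name and allow-list are assumptions for illustration.
Import-Module GroupPolicy

$GpoName     = "Workstation Security"
$EditorGroup = "GPO-Editors-Workstations"   # hypothetical delegated group

# Grant edit rights on this one GPO only, instead of using a Domain Admin account.
Set-GPPermission -Name $GpoName -TargetName $EditorGroup `
    -TargetType Group -PermissionLevel GpoEdit | Out-Null

# Trustees expected to hold edit-level rights (adjust to your environment).
$Allowed   = @("Domain Admins", "Enterprise Admins", "SYSTEM", $EditorGroup)
$EditLevel = @("GpoEdit", "GpoEditDeleteModifySecurity")

# Audit every GPO in the domain and collect edit-level trustees outside the allow-list.
$Findings = foreach ($Gpo in Get-GPO -All) {
    Get-GPPermission -Guid $Gpo.Id -All |
        Where-Object { "$($_.Permission)" -in $EditLevel -and $_.Trustee.Name -notin $Allowed } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $Gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Type       = $_.Trustee.SidType
                Permission = $_.Permission
            }
        }
}

# Anything listed here can change policy for every machine or user the GPO applies to.
$Findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```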

How to edit GPOs using GPMC

The GPMC provides a graphical way to browse, edit, and link GPOs.

Steps to edit a GPO in GPMC

  1. Open Group Policy Management (gpmc.msc) from Server Manager > Tools or the Start menu.
  2. Expand the forest and domain, then click Group Policy Objects.
  3. Locate the GPO you want to edit, right-click it, then select Edit.
  4. In the Group Policy Management Editor, browse under Computer Configuration or User Configuration to find the setting you want to change.
  5. Double-click the policy, select Enabled, Disabled, or configure options as required, then click OK.
  6. Close the editor when finished; the updated GPO will apply at the next refresh or logon/boot cycle.

Steps to edit a local GPO using gpedit.msc

  1. Press Win + R, type gpedit.msc, and press Enter.
  2. In the Local Group Policy Editor, expand Computer Configuration or User Configuration.
  3. Navigate through Administrative Templates (or the relevant node) to locate the policy you want to modify.
  4. Double-click the policy, select Enabled or Disabled, or adjust the configuration as needed, then click OK.
  5. Close the editor when finished; changes will apply at the next refresh or logon/boot cycle.

How to edit GPOs using ADManager Plus

ADManager Plus provides a unified, web-based interface to manage GPOs, including creating, linking, enabling/disabling, and updating GPOs without directly working in GPMC or scripting in PowerShell.

  1. Navigate to Management > GPO Management > Manage GPOs.
  2. In the Actions column of the GPO that you would like to edit, click the edit icon.
  3. Select the setting that you would like to edit and modify its configuration.

Limitations of using native tools to edit GPOs

While powerful, relying solely on PowerShell and GPMC to edit GPOs can present several challenges:

  • GPMC does not provide strong bulk-editing capabilities; changing the same setting across many GPOs requires repetitive manual effort.
  • PowerShell GPO cmdlets primarily target registry-based settings, making it more challenging to configure complex or preference-based policies compared to using a graphical interface.
  • Native tools require specific admin privileges to edit GPOs, which can restrict delegation and increase reliance on privileged accounts.
  • Scripted changes must be carefully tested; mistakes in Set-GPRegistryValue or link operations can introduce misconfiguration at scale.
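
One way to reduce the risk of a scripted misconfiguration, shown as an added example that is not part of the original page: back up the GPO, apply the edit from Example 1, read the setting back with Get-GPRegistryValue, and restore the backup if the read-back does not match. The backup folder C:\GPOBackups is an assumption.

```powershell
# Added example: the backup folder is an assumption; GPO, key and value come from Example 1.
Import-Module GroupPolicy

$GpoName   = "Workstation Security"
$Key       = "HKLM\Software\Contoso\Security"
$ValueName = "ScreenLockTimeout"
$Expected  = 900
$BackupDir = "C:\GPOBackups"   # assumed backup folder

# 1. Back up the GPO so the edit can be reverted.
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
$Backup = Backup-GPO -Name $GpoName -Path $BackupDir -Comment "Before $ValueName change"

# 2. Record the current value; the lookup errors if the setting is not configured yet.
$BeforeText = "<not configured>"
try {
    $BeforeText = (Get-GPRegistryValue -Name $GpoName -Key $Key `
        -ValueName $ValueName -ErrorAction Stop).Value
} catch { }

try {
    # 3. Apply the edit.
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName `
        -Type DWord -Value $Expected -ErrorAction Stop | Out-Null

    # 4. Read the setting back from the GPO and compare type and data.
    $After = Get-GPRegistryValue -Name $GpoName -Key $Key `
        -ValueName $ValueName -ErrorAction Stop
    if ($After.Type -ne 'DWord' -or $After.Value -ne $Expected) {
        throw "Read-back mismatch: type=$($After.Type) value=$($After.Value)"
    }
    Write-Output "$GpoName : $ValueName changed from $BeforeText to $($After.Value) (backup $($Backup.Id))"
}
catch {
    # 5. Roll back to the backup taken in step 1.
    Write-Warning "Edit failed ($($_.Exception.Message)); restoring backup $($Backup.Id)"
    Restore-GPO -BackupId $Backup.Id -Path $BackupDir | Out-Null
}
```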

Benefits of using ADManager Plus to edit GPOs

ADManager Plus, an AD management and reporting solution, helps admins perform GPO management tasks with a script-free, easy-to-use interface.


FAQ

To modify the GPO itself, use the Set-GPRegistryValue cmdlet. To force machines to apply the changes immediately, use the gpupdate /force command (for the local machine) or the Invoke-GPUpdate cmdlet (for remote machines).

$GPOName = "Your GPO Name Here"
Set-GPRegistryValue `
-Name $GPOName `
-Key "HKLM\Software\Policies\Microsoft\Windows\System" `
-ValueName "SyncForegroundPolicy" `
-Type DWord `
-Value 1
Set-GPRegistryValue `
-Name $GPOName `
-Key "HKLM\Software\Policies\Microsoft\Windows\System" `
-ValueName "GpNetworkStartTimeoutPolicyValue" `
-Type DWord `
-Value 60
gpupdate /force

Use the GPMC or edit the GPO programmatically with PowerShell using the Set-GPRegistryValue cmdlet. For a script-free approach, ADManager Plus offers a centralized GUI for managing all GPO tasks.

By using Set-ItemProperty, you can modify the registry directly to enforce policy behavior on machines that are not joined to a domain. The script below disables access to Windows Update by updating the appropriate registry key. Note that this modifies the local registry, not an AD GPO object.

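$Path = "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate"
# Create the policy key first; Set-ItemProperty fails if it does not exist
if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
Set-ItemProperty `
-Path $Path `
-Name "DisableWindowsUpdateAccess" `
-Type DWord `
-Value 1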