How to create a GPO in Active Directory

What is Group Policy?

Group Policy is a built-in Windows feature that allows admins to centrally manage and enforce configuration settings for users and computers in an Active Directory (AD) environment. It provides a consistent way to control system behavior, security settings, user experience, and application configuration across many machines from a single point. These settings are defined, organized, and applied through Group Policy Objects (GPOs), which act as containers for related policy configurations and determine how and where Group Policy is enforced.

A well-structured GPO strategy lets admins roll out new baselines, application settings, or hardening measures quickly and consistently, instead of configuring machines individually. This page explains how to create new GPOs using the Group Policy Management Console (GPMC), PowerShell, and ManageEngine ADManager Plus, helping you choose the approach that best fits your workflow.


How to create new GPOs using PowerShell

PowerShell's New-GPO cmdlet in the GroupPolicy module lets you create GPOs programmatically, optionally based on a starter GPO, and then link them with other cmdlets such as New-GPLink.

Prerequisites

  • Ensure the RSAT (Remote Server Administration Tools) and the GroupPolicy PowerShell module are installed on your admin workstation or management server.
  • Run PowerShell with sufficient permissions, such as Domain Admin, Enterprise Admin, or delegated GPO editor rights.
  • Import the GroupPolicy module by running:
    Import-Module GroupPolicy

Creating new GPOs using the New-GPO cmdlet

You can use the New-GPO cmdlet to create a GPO, then optionally link it to a site, domain, or OU with New-GPLink and configure settings with other GPO cmdlets.

Example 1: Create a basic GPO with a comment

This creates a new, unlinked GPO named “Workstation Baseline” in the current domain, with a descriptive comment.

New-GPO -Name "Workstation Baseline" -Comment "Baseline security settings for client machines"

Example 2: Create a GPO from a starter GPO

This creates a new GPO and pre-populates it with settings copied from the specified starter GPO, saving time and ensuring consistency.

New-GPO -Name "Server Hardening GPO" -StarterGpoName "Windows Server Baseline"

Example 3: Create and immediately link a new GPO to an OU

This creates the “HR Desktop Policy” GPO and links it to the HR OU so that it starts applying to users and computers under that OU.

New-GPO -Name "HR Desktop Policy" |
New-GPLink -Target "OU=HR,DC=contoso,DC=com" -LinkEnabled Yes

Example 4: Edit a GPO by configuring a registry-based policy setting

This enables a policy setting by writing a registry value inside the GPO.

Set-GPRegistryValue `
-Name "Workstation Baseline" `
-Key "HKLM\Software\Policies\Microsoft\Windows\System" `
-ValueName "EnableSmartScreen" `
-Type DWord `
-Value 1

Example 5: Link a GPO to an OU

This links the Workstation Baseline GPO to the Finance OU so it applies to users and computers in that OU.

New-GPLink -Name "Workstation Baseline" -Target "OU=Finance,DC=contoso,DC=com"

Supported parameters

The following essential parameters can be used for creating GPOs in PowerShell.

Cmdlet/Parameter | Description
New-GPO | Creates a new unlinked GPO in the specified or current domain.
-Name | Name of the new GPO (required).
-Comment | Optional descriptive text explaining the GPO's purpose.
-Domain | FQDN of the domain where the GPO should be created.
-Server | Domain controller to target for the operation.
-StarterGpoName, -StarterGpoGuid | Creates the GPO based on an existing starter GPO template.
New-GPLink | Links a GPO to a site, domain, or OU and controls link status.
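
The parameters above combined into a guarded create-and-link routine, as an added example that is not part of the original page or of any vendor tooling. It assumes the ActiveDirectory module is installed alongside GroupPolicy; the function name New-StagedGpo and the domain controller name dc01.contoso.com are hypothetical.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory

function New-StagedGpo {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Comment,    # record purpose and owner on the GPO itself
        [Parameter(Mandatory)] [string] $TargetOu,   # distinguished name of the OU to link to
        [Parameter(Mandatory)] [string] $Domain,     # FQDN, never left to the session default
        [Parameter(Mandatory)] [string] $Server      # one DC for every call, so reads see our writes
    )
    $dc = @{ Domain = $Domain; Server = $Server }

    # Fail before creating anything if the OU DN is mistyped or not served by this DC.
    $ou = Get-ADOrganizationalUnit -Identity $TargetOu -Server $Server -ErrorAction Stop

    # Reuse a GPO that already carries this name instead of attempting a second create.
    $gpo = Get-GPO -Name $Name @dc -ErrorAction SilentlyContinue
    if (-not $gpo -and $PSCmdlet.ShouldProcess("$Domain via $Server", "Create GPO '$Name'")) {
        $gpo = New-GPO -Name $Name -Comment $Comment @dc
    }
    if (-not $gpo) { return }   # -WhatIf run on a GPO that does not exist yet

    # Link only if this GPO is not already linked directly to the OU.
    $direct = (Get-GPInheritance -Target $ou.DistinguishedName @dc).GpoLinks
    if ($direct.GpoId -notcontains $gpo.Id -and
        $PSCmdlet.ShouldProcess($ou.DistinguishedName, "Link GPO '$Name' with the link disabled")) {
        # Staged link: visible in GPMC but not applied until it is reviewed and enabled.
        New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName -LinkEnabled No @dc | Out-Null
    }
    $gpo
}

# Constructed values: contoso.com follows the page's examples, dc01 is a placeholder DC name.
$params = @{
    Name     = 'Workstation Baseline'
    Comment  = 'Baseline security settings for client machines'
    TargetOu = 'OU=Finance,DC=contoso,DC=com'
    Domain   = 'contoso.com'
    Server   = 'dc01.contoso.com'
}
New-StagedGpo @params -WhatIf   # dry run: prints the planned actions, changes nothing
```

Drop -WhatIf to apply the change; once the settings have been reviewed, the staged link is switched on with Set-GPLink and -LinkEnabled Yes.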

How to create new GPOs using GPMC

The GPMC provides a graphical interface for creating and linking GPOs, suitable for admins who prefer a point-and-click approach:

  1. Open Group Policy Management (gpmc.msc) from Start or Server Manager.
  2. In the console tree, expand Forest > Domains, and select the domain or OU where you want to apply the GPO.
  3. Right-click the domain or OU and choose Create a GPO in this domain, and Link it here….
    [Screenshot: Creating a GPO in the GPMC]
  4. Enter a meaningful name for the new GPO, then click OK.
  5. To configure settings, right-click the newly created GPO under Group Policy Objects or under the domain/OU, then select Edit.
  6. Use the Group Policy Management Editor to configure Computer and User configuration settings as needed, then close when done.

How to link a GPO

  1. In GPMC, expand Forest > Domains in the console tree, then browse to the target domain or OU.
  2. Right-click the domain or OU, then select Link an Existing GPO.
  3. From the list of available GPOs, choose the GPO you want to link, then click OK.

How to edit a GPO

  1. In GPMC, expand Forest > Domains > Group Policy Objects in the console tree.
  2. Locate the GPO you want to modify, right-click it, then select Edit.
  3. In the Group Policy Management Editor, navigate to Computer Configuration or User Configuration.
  4. Double-click the required policy setting, configure it as needed, then click OK.
  5. Close the editor when finished. The updated settings will apply at the next policy refresh, logon, or system restart, depending on the policy.

How to create new GPOs using ADManager Plus

ADManager Plus provides a web-based interface to create and manage GPOs, allowing you to create and link them to multiple OUs, domains, and sites in one step, without directly using GPMC or PowerShell.

  1. Navigate to Management > GPO Management > Manage GPOs.
  2. Click + Create new GPO and enter the GPO Name.
  3. Click Link Later if you only want to create the GPO and link it at a later time, or click Link Now to instantly link the GPO, then select the desired OUs, domains, and sites.
  4. Click Create.
    [Screenshot: Creating a new GPO in Active Directory and linking it using ADManager Plus]

Note: ADManager Plus lets you force GPO updates without the gpupdate command to instantly deploy critical security policies without waiting for scheduled refresh cycles.

Limitations of native tools to create GPOs

While powerful, relying solely on PowerShell and GPMC for GPO creation can present several challenges:

  • Creating and linking GPOs to many OUs or domains via GPMC is repetitive and time-consuming, especially in large environments.
  • PowerShell requires familiarity with the GroupPolicy module and scripting; mistakes in New-GPO or New-GPLink usage can result in GPOs being created in the wrong domain or linked incorrectly.
  • Native tools require specific admin privileges to create GPOs, which can restrict delegation and increase reliance on privileged accounts.
  • Neither GPMC nor basic PowerShell cmdlets provide an at-a-glance dashboard showing where new GPOs are linked and their precedence without additional reporting or documentation.
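
The additional reporting that the last point refers to can be scripted with the GroupPolicy module. The following is an added example, not part of the original page: it lists every GPO link in a domain and the effective link order on one OU. The function names and the domain controller name dc01.contoso.com are hypothetical.

```powershell
#Requires -Modules GroupPolicy

# One row per GPO link in the domain; GPOs with no link get a single '(unlinked)' row.
function Get-GpoLinkInventory {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Server
    )
    $dc = @{ Domain = $Domain; Server = $Server }
    foreach ($gpo in Get-GPO -All @dc) {
        # The XML report carries one <LinksTo> element per link of this GPO.
        [xml] $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml @dc
        $links = @($report.GPO.LinksTo | Where-Object { $_ })   # drop the $null of a missing element
        if ($links.Count -eq 0) {
            $links = @([pscustomobject]@{ SOMPath = '(unlinked)'; Enabled = $null; NoOverride = $null })
        }
        foreach ($link in $links) {
            [pscustomobject]@{
                Gpo      = $gpo.DisplayName
                LinkedTo = $link.SOMPath
                Enabled  = $link.Enabled
                Enforced = $link.NoOverride      # the report's name for "Enforced"
                Created  = $gpo.CreationTime
                Modified = $gpo.ModificationTime
            }
        }
    }
}

# Effective links on one container, direct and inherited, with their Order values.
function Get-GpoPrecedence {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Server
    )
    (Get-GPInheritance -Target $Target -Domain $Domain -Server $Server).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}

# Constructed values: contoso.com follows the page's examples, dc01 is a placeholder DC name.
Get-GpoLinkInventory -Domain 'contoso.com' -Server 'dc01.contoso.com' |
    Sort-Object LinkedTo, Gpo | Format-Table -AutoSize
Get-GpoPrecedence -Target 'OU=Finance,DC=contoso,DC=com' -Domain 'contoso.com' -Server 'dc01.contoso.com'
```

Comparing the inventory against the previous run's output is a simple way to notice GPOs that were created or relinked outside the change process.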

Benefits of using ADManager Plus to create and manage GPOs

ADManager Plus, an Active Directory management and reporting solution, helps admins perform GPO creation and management tasks with a script-free, intuitive interface.

FAQ

This option is greyed out when you don't have sufficient permissions to create or link GPOs. You must be a Domain Admin or Enterprise Admin, or your role must have delegated Create GPOs and Link GPOs rights for the domain or OU. The option may also be unavailable if you right-click an object that does not support GPO linking, such as a non-OU container.

A starter GPO is a reusable template that contains predefined Administrative Template settings. It helps standardize configurations and speed up GPO creation. Starter GPOs are created in the Starter GPOs node in Group Policy Management and can be used as a baseline when creating new GPOs, but they cannot be linked directly to domains or OUs.

To apply a GPO to a user, link the GPO to the OU that contains the user account and configure settings under User Configuration. If the policy must follow the user regardless of the computer they sign in to, ensure the user object is placed in the correct OU and that no conflicting GPOs override the settings.

You can create a new GPO by copying an existing GPO in Group Policy Management. Right-click the source GPO, select Copy, then paste it into Group Policy Objects. This creates a new GPO with identical settings, which can be renamed and modified independently.

Computer Configuration applies settings to computers, regardless of which user signs in, and is processed during system startup.

User Configuration applies settings to user accounts, is processed during logon, and follows users as they sign in to different computers.

Effective GPO names are clear, descriptive, and purpose-driven. Common conventions include:

  • Prefix by scope: Computer_, User_, or Both_
  • Include function or policy goal: Security, Baseline, Browser, Firewall
  • Avoid vague names like: New GPO or Test1

Example: Computer_Security_Baseline_Windows10

Yes, GPOs can be migrated between domains using GPMC backup and import or migration tables. Migration tables help map domain-specific values such as security principals and UNC paths, ensuring the imported GPO functions correctly in the target domain. ADManager Plus provides a script-free, easy-to-use GUI to simplify GPO migrations.
