How to Use Starter Group Policy Objects in Windows Server

In this Ask the Admin, I’ll show you how to work with starter Group Policy Objects (GPOs) to expedite the creation of GPOs in your domain.

Starter GPOs were introduced in Windows Server 2008 to help administrators quickly create new Group Policy Objects. Functioning like a template, starter GPOs can only be used to configure settings held under Administrative Templates. The Software Settings and Windows Settings categories are excluded because they contain references to users, groups, computers, and UNC paths.

Create a New Starter GPO

The Group Policy Management Console (GPMC) is installed on domain controllers or as part of the Remote Server Administration Tools (RSAT) on member servers or client devices. For more information on installing RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase.

Log on to a Windows Server 2012 R2 domain controller (DC), or to a device where RSAT is installed, using a domain administrator account.

  1. Switch to the Start screen, type group policy management and select Group Policy Management from the search results.
  2. If you need to start GPMC with alternate user credentials, make sure Group Policy Management is selected in the search results, press CTRL+SHIFT+ENTER and then enter a username and password.
  3. In the left pane of GPMC, expand your AD forest, Domains, and then the domain in which you want to create the new starter GPO if there’s more than one domain.
  4. Click Starter GPOs under your domain.

In this domain I have never created a Starter GPO, so the Starter GPOs folder must be created before continuing.

Starter GPOs in the Group Policy Management Console. (Image Credit: Russell Smith)
  1. In the right pane, click Create Starter GPOs Folder.
  2. Now you’ll see a list of pre-defined System starter GPOs on the Contents tab in the right pane.
  3. Right click the Starter GPOs container in the left pane and select New… from the menu.
  4. In the New Starter GPO dialog, give the new starter GPO a name and click OK. The new starter GPO will appear on the Contents tab in the right pane.
  5. Right click the new starter GPO, and select Edit… from the menu. The Group Policy Starter GPO Editor will open.
  6. In the Group Policy Starter GPO Editor window, you can add either Computer or User Configuration settings under Administrative Templates, just as you would for a GPO.
  7. Configure any settings you want to include in this starter GPO, and then close the editor window.

Unlike a GPO, the only way you can see a report of settings configured in a starter GPO is to right click the starter GPO, and select Save Report… from the menu to save a report as an HTML file that can then be viewed in Internet Explorer.

Create a New GPO Based on a Starter GPO

Now that the system-defined starter GPOs and one custom starter GPO exist, you can select a starter GPO from the Source Starter GPO menu in the New GPO dialog whenever you create a new GPO. The settings from the starter GPO will be copied to the new GPO. For more information on creating and linking Group Policy Objects (GPOs), see How to Create and Link a Group Policy Object in Active Directory on the Petri IT Knowledgebase.
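The same two steps can be scripted with the GroupPolicy PowerShell module that is installed alongside GPMC. This is an added example, not part of the original article; the starter GPO name, GPO name, comments, and report path are hypothetical placeholders. It also writes an HTML report of the new GPO so the copied settings can be reviewed before the GPO is linked anywhere.

```powershell
# Added example: all names and paths below are hypothetical placeholders.
Import-Module GroupPolicy

$starterName = 'Baseline-AdminTemplates'   # hypothetical starter GPO name
$gpoName     = 'Workstations-Baseline'     # hypothetical name for the new GPO
$reportPath  = Join-Path $env:TEMP "$gpoName.html"

# Create the starter GPO only if one with this name does not already exist.
$starter = Get-GPStarterGPO -Name $starterName -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name $starterName `
        -Comment 'Administrative Templates baseline (example)'
    Write-Host "Created starter GPO '$starterName'."
    Write-Host 'Configure its settings in the Group Policy Starter GPO Editor, then re-run.'
    return
}

# Refuse to continue if the target GPO name is already taken, so an
# existing policy is never confused with the one created here.
if (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$gpoName' already exists in this domain."
}

# Create the new GPO; the starter GPO's Administrative Templates
# settings are copied into it. The new GPO is not linked to any container.
$gpo = New-GPO -Name $gpoName -StarterGpoName $starterName `
    -Comment "Created from starter GPO '$starterName'"

# Save an HTML report of the new GPO to review what was copied
# before linking it to a site, domain, or OU.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportPath
Write-Host "Review the settings in $reportPath before linking '$gpoName'."
```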

Load and Save Starter GPOs as Cabinet Files

Once you have a starter GPO configured in your domain, you can save it as a compressed cabinet file so that it can be easily loaded into another domain. As starter GPOs only contain Administrative Templates settings, no mapping of AD object or UNC path references is required.

Load a starter GPO in the Group Policy Management Console. (Image Credit: Russell Smith)

Save a Starter GPO as a Cabinet File

To save a starter GPO as a cabinet file, follow the instructions below.

  1. Click the Starter GPOs container in the left pane of GPMC.
  2. On the Contents tab in the right pane, select the starter GPO you want to save.
  3. Click Save as Cabinet… at the bottom of GPMC.
  4. Save the .cab file to a convenient location.

Load a Starter GPO from a Cabinet File

Similarly, to load a starter GPO from a cabinet file:

  1. Click the Starter GPOs container in the left pane of GPMC.
  2. On the Contents tab in the right pane, click Load Cabinet… at the bottom of GPMC.
  3. In the Load Starter GPO window, click Browse for CAB…
  4. Select the saved .cab file and click Open.
  5. Click OK to load the starter GPO.
