Group Policy Processing and Precedence

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

 

Order of processing settings

Group Policy settings are processed in the following order:

1. Local Group Policy object— Each computer has exactly one Group Policy object that is stored locally. It is applied during both computer and user Group Policy processing.

2. Site— Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain— Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units— GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
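The following sketch is an added example, not part of the original post. It models only the default order described above (no enforced or disabled links, Block Inheritance or loopback) and shows which GPO ends up supplying each conflicting setting. All GPO names, setting names and values are constructed for illustration.

```python
# Added example: default Group Policy processing order (Local, Site, Domain, OUs).
# GPO names and settings below are constructed sample data, not real policy names.

def container_order(links):
    """links: list of (link_order, gpo_name) for one site, domain or OU.
    The highest link order is processed first, the lowest link order last."""
    return [name for _, name in sorted(links, key=lambda l: l[0], reverse=True)]

def processing_order(local, site, domain, ou_chain):
    """ou_chain lists each OU's links, from the top of the Active Directory
    hierarchy down to the OU that directly contains the user or computer."""
    order = [local]
    order += container_order(site)
    order += container_order(domain)
    for ou_links in ou_chain:
        order += container_order(ou_links)
    return order

def resultant_settings(order, gpo_settings):
    """Apply GPOs in processing order. Conflicting values are overwritten by
    the later GPO; non-conflicting values are aggregated."""
    result, source = {}, {}
    for gpo in order:
        for key, value in gpo_settings.get(gpo, {}).items():
            result[key] = value
            source[key] = gpo   # remember which GPO won, for auditing
    return result, source

SETTINGS = {  # constructed
    "Local":           {"ScreenLockSeconds": 1800},
    "Site-Baseline":   {"UpdateServer": "wsus.example.internal"},
    "Domain-Defaults": {"ScreenLockSeconds": 900, "RemovableStorage": "allow"},
    "Domain-Security": {"RemovableStorage": "deny"},
    "Workstations":    {"ScreenLockSeconds": 600},
    "Kiosk-Defaults":  {"RemovableStorage": "allow"},
    "Kiosk-Lockdown":  {"ScreenLockSeconds": 120},
}

ORDER = processing_order(
    local="Local",
    site=[(1, "Site-Baseline")],
    domain=[(1, "Domain-Security"), (2, "Domain-Defaults")],
    ou_chain=[[(1, "Workstations")],
              [(1, "Kiosk-Lockdown"), (2, "Kiosk-Defaults")]],
)
RESULT, SOURCE = resultant_settings(ORDER, SETTINGS)

if __name__ == "__main__":
    for key in sorted(RESULT):
        print(f"{key} = {RESULT[key]!r} (from {SOURCE[key]})")
```

In this sample the domain-level "deny" for RemovableStorage is overwritten by a GPO linked to the kiosk OU, which is the kind of conflict worth looking for when reviewing where a hardening setting is linked.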

Exceptions to the default order of processing settings

The default order for processing settings is subject to the following exceptions:

· A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.

· A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.

· An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.

· A computer that is a member of a workgroup processes only the local Group Policy object.

· Loopback may be enabled.

Have a nice weekend!

Stephanie B. Doakes