Group Policy Order of Precedence FAQ

I’ve had a few queries from friends about group policy since my last post so I thought why not answer these queries here on my blog? And, yes, a few of them were about group precedences, hence this short FAQ.

What is the order of precedence in group policy?

I’ve prepared an illustration which I hope will help you understand the order of precedence for Group Policy.

[Illustration: Group Policy order of precedence]

While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…

What is the order of precedence in an OU hierarchy?

GPOs linked to an organizational unit at the highest level in Active Directory are processed first, followed by GPOs that are linked to its child organizational unit, and so on. This means GPOs that are linked directly to an OU that contains the user or computer objects are processed last and hence have the highest precedence.

In the example below the “Add Local Admins” GPO will have precedence over the “Enable SCCM Ports” GPO since it is processed last and may therefore override the settings in the GPO higher up in the hierarchy.

[Screenshot: OU hierarchy with the “Enable SCCM Ports” and “Add Local Admins” GPOs]

What if several GPOs are linked to an OU?

If you have more than one GPO linked to an OU then the processing order of these GPOs is determined by what is known as the link order. The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc.

To confirm the link order open the GPMC console, select the OU you’re interested in and take a look at the Linked Group Policy Objects tab. Here’s an example:

[Screenshot: Linked Group Policy Objects tab for the OU]

In this case the DisableFirstLoginAnimation GPO will have precedence over the AddLocalAdmins GPO.
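The PowerShell equivalent of the Linked Group Policy Objects and Group Policy Inheritance tabs, as an added example (not code from the original post), uses the GroupPolicy module from RSAT. The OU distinguished name is an assumed placeholder; everything else is the module’s own `Get-GPInheritance` output:

```powershell
# Added example, not from the original post: read link order, inheritance, blocking and
# enforcement for one OU with the GroupPolicy module (RSAT or a domain controller).
# The OU path below is an assumed placeholder; replace it with your own.
Import-Module GroupPolicy

function Get-OuGpoOrder {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $inheritance = Get-GPInheritance -Target $OuDistinguishedName

    # GpoLinks: GPOs linked directly to this OU. Order is the link order (1 = highest precedence).
    $direct = $inheritance.GpoLinks | Sort-Object Order |
        Select-Object @{n = 'LinkOrder'; e = { $_.Order }}, DisplayName, Enforced, Enabled

    # InheritedGpoLinks: the effective list after inheritance, blocking and enforcement.
    # Here Order is the overall precedence (1 wins) and Target shows where each GPO is linked.
    $effective = $inheritance.InheritedGpoLinks | Sort-Object Order |
        Select-Object @{n = 'Precedence'; e = { $_.Order }}, DisplayName, Enforced, Target

    [pscustomobject]@{
        OU                  = $inheritance.Path
        InheritanceBlocked  = $inheritance.GpoInheritanceBlocked
        DirectLinks         = $direct
        EffectivePrecedence = $effective
        # The client applies GPOs in reverse precedence: the last name here is applied last and wins.
        ProcessingOrder     = @($effective | Sort-Object Precedence -Descending).DisplayName
    }
}

$report = Get-OuGpoOrder -OuDistinguishedName 'OU=Computers,OU=Workstations,DC=contoso,DC=local'
"OU: $($report.OU)  (inheritance blocked: $($report.InheritanceBlocked))"
$report.DirectLinks         | Format-Table -AutoSize
$report.EffectivePrecedence | Format-Table -AutoSize
'Processing order: ' + ($report.ProcessingOrder -join ' -> ')
```

This tells you what the directory says should apply. To confirm what actually landed on a given machine after a refresh, compare it with `gpresult /r /scope:computer` on that machine, or with `Get-GPResultantSetOfPolicy` from an admin workstation; a mismatch between the two lists usually points at a disabled link, a security filter, or a replication delay rather than at the precedence rules themselves.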

What about group policy inheritance and blocking?

GPOs linked to a domain, site or OU are inherited by child containers. Inherited GPOs are processed before the GPOs linked directly to the child container, and within each container the processing order is determined by the link order, as with multiple GPOs in an OU.

You can choose to block inheritance so that settings from a GPO applied in a parent OU, for example, will not be inherited by a child OU. Consider the following screenshot as an example before inheritance is blocked:

[Screenshot: Group Policy Inheritance tab for the Computers OU before inheritance is blocked]

As you can see the Computers OU is inheriting the AddLocalAdmins, Default Domain Policy and SCCM_Ports_IN GPOs from parent level containers.

Now, if we disable inheritance on this OU, the processing order is amended like so:

[Screenshot: Group Policy Inheritance tab for the Computers OU after inheritance is blocked]

As you can see, with inheritance blocked only the GPO linked directly to the OU is processed.

How does GPO enforcement work?

Simply put, enforcing a GPO means that the settings in the enforced GPO take precedence over conflicting settings in GPOs linked to child containers, and the enforced link is applied even where a child OU blocks inheritance.

Consider our previous example where we blocked inheritance on our Computers OU:

[Screenshot: Computers OU with inheritance blocked]

Now, if we enforce our Default Domain Policy GPO (as we should) then this policy will be “forced” to apply on the Computers OU regardless.

[Screenshot: Default Domain Policy enforced and applied on the Computers OU]
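To tie the four rules together (container level, link order, blocked inheritance, enforcement), here is an offline model of the precedence calculation as an added example. It is not code from the original post and does not talk to Active Directory; the site, domain, OUs, GPO names, link orders and settings are constructed sample data that mirror the screenshots above (a Workstations OU under the domain, a Computers OU under it with inheritance blocked, and the Default Domain Policy enforced). The Kiosk_Settings GPO and the setting names are invented for the demonstration. Local Group Policy is included because it is always applied first, before any domain GPO:

```powershell
# Added example, not from the original post: a model of how the Group Policy client orders GPOs.
# All containers, GPO names, link orders and settings are constructed sample data.

function New-GpoLink {
    param([string]$Name, [int]$Order, [switch]$Enforced, [hashtable]$Settings = @{})
    [pscustomobject]@{ Name = $Name; Order = $Order; Enforced = [bool]$Enforced; Settings = $Settings }
}

function Get-GpoPrecedence {
    # $Hierarchy lists containers from the top (site, domain) down to the OU holding the object.
    param([Parameter(Mandatory)][object[]]$Hierarchy)

    # Only the lowest container with "Block Inheritance" matters: non-enforced links above it are dropped.
    $blockIndex = -1
    for ($i = 0; $i -lt $Hierarchy.Count; $i++) {
        if ($Hierarchy[$i].BlockInheritance) { $blockIndex = $i }
    }

    $precedence = [System.Collections.Generic.List[object]]::new()   # highest precedence first

    # 1. Enforced links survive blocking and beat everything linked below them. An enforced link at a
    #    higher level beats an enforced link further down, and link order 1 beats link order 2.
    foreach ($container in $Hierarchy) {
        foreach ($link in ($container.Links | Where-Object Enforced | Sort-Object Order)) {
            $precedence.Add([pscustomobject]@{ Gpo = $link.Name; Container = $container.Name; Enforced = $true; Settings = $link.Settings })
        }
    }

    # 2. Non-enforced links: the target OU's own links first (link order 1 first), then each parent
    #    in turn, stopping at the container that blocks inheritance.
    for ($i = $Hierarchy.Count - 1; $i -ge 0; $i--) {
        if ($i -lt $blockIndex) { break }
        $container = $Hierarchy[$i]
        foreach ($link in ($container.Links | Where-Object { -not $_.Enforced } | Sort-Object Order)) {
            $precedence.Add([pscustomobject]@{ Gpo = $link.Name; Container = $container.Name; Enforced = $false; Settings = $link.Settings })
        }
    }

    # 3. Local Group Policy is applied before any domain GPO, so it has the lowest precedence.
    $precedence.Add([pscustomobject]@{ Gpo = 'Local Group Policy'; Container = 'Local computer'; Enforced = $false; Settings = @{} })
    return ,$precedence
}

function Resolve-GpoSetting {
    # The winner is the highest-precedence GPO that defines the setting, i.e. the last one applied.
    param([Parameter(Mandatory)]$Precedence, [Parameter(Mandatory)][string]$Setting)
    foreach ($entry in $Precedence) {
        if ($entry.Settings.ContainsKey($Setting)) {
            return [pscustomobject]@{ Setting = $Setting; Value = $entry.Settings[$Setting]; WinningGpo = $entry.Gpo; LinkedAt = $entry.Container }
        }
    }
    [pscustomobject]@{ Setting = $Setting; Value = $null; WinningGpo = '(not applied: blocked or undefined)'; LinkedAt = $null }
}

# Constructed hierarchy: site -> domain -> Workstations OU -> Computers OU (inheritance blocked).
$hierarchy = @(
    @{ Name = 'Site: Default-First-Site-Name'; BlockInheritance = $false; Links = @() }
    @{ Name = 'Domain: contoso.local'; BlockInheritance = $false; Links = @(
        (New-GpoLink 'Default Domain Policy' -Order 1 -Enforced -Settings @{ ScreenSaverTimeout = 900 })
        (New-GpoLink 'SCCM_Ports_IN'         -Order 2 -Settings @{ FirewallRule_SCCM = 'Allow' })
    )}
    @{ Name = 'OU: Workstations'; BlockInheritance = $false; Links = @(
        (New-GpoLink 'AddLocalAdmins' -Order 1 -Settings @{ LocalAdmins = 'CONTOSO\WS-Admins' })
    )}
    @{ Name = 'OU: Computers'; BlockInheritance = $true; Links = @(
        (New-GpoLink 'DisableFirstLoginAnimation' -Order 1 -Settings @{ EnableFirstLogonAnimation = 0 })
        (New-GpoLink 'Kiosk_Settings'             -Order 2 -Settings @{ EnableFirstLogonAnimation = 1; ScreenSaverTimeout = 3600 })
    )}
)

$precedence = Get-GpoPrecedence -Hierarchy $hierarchy

'Precedence (highest first):'
$n = 0
foreach ($entry in $precedence) {
    $n++
    $flag = if ($entry.Enforced) { ' [Enforced]' } else { '' }
    "  $n. $($entry.Gpo) ($($entry.Container))$flag"
}
'Processing order (applied first -> last; the last one applied wins):'
'  ' + (($precedence.ToArray()[-1..-($precedence.Count)] | ForEach-Object Gpo) -join ' -> ')

foreach ($setting in 'ScreenSaverTimeout', 'EnableFirstLogonAnimation', 'LocalAdmins', 'FirewallRule_SCCM') {
    Resolve-GpoSetting -Precedence $precedence -Setting $setting
}
```

With this sample data the precedence list is Default Domain Policy (enforced, from the domain), DisableFirstLoginAnimation, Kiosk_Settings and finally Local Group Policy; SCCM_Ports_IN and AddLocalAdmins are dropped by the block on the Computers OU. Consequently ScreenSaverTimeout resolves to 900 from the enforced Default Domain Policy even though Kiosk_Settings sets 3600 directly on the OU, EnableFirstLogonAnimation resolves to 0 because link order 1 beats link order 2, and LocalAdmins is reported as not applied. Flip the Enforced switch on the Default Domain Policy link and ScreenSaverTimeout becomes 3600, which is exactly the risk the post describes when inheritance is blocked without enforcing the domain policy.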


17 thoughts on “Group Policy Order of Precedence FAQ”

  1. I read 3 other articles, all longer than yours and each covered fewer scenarios, i.e. where does the local computer policy fit in the hierarchy?, or what good is enforcing a policy at the deepest OU (Windows 10 in your last example)? Easy to follow, short, and hits all the different scenarios. Great job!

  2. Simple question, do you have any FAQ, or any posts on how to do OU/GPO planning in a new work environment?
    With this I mean what policies you should have for which groups, and such stuff as naming policies etc.

  3. I had this very same question in an exam –> It wasn’t explained by the instructor–> had I read this, I’d have fully nailed it…

  4. “The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc.”

    At first sight, that sounds incorrect.

    I would say “The GPO with the smallest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc. As if the GPOs are executed from the bottom to the top of the list”.

    And you might want to spend a few lines on putting computer GPOs below or above user GPOs when it comes to performance optimisations.

    • I’d say the original statement is fine as is. The policy with the lowest link order value is processed last and therefore has the greatest precedence. It clearly notes as much following the dash, where it is clearly stated what precedence each link order value has. This precedence is actually due to a given policy being applied after any and all policies that have a higher link order value than it.

      I don’t see people mistaking the lowest (i.e. least) link order value with the “physically” lowest policy on the list either, because you can easily change how the listing is sorted based on the value of any of the columns given (in either ascending or descending order), but that resorting isn’t going to affect the order in which the policies are applied.

      For the record, the main reason the policies get applied in order from highest to lowest link value is that it’s simpler to have configuration values be overwritten by policies with higher precedence than to go in the opposite order and have the program responsible for applying policy “remember” whether a given setting has already been defined by policy or not. However, if you were instead trying to figure out how a specific setting would be configured based on the group policies applied to a given user, you’d actually want to start at the policy with the lowest link value and proceed to the next greater one until you found one that defined that setting, as that policy’s defined setting is the only one that matters.

  5. […] Group Policy link order dictates which Group Policy “wins” in the event of conflicting, non-merging policies. Imagine you have two “Password Policy” GPOs: one that requires users to change their password every 30 days, and one that requires users to change their password every 60 days. Whichever policy is higher in the precedence order is the policy that will “win”. The group policy client enforces this “win” condition by processing policies in reverse order of precedence, so the highest precedence policy is processed last, and “wins”. Luckily, you don’t need to worry about this for almost every abuse primitive. For more information, check out this blog post. […]

  6. Very good explanation thank you Naz. Not sure what kmeuleman is talking about. At first glance it’s very clear actually
