I’ve had a few queries from friends about group policy since my last post so I thought why not answer these queries here on my blog? And, yes, a few of them were about group precedences, hence this short FAQ.
What is the order of precedence in group policy?
I’ve prepared an illustration which I hope will help to understand the order of precedence for Group Policy.
While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…
What is the order of precedence in an OU hierarchy?
GPOs linked to an organizational unit at the top of the hierarchy are processed first, followed by GPOs linked to its child OU, and so on down the tree. GPOs linked directly to the OU that contains the user or computer object are therefore processed last and have the highest precedence: when two GPOs configure the same setting, the one processed last wins. (Site- and domain-linked GPOs are processed before the OU chain, so they sit below it in precedence.)
In the example below the “Add Local Admins” GPO, linked to the child OU, takes precedence over the “Enable SCCM Ports” GPO linked higher up: it is processed last, so any setting it configures overrides the same setting in the GPO above it. Settings that only one of the two GPOs configures are simply merged into the result.
What if several GPOs are linked to an OU?
If more than one GPO is linked to the same OU, the processing order of those GPOs is determined by the link order. The GPO with the highest link order number is processed first and the one with link order 1 is processed last, so link order 1 has the highest precedence, followed by link order 2, and so on.
To confirm the link order, open the GPMC console, select the OU you’re interested in and look at the Linked Group Policy Objects tab. Here’s an example:
In this case the DisableFirstLoginAnimation GPO will have precedence over the AddLocalAdmins GPO.
What about group policy inheritance and blocking?
GPOs linked to a site, domain or OU are inherited by all of that container’s child containers. Across levels the hierarchy decides: the closer a GPO’s link is to the user or computer object, the later it is processed and the higher its precedence. Within a single container the link order decides, as above. The Group Policy Inheritance tab in GPMC shows the combined precedence list for a container, inherited links included.
You can block inheritance on an OU so that GPOs linked to its parent containers (the domain and any OUs above it) are not applied to that OU or to the OUs beneath it. Consider the following screenshot, taken before inheritance is blocked:
As you can see the Computers OU is inheriting the AddLocalAdmins, Default Domain Policy and SCCM_Ports_IN GPOs from parent level containers.
Now, if we block inheritance on this OU, the processing order changes like so:
As you can see, with inheritance blocked only the GPO linked directly to the OU is processed. Keep the security implication in mind: blocking inheritance also drops any security baseline linked at the domain or at a parent OU unless that link is enforced, which is why OUs with blocked inheritance are worth auditing regularly.
How does GPO enforcement work?
Simply put, enforcing a GPO link (Enforced is a property of the link, not of the GPO itself) means that the settings in that GPO cannot be overridden by GPOs linked to child containers. Enforced links are processed after all non-enforced links, so they win any conflict, and they are applied even where a child OU blocks inheritance. If several links are enforced, the one highest in the hierarchy is processed last and takes precedence over the others.
Consider our previous example, where we blocked inheritance on our Computers OU:
Now, if we enforce the Default Domain Policy link at the domain (as we should), the policy is applied to the Computers OU regardless of the block, and its settings win over any conflicting settings in the GPOs linked directly to that OU. Note that precedence and enforcement only decide which GPO wins among those that apply; a GPO can still be excluded for a given user or computer by security filtering or a WMI filter on the GPO.
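To make the rules in the answers above concrete, here is a small model of how a client orders GPO links: hierarchy (parent before child), link order within a container, Block Inheritance and Enforced. It is an added example written for this post, not code from the original page or from Microsoft; the domain name, OU names and the settings each GPO carries are constructed for illustration, although the GPO names follow the screenshots. It replays all four combinations of blocking inheritance on the Computers OU and enforcing the Default Domain Policy link, and reports which GPO wins each setting.

```python
"""Model of Group Policy precedence: container hierarchy, link order, Block Inheritance
and Enforced links. Constructed example; domain, OUs and setting values are made up."""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    gpo: str
    order: int            # link order as shown on the GPMC Linked Group Policy Objects tab
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:
    name: str             # site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain):
    """chain lists containers from the top (site/domain) down to the OU holding the object.
    Returns (container, gpo) pairs in the order the client applies them; later entries win.
    The local GPO (always processed first, lowest precedence) is not modelled here."""
    normal = []                   # non-enforced links, parent first
    enforced_by_level = []        # one list per container, parent first
    for container in chain:
        if container.block_inheritance:
            normal = []           # drops the parents' non-enforced links; enforced ones survive
        # Higher link-order numbers are processed first, so link order 1 is applied last.
        own = sorted((l for l in container.links if l.enabled),
                     key=lambda l: l.order, reverse=True)
        enforced_by_level.append([(container.name, l.gpo) for l in own if l.enforced])
        normal.extend((container.name, l.gpo) for l in own if not l.enforced)
    # Enforced links are applied after every normal link, child level first, so the enforced
    # link highest in the hierarchy is applied last and wins even against other enforced links.
    order = list(normal)
    for level in reversed(enforced_by_level):
        order.extend(level)
    return order


def resultant_set(chain, settings):
    """Replay the processing order; for each setting the last GPO to write it wins.
    Returns {setting: (value, winning_gpo)}."""
    rsop = {}
    for _, gpo in processing_order(chain):
        for key, value in settings.get(gpo, {}).items():
            rsop[key] = (value, gpo)
    return rsop


# Constructed settings per GPO (GPO names follow the post; values are made up).
SETTINGS = {
    "Default Domain Policy": {"MinPasswordLength": 14, "LocalAdmins": "Domain Admins"},
    "SCCM_Ports_IN": {"FW_SCCM_Inbound": "allow"},
    "AddLocalAdmins": {"LocalAdmins": "Domain Admins;Helpdesk"},
    "DisableFirstLoginAnimation": {"FirstLogonAnimation": "off"},
}


def build_chain(block_computers=False, enforce_ddp=False):
    """Constructed hierarchy: corp.example domain -> Workstations OU -> Computers OU."""
    domain = Container("corp.example",
                       [GpoLink("Default Domain Policy", 1, enforced=enforce_ddp)])
    workstations = Container("OU=Workstations", [GpoLink("SCCM_Ports_IN", 1)])
    computers = Container("OU=Computers",
                          [GpoLink("DisableFirstLoginAnimation", 1),
                           GpoLink("AddLocalAdmins", 2)],
                          block_inheritance=block_computers)
    return [domain, workstations, computers]


if __name__ == "__main__":
    for block, enforce in [(False, False), (True, False), (True, True), (False, True)]:
        chain = build_chain(block_computers=block, enforce_ddp=enforce)
        print(f"block inheritance on Computers={block}, Default Domain Policy enforced={enforce}")
        print("  processing order:", [gpo for _, gpo in processing_order(chain)])
        for key, (value, gpo) in sorted(resultant_set(chain, SETTINGS).items()):
            print(f"  {key} = {value!r}  (from {gpo})")
```

Two things the model makes visible that the screenshots alone do not: with inheritance blocked and no enforcement, MinPasswordLength and the SCCM firewall rule silently disappear from the Computers OU, and once the Default Domain Policy link is enforced its LocalAdmins value beats the AddLocalAdmins GPO linked directly to the OU, even with no block in place. Compare the model’s output against gpresult /r or a Resultant Set of Policy report on a real machine to see the same ordering.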