Group Policy Order of Precedence FAQ

I’ve had a few queries from friends about group policy since my last post so I thought why not answer these queries here on my blog? And, yes, a few of them were about group precedences, hence this short FAQ.

What is the order of precedence in group policy?

I’ve prepared an illustration which I hope will help to understand the order of precedence for Group Policy.

[Illustration: Group Policy order of precedence]

While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…

What is the order of precedence in an OU hierarchy?

GPOs linked to an organizational unit at the highest level in Active Directory are processed first, followed by GPOs that are linked to its child organizational unit, and so on. This means GPOs that are linked directly to an OU that contains user or computer objects are processed last, and hence have the highest precedence.

In the example below the “Add Local Admins” GPO will have precedence over the “Enable SCCM Ports” GPO since it is processed last, potentially overriding the settings in the GPO higher up in the hierarchy.

[Screenshot: OU hierarchy with the “Enable SCCM Ports” and “Add Local Admins” GPOs]

What if several GPOs are linked to an OU?

If you have more than one GPO linked to an OU then the processing order of these GPOs is determined by what is known as the link order. The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc.

To confirm the link order open the GPMC console, select the OU you’re interested in and take a look at the Linked Group Policy Objects tab. Here’s an example:

[Screenshot: GPMC, Linked Group Policy Objects tab]

In this case the DisableFirstLoginAnimation GPO will have precedence over the AddLocalAdmins GPO.

What about group policy inheritance and blocking?

GPOs applied to a domain, site or OU are inherited by child containers. As with multiple GPOs in an OU, the processing order is determined by the link order.

You can choose to block inheritance so that settings from a GPO applied in a parent OU, for example, will not be inherited by a child OU. Consider the following screenshot as an example before inheritance is blocked:

[Screenshot: Computers OU, inherited GPOs before inheritance is blocked]

As you can see the Computers OU is inheriting the AddLocalAdmins, Default Domain Policy and SCCM_Ports_IN GPOs from parent level containers.

Now, if we disable inheritance on this OU, the processing order is amended like so:

[Screenshot: Computers OU with inheritance blocked]

As you can see only the GPO that is applied directly on the OU will be processed with the inheritance blocked.

How does GPO enforcement work?

Simply put, enforcing a GPO means that the settings in the enforced GPO take precedence over conflicting settings in GPOs linked to child containers, and the enforced GPO is applied even where a child container blocks inheritance.

Consider our previous example where we blocked inheritance on our Computers OU:

[Screenshot: Computers OU with inheritance blocked]

Now, if we enforce our Default Domain Policy GPO (as we should) then this policy will be “forced” to apply on the Computers OU regardless of the blocked inheritance.

[Screenshot: Computers OU with the Default Domain Policy enforced]
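To make the rules above concrete, here is an added example (not part of the original post) that models a container chain with link order, Block Inheritance and Enforced, and works out the processing order and the resulting setting values for the three situations shown in the screenshots. The GPO names echo the post; the “Computers_Settings” GPO, the domain name and the setting values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class GpoLink:
    name: str
    order: int                  # GPMC link order: 1 = highest precedence within the container
    enforced: bool = False
    settings: dict = field(default_factory=dict)  # setting -> value; a missing key is "Not Configured"

@dataclass
class Container:
    name: str
    links: list                 # GpoLink objects linked to this domain/OU
    block_inheritance: bool = False

def processing_order(chain):
    """chain lists containers top-down (domain, parent OU, ..., OU holding the object).
    Returns the GPO links in the order the client applies them; the last one applied wins."""
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Within one container the highest link-order number is applied first, link order 1 last
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            (enforced if link.enforced else normal).append((depth, link))
    # Block Inheritance on a container discards non-enforced links from every container above it
    block_depth = max((d for d, c in enumerate(chain) if c.block_inheritance), default=0)
    normal = [link for depth, link in normal if depth >= block_depth]
    # Enforced links survive blocking and are applied after everything else; the one linked
    # highest in the hierarchy is applied last, so a parent's enforced GPO beats a child's
    enforced.sort(key=lambda item: item[0], reverse=True)
    return normal + [link for _, link in enforced]

def effective_settings(order):
    """Last writer wins; a GPO that leaves a setting Not Configured does not clear an earlier value."""
    result = {}
    for link in order:
        result.update(link.settings)
    return result

def scenario(block_computers_ou, enforce_default_domain_policy):
    # Constructed hierarchy echoing the post's screenshots (domain name, settings and values are illustrative)
    ddp = GpoLink("Default Domain Policy", 1, enforce_default_domain_policy, {"ScreenSaverTimeout": 600})
    chain = [
        Container("corp.example (domain)", [ddp, GpoLink("SCCM_Ports_IN", 2, settings={"SccmPorts": "allow"})]),
        Container("Workstations OU", [GpoLink("AddLocalAdmins", 1, settings={"LocalAdmins": "IT-Helpdesk"})]),
        Container("Computers OU", [GpoLink("Computers_Settings", 1, settings={"ScreenSaverTimeout": 300})],
                  block_inheritance=block_computers_ou),
    ]
    order = processing_order(chain)
    return [link.name for link in order], effective_settings(order)

if __name__ == "__main__":
    for block, enforce in [(False, False), (True, False), (True, True)]:
        print(f"block={block} enforce={enforce}:", *scenario(block, enforce))
```

Running it shows the child OU's screensaver value winning in the normal case, only the directly linked GPO surviving once inheritance is blocked, and the enforced Default Domain Policy coming back last (and winning) once it is enforced.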

43 thoughts on “Group Policy Order of Precedence FAQ”

  1. I read 3 other articles, all longer than yours and each covered fewer scenarios, i.e. where does the local computer policy fit in the hierarchy?, or what good is enforcing a policy at the deepest OU (Windows 10 in your last example)? Easy to follow, short, and hits all the different scenarios. Great job!

  2. Simple question, do you have any FAQ or any posts on how to do OU/GPO planning in a new work environment?
    By this I mean what policies you should have for which groups, and such stuff as name policies etc.

  3. I had this very same question in an exam –> It wasn’t explained by the instructor–> had I read this, I’d have fully nailed it…

  4. “The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc.”

    At first sight, that sounds incorrect.

    I would say “The GPO with the smallest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc. As if the GPOs are executed from the bottom to the top of the list”.

    And you might want to spend a few lines on putting computer GPOs below or above user GPOs when it comes to performance optimisations.

    • I’d say the original statement is fine as is. The policy with the lowest link order value is processed last and therefore has the greatest precedence. It clearly notes as much following the dash, where it is clearly stated what precedence each link order value has. This precedence is actually due to a given policy being applied after any and all policies that have a higher link order value than it.

      I don’t see people mistaking the lowest (i.e. least) link order value with the “physically” lowest policy on the list either, because you can easily change how the listing is sorted based on the value of any of the columns given (in either ascending or descending order), but that resorting isn’t going to affect the order in which the policies are applied.

      For the record, the main reason the policies get applied in order from highest to lowest link value is because it’s simpler to have configuration values be overwritten by policies with higher precedence than to go in the opposite order and for the program responsible for applying policy to have to “remember” if a given setting has already been defined by policy or not. However, if you were instead trying to figure out how a specific setting would be configured based on the group policies applied to a given user, you’d actually want to start at the policy with the lowest link value and proceed to the next greater one until you found one that defined that setting, as that policy’s defined setting is the only one that matters.

  5. […] Group Policy link order dictates which Group Policy “wins” in the event of conflicting, non-merging policies. Imagine you have two “Password Policy” GPOs: one that requires users to change their password every 30 days, and one that requires users to change their password every 60 days. Whichever policy is higher in the precedence order is the policy that will “win”. The group policy client enforces this “win” condition by processing policies in reverse order of precedence, so the highest precedence policy is processed last, and “wins”. Luckily, you don’t need to worry about this for almost every abuse primitive. For more information, check out this blog post. […]

  6. Very good explanation thank you Naz. Not sure what kmeuleman is talking about. At first glance it’s very clear actually

  7. Great explanation. As a consultant who hasn’t focused on AD for a few years, this was a great refresher and hit the spot. Cheers!

  8. Applied Group Policy Objects
    —————————–
    Ha – General Users Settings
    Ha Users Settings – Outlook Auto Logon
    Local Group Policy

    What does Local Group Policy here mean? The local group policy on this computer or the local group policy of the domain controller? Could someone help? Thanks.

  9. Another instance of why overcomplicated and illogical security is a cause of security breaches. Combined with the fact GP is not searchable, it means that no security policy can ever be trusted to apply.

  10. How does GPO precedence work in relation to Desired State Configuration? Would GPO take precedence over DSC or would DSC take precedence over GPO?

  11. The text in the article is really confusing: “The GPO with the lowest link order will be processed last”
    If we are talking about the order, the lowest one is #2 because it’s the lowest in the list.
    If we are talking about score, the lowest one is #1.

    So if I didn’t know how it really works I would read it as “The GPO which is the lowest in the list would apply last”, which is wrong.

    Please reformulate.

  12. I really appreciated your explanation, it made a lot of sense. I do not know if this is possible BUT:
    Regarding order of precedence, can I get a user setting applied only on a specific computer? For example: if I have an enforced screensaver (user setting) on all domain workstations (OU), can I have some RDS servers in a different OU with a different user screensaver? With the result being that a person logs on to the domain via a workstation and the screen saver starts after x minutes, however the same user ID logs onto a terminal server (RDS) from the workstation with the screensaver and does not get the RDS session screensaver for the user, or no RDS session screensaver?

  13. “GPOs linked to an organizational unit at the highest level in Active Directory are processed first, followed by GPOs that are linked to its child organizational unit, and so on. This means GPOs that are linked directly to an OU that contains user or computer objects are processed last, hence has the highest precedence.”

    The policies are processed in the below order:

    1. Local
    2. Site
    3. Domain
    4. OU

    The precedence goes in the reverse order by default. This can be changed if you need a specific GPO to take precedence.

    That aside, great article.

  14. Great article! Will the GPO policy of link order 1 overwrite or simply add to what was in the GPO in spot 2? Or does that answer depend on what policy is in the GPO? For example, let’s say I want to allow only certain users to be able to RDP to certain servers. I create a GPO for this as link order #1 in an OU. Then in that same OU I create another policy that grants RDP permissions to some of the users scoped in GPO #1 and a few more people. I put this in a GPO and make it link order #1, there being applied second. Will it just stack on those permissions or replace them completely? It the GPO is referencing different IPS, it should stack correct?

    • That should read “I put this in a GPO and make it link order #2, there being applied second. Will it just stack on those permissions or replace them completely? If the GPO is referencing different IPS, it should stack correct?”

  15. Hi, I have a concern related to this topic.

    If some parameter in the Domain GPO is not set (not configured), will the Local GPO take precedence for this particular parameter if the parameter is configured in the local GPO?

    For example: if Wallpaper settings are not configured at the Domain GPO level but are configured in the Local GPO, will the local GPO take precedence for this particular setting?

  16. It’s still not clear to me. I have 2 questions.
    In the case of a GPO applied to an OU located inside another OU with another GPO applied, the GPO which is deeper in the OU structure will take precedence over the GPO higher in the OU hierarchy.
    Is that correct?

    And the 2nd one: is L S D OU Enforced the order from most to least important GPO to be applied?

    Thank you in advance.
    Chris
