Group Policy Processing Order

Group Policy Processing Order


In this video from ITFreeTraining, I will look at the order used when more than one Group Policy is applied. It is important for the administrator to understand this so they can make sure that the settings they intended to be applied to the user or computer are applied.

Download the PDF handout:

Group Policy Precedence
0:16 – When multiple Group Policies are applied, Group Policies applied at different parts of the domain and locally will have different precedence than other Group policies. Precedence essentially means they will overwrite previous policies if there is a conflict. At the top, you have Organization Units (OUs). A Group Policy applied to an OU will override all other Group Policies that have been applied before it. Child OUs have the most preference and will override the settings configured from the parent when there is any conflict. Next, we have the Group Policies that are applied at the Domain level. Group Policies that are applied at the OU level will override Domain settings; however, settings applied at the Domain level will override any other settings. The next level is Site. Settings applied at the OU and Domain level, will override the Group Policy settings at the Site level. Lastly, you have Local Group Policy. This is the weakest Group Policy as settings applied anywhere else will override the settings applied at Local Group Policy. So how is this achieved?

Group Policy Processing Order
1:22 – To accomplish this, Group Policy is simply applied in the reverse order. Local Group Policy is applied first. Any settings that are applied in Local Group Policy can be overwritten by any other Group Policy. Since OUs are applied last, any setting applied at the OU level can override any other settings applied at the Local, Site or Domain level.

Processing Wallpaper Example
1:51 – In this example, the user has configured the Local Group Policy to change the desktop wallpaper on the computer to a picture of a cat. When Group Policy is applied, the result will be the wallpaper on the computer will be changed to a picture of a cat. Although the desktop wallpaper image of the cat is quite cute, management has decided that they do not want this and would like to go for something more corporate. So at the Domain level a boring corporate wall paper is applied. This will override the local setting. In some cases, the administrator may want to further override the setting applied at the Domain. In this case, a desktop wallpaper is applied at the New York OU for all New York users. This will override the previous setting. In some cases, you may want to override the settings from a child OU. In this case, the Sales OU will apply a different wallpaper setting. This will override all other settings. You can see how Group Policy preference works where low preference Group Policy will be overwritten by higher preference Group Policy. But what happens when you have two or more Group Policies applied at the same level?

Multiple GPOs
3:00 – When multiple Group Policies exist at the same level, the precedence is determined by the Link Order. This can be configured in “Group Policy Management”. If I have a look at an example, you can see that three different Group Policies have been applied to the New York OU. To the left of the Group Policies is the Link Order. Like before, in order to ensure the Group Policy with the highest Link Order has the lowest precedence, the order the Group Policy is applied is reversed. To understand this better, consider the Link Order for the three Group Policies. So what would the processing order be for these Group Policies? It would be the reverse. Since the third Group Policy is applied first, this means that any setting in the second and first Group Policy can override the settings applied in that Group Policy.

User and Computer Settings
3:44 – The last point to consider is how the different parts of Group Policy work. Group Policy is divided into Computer Configuration and User Configuration. The computer side of Group Policy is applied during start up. Until this Group Policy is applied, the user will not be able to login. The user settings are applied when the user logs in. The user will not be given control of the desktop until the Group Policy settings have been applied.
 

References
“Group Policy processing and precedence” https://technet.microsoft.com/en-au/library/cc785665(v=ws.10).aspx

Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Companion Document: Phillip Guld https://philguld.com
Video Production: Kevin Luttman http://www.KevinLuttman.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk