gpo order precedence

Group Policy Processing Order (GPO Hierarchy)

by

In this article, I will explain the order in which group policies are applied to users and computers. Group Policy order of precedence determines the order in which GPOs are processed.

Group policy objects (GPOs) are processed in the following order:

  1. Local group policy
  2. GPOs linked to a site
  3. GPOs linked to the domain
  4. GPOs linked to an OU
  5. Child-OUs

Here is a diagram to help visualize the order of precedence for GPOs.

gpo order of precedence

What is important to remember is the GPO that is applied last wins. This means if two GPOs have conflicting settings the GPO applied last will overwrite the policy applied before it. Another way to think of the GPO process order is the closer the GPO is applied to a user or computer object the more precedence the GPO will have.

GPO Processing Order Example

In the screenshot below, I have two GPOs that are configured to set the lock screen. One is applied to the domain and one is applied to the OU. If they have conflicting settings the GPO applied to the OU will overwrite the one applied to the domain because it is applied last. It’s that simple.

What is the GPO processing order when multiple GPOs are linked to an OU or domain?

If you have more than one OU linked to an OU or domain then the processing order is determined by the link order.

In the group policy management console click on an OU, or the domain and you will see the GPO link order.

The larger the number the less precedence there is for the GPO. For example, in the screenshot above the PsExec Allow GPO has a link order of 1, so it will take precedence over the number 2 (Computer – Logon Banner) GPO, and so on. The lower the link order number the more precedence it has ( it sounds strange I know).

You can select a GPO and use the arrows to move a GPO up or down to change the link order.

What about GPOs applied to child OUs?

The closer the GPO is linked to an OU or computer, the more precedence for the GPO. In the example below, there is a screen lock GPO applied at the domain, at the ADPRO Computers OU, and in a child-OU called test. Which GPO will take precedence?

The “Lock Screen test” GPO will win. Its settings will be applied last and will overwrite any conflicting settings from the previously applied GPOs.