Group Policy Processing Order (GPO Hierarchy)

by Robert Allen

In this article, I will explain the order in which group policies are applied to users and computers. Group Policy order of precedence determines the order in which GPOs are processed.

Group policy objects (GPOs) are processed in the following order:

  1. Local group policy
  2. GPOs linked to a site
  3. GPOs linked to the domain
  4. GPOs linked to an OU
  5. GPOs linked to child OUs

Here is a diagram to help visualize the order of precedence for GPOs.

[Diagram: GPO order of precedence]

What is important to remember is that the GPO applied last wins. This means that if two GPOs have conflicting settings, the GPO applied last will overwrite the policy applied before it. Another way to think of the GPO processing order is that the closer the GPO is applied to a user or computer object, the more precedence the GPO will have.

GPO Processing Order Example

In the screenshot below, I have two GPOs that are configured to set the lock screen. One is applied to the domain and one is applied to the OU. If they have conflicting settings the GPO applied to the OU will overwrite the one applied to the domain because it is applied last. It’s that simple.

What is the GPO processing order when multiple GPOs are linked to an OU or domain?

If you have more than one GPO linked to an OU or domain, then the processing order is determined by the link order.

In the Group Policy Management Console, click on an OU or the domain and you will see the GPO link order.

The larger the number, the less precedence there is for the GPO. For example, in the screenshot above the PsExec Allow GPO has a link order of 1, so it will take precedence over the number 2 (Computer – Logon Banner) GPO, and so on. The lower the link order number, the more precedence it has (it sounds strange, I know).

You can select a GPO and use the arrows to move a GPO up or down to change the link order.

What about GPOs applied to child OUs?

The closer the GPO is linked to an OU or computer, the more precedence for the GPO. In the example below, there is a screen lock GPO applied at the domain, at the ADPRO Computers OU, and in a child-OU called test. Which GPO will take precedence?

The “Lock Screen test” GPO will win. Its settings will be applied last and will overwrite any conflicting settings from the previously applied GPOs.
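
The rules above (container order, link order, last applied wins) can be modelled in a few lines to check which GPO ends up supplying each setting. This is an added example, not code from the article or from any Microsoft tool: apart from "Lock Screen test", the GPO names, setting names and values are constructed, and treating `None` as Not Configured follows the behaviour described in the reader comments below. It models only the rules this article covers.

```python
from dataclasses import dataclass, field

# Containers in processing order: outermost first, closest to the object last.
LEVELS = ["local", "site", "domain", "ou", "child-ou"]

@dataclass
class Link:
    gpo: str
    level: str        # one of LEVELS
    link_order: int   # 1 = highest precedence within its container
    settings: dict = field(default_factory=dict)  # None = Not Configured

def processing_sequence(links):
    """Return the links in the order they are applied (last applied wins)."""
    # Inside one container the largest link order number is applied first,
    # so link order 1 is applied last and overrides the others.
    return sorted(links, key=lambda l: (LEVELS.index(l.level), -l.link_order))

def resultant_settings(links):
    """Return {setting: (value, winning GPO)} after every link is applied."""
    result = {}
    for link in processing_sequence(links):
        for name, value in link.settings.items():
            if value is None:
                continue  # Not Configured never overwrites an earlier value
            result[name] = (value, link.gpo)
    return result

# Constructed sample data; only "Lock Screen test" is a name from the article.
SAMPLE = [
    Link("Lock Screen test", "child-ou", 1,
         {"lock_timeout": 300, "block_control_panel": None}),
    Link("OU Baseline B", "ou", 2, {"banner": "B"}),
    Link("OU Baseline A", "ou", 1, {"lock_timeout": 600, "banner": "A"}),
    Link("Domain Lock Screen", "domain", 1,
         {"lock_timeout": 900, "block_control_panel": True}),
]

if __name__ == "__main__":
    for link in processing_sequence(SAMPLE):
        print(f"apply {link.level:<9} order {link.link_order}: {link.gpo}")
    for name, (value, gpo) in resultant_settings(SAMPLE).items():
        print(f"{name} = {value!r}  (from {gpo})")
```

Running it lists the links in the order they are applied and then, for each setting, the value that survives and the GPO it came from.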

12 thoughts on “Group Policy Processing Order (GPO Hierarchy)”

  1. great write up

    -A note for watching loopback settings & link order is a good gotcha to watch for. Loopback can be set by the policy and every policy after uses same loopback setting… thus ensure it is set on earlier policy OR set for every policy which is what I end up doing for environments with many admin cooks in same kitchen.

  2. …also, can I make a suggestion? In your ‘Link Order’ explanation, you currently have:

    “The higher the number the less precedence there is for the GPO.” This almost sounds like “higher” is the position in the list, which is not what you mean and is not true.

    My suggestion would be to change it to read:

    “The larger the number the less precedence there is for the GPO.” Now there’s no confusion about list position (lower or higher).

    HTH

  3. What about “Not Defined”? If one GPO enables a given setting, a higher precedence GPO with that same setting as ‘Not Defined’ wouldn’t override this, correct? It seems obvious that it wouldn’t, but I have never tested this. Our current GP structure isn’t very deep, so I’m not certain this scenario exists in our environment.

    • Do you mean “Not Configured”? If the GPO policy setting is not configured it will do nothing even if it has higher precedence.

      For example, I have a GPO linked at the domain level that blocks control panel access. I duplicated the GPO and changed the policy to not configured and linked it to an OU. This GPO has higher precedence but has no effect because the policy is set to not configured.
