In this article, I will explain the order in which group policies are applied to users and computers. Group Policy order of precedence determines the order in which GPOs are processed.
Group policy objects (GPOs) are processed in the following order:
- Local group policy
- GPOs linked to a site
- GPOs linked to the domain
- GPOs linked to an OU
- Child-OUs
Here is a diagram to help visualize the order of precedence for GPOs.
What is important to remember is the GPO that is applied last wins. This means if two GPOs have conflicting settings the GPO applied last will overwrite the policy applied before it. Another way to think of the GPO process order is the closer the GPO is applied to a user or computer object the more precedence the GPO will have.
GPO Processing Order Example
In the screenshot below, I have two GPOs that are configured to set the lock screen. One is applied to the domain and one is applied to the OU. If they have conflicting settings the GPO applied to the OU will overwrite the one applied to the domain because it is applied last. It’s that simple.
What is the GPO processing order when multiple GPOs are linked to an OU or domain?
If you have more than one OU linked to an OU or domain then the processing order is determined by the link order.
In the group policy management console click on an OU, or the domain and you will see the GPO link order.
The larger the number the less precedence there is for the GPO. For example, in the screenshot above the PsExec Allow GPO has a link order of 1, so it will take precedence over the number 2 (Computer – Logon Banner) GPO, and so on. The lower the link order number the more precedence it has ( it sounds strange I know).
You can select a GPO and use the arrows to move a GPO up or down to change the link order.
What about GPOs applied to child OUs?
The closer the GPO is linked to an OU or computer, the more precedence for the GPO. In the example below, there is a screen lock GPO applied at the domain, at the ADPRO Computers OU, and in a child-OU called test. Which GPO will take precedence?
The “Lock Screen test” GPO will win. Its settings will be applied last and will overwrite any conflicting settings from the previously applied GPOs.
The visuals are very helpful. Thank you!
Simple and nice explanation
Thanks
great write up
-A note for watching loopback settings & link order is a good gotcha to watch for. Loopback can be set by the policy and every policy after uses same loopback setting… thus ensure it is set on earlier policy OR set for every policy which is what I end up doing for environments with many admin cooks in same kitchen.
Hi Patrick. Loopback can defiantly be a gotcha.
…also, can I make a suggestion? In your ‘Link Order’ explanation, you currently have:
“The higher the number the less precedence there is for the GPO.” This almost sounds like “higher” is the position in the list, which is not what you mean and is not true.
My suggestion would be to change it to read:
“The larger the number the less precedence there is for the GPO.” Now there’s no confusion about list position (lower or higher).
HTH
I agree your suggestion is less confusing. I have updated the article. Thanks.
What about “Not Defined”? If one GPO enables a given setting, a higher precedence GPO with that same setting as ‘Not Defined’ wouldn’t override this, correct? It seems obvious that it wouldn’t, but I have never tested this. Our current GP structure isn’t very deep, so I’m not certain this scenario exists in our environment.
Do you mean “Not Configured”? If the GPO policy setting is not configured it will do nothing even if it has higher precedence.
For example, I have a GPO linked at the domain level that blocks control panel access. I duplicated the GPO and changed the policy to not configured and linked it to an OU. This GPO has higher precedence but has no effect because the policy is set to not configured.
Great explanation .. Keep it up…
🙂