Order of GPO application

    Question

  • 5 GPOs as per below. Client machine is located within OU1.

    GPO 1 - Domain Linked - Not Enforced
    GPO 2 - Domain Linked - Enforced
    GPO 3 - Site Linked - Enforced
    GPO 4 - OU Linked - Not Enforced
    GPO 5 - OU Linked - Enforced

    Which order are the GPOs applied in, beginning with the first that is actually applied against the machine?

    Have always understood GPO processing to be local, site, domain, OU, with the enforced policies being applied in reverse order, working their way back up from OU, Domain, Site, Local.

    With this in mind, wouldn't the order be:

    1, 4, 5, 2, 3

    ?

    Thanks.

    Wednesday, July 13, 2016 7:58 PM

Answers

All replies

  • That would be my understanding as well - except for being able to enforce a local GPO which I wouldn't know how to do.

    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    • Proposed as answer by Todd Heron Thursday, July 14, 2016 11:17 AM
    Wednesday, July 13, 2016 9:20 PM
  • Hi,

    Thanks for your post.

    In my opinion, the Enforce will not reverse the precedence of group policy.

    The function of Enforce is to force inheritance for the sub-item, even if the sub-item that the GPO links to is configured with Block inheritance.

    For example, there are a parent OU and a sub-OU. The GPO that is linked to the parent OU with Enforce will work on the sub-OU, even if the sub-OU is configured with Block inheritance.

    A GPO that is linked to the parent OU without Enforce will still work on the sub-OU when the sub-OU is not configured with Block inheritance.

    If the sub-OU is configured with Block inheritance and the GPO is linked to the parent OU without Enforce, the GPO linked to the parent OU will not work on the sub-OU.

    Best Regards,

    Jay



    Thursday, July 14, 2016 8:14 AM
    Moderator
  • > In my opinion, the Enforce will not reverse the precedence of group
    > policy.
     
    It WILL reverse. First from Domain to OU all normal GPOs, then from OU
    to domain all enforced ones.
     
    So 1/4/5/2/3 is correct.
     
     
    • Proposed as answer by Todd Heron Thursday, July 14, 2016 11:15 AM
    • Marked as answer by ex4111 Thursday, July 14, 2016 12:33 PM
    Thursday, July 14, 2016 10:41 AM
  • Martin, that's great, thank you for the confirmation.
    Thursday, July 14, 2016 12:33 PM
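
The ordering from the marked answer, combined with the Block inheritance behaviour described earlier in the thread, as a small model. This is an added example and not code from any participant; `Link`, `application_order` and `block_at_depth` are hypothetical names, the local GPO is left out because it has no link to enforce, and link order inside a single container is not modelled.

```python
from dataclasses import dataclass

# Link levels in normal processing order (local GPO omitted, see lead-in).
LEVELS = ["site", "domain", "ou"]

@dataclass(frozen=True)
class Link:
    gpo: str                # GPO display name
    level: str              # "site", "domain" or "ou"
    enforced: bool = False
    depth: int = 0          # OU nesting: 0 = top-level OU, 1 = its child, ...

def _rank(link):
    return (LEVELS.index(link.level), link.depth)

def application_order(links, block_at_depth=None):
    """Return GPO names in the order they are applied; the last one wins conflicts.

    block_at_depth: depth of the OU that has Block inheritance set (None = not set).
    """
    normal = [l for l in links if not l.enforced]
    enforced = [l for l in links if l.enforced]
    if block_at_depth is not None:
        # Block inheritance drops non-enforced links from above that OU.
        # Enforced links are never dropped.
        normal = [l for l in normal
                  if l.level == "ou" and l.depth >= block_at_depth]
    normal.sort(key=_rank)                   # site -> domain -> OU
    enforced.sort(key=_rank, reverse=True)   # OU -> domain -> site
    return [l.gpo for l in normal + enforced]

# The five links from the question (client machine in OU1, depth 0).
THREAD_LINKS = [
    Link("GPO 1", "domain"),
    Link("GPO 2", "domain", enforced=True),
    Link("GPO 3", "site", enforced=True),
    Link("GPO 4", "ou"),
    Link("GPO 5", "ou", enforced=True),
]

if __name__ == "__main__":
    print(application_order(THREAD_LINKS))
    print(application_order(THREAD_LINKS, block_at_depth=0))
```

With Block inheritance set on OU1, GPO 1 drops out of the list while the three enforced GPOs keep their positions at the end.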