Group Policy inheritance

    Question

  • In linked Group Policy objects, say you have two GPOs: one is named A (Default Domain Policy), the other B (with a single setting), and both are linked to the same OU. If A is enforced and is 1st in the precedence and B is not enforced and is 2nd in precedence, and both GPOs refer to the same setting, just with different lengths of screen timeout, which GPO would be 'dominant'? If the 'dominant' GPO is A, how would I stop it being dominant, so that B would be 'dominant' but other settings from A would still be inherited without issues?

    I am new to Group Policy, so excuse my ignorance.

    Thanks

    Zakmk96

    Tuesday, August 30, 2016 1:32 PM

Answers

  • Default domain policy would win in this case as it is enforced. As a best practice, you should rarely (if ever) use enforced GPOs. It doesn't make them apply any better than non-enforced GPOs. :)

    If the default domain policy wasn't enforced, GPO B would apply for that one setting.


    If my answer helped you, check out my blog: Deploy Happiness

    Tuesday, August 30, 2016 1:58 PM
  • Group Policy processing order is explained in this article https://msdn.microsoft.com/en-us/library/gg604584.aspx

    1. Local Policy
    2. Site
    3. Domain
    4. OU

    If you have multiple GPOs linked to the same OU (like your example), the link order is applied from the highest number to the lowest number. So the lowest number wins!

    The enforced GPO will always win even if it is applied first.

    That being said, if you enforce a GPO, it's not the whole GPO that is enforced but only the settings you have specified.

    For example, say GPO-B is enforced and only the screen timeout has been configured, to 15 min, and GPO-A is not enforced, with multiple settings including the screen timeout set to 20 minutes.

    GPO-A will be applied with all configured settings and GPO-B will enforce the configured settings only. So the winning GPO for the screen timeout will be GPO-B.


    This posting is provided AS IS without warranty of any kind

    Tuesday, August 30, 2016 2:11 PM
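The precedence rules from the answers above, modelled as an added Python example (not code from the thread or from Microsoft). The `GpoLink` class, the `min_password_length` setting and all values are constructed for illustration; the rule that, among several enforced links, the one highest in the hierarchy wins goes beyond what the thread states.

```python
from dataclasses import dataclass, field

# Container depth: processing runs Local -> Site -> Domain -> OU.
LEVELS = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class GpoLink:
    name: str
    level: str          # container the GPO is linked to
    link_order: int     # 1 = highest precedence within that container
    enforced: bool = False
    settings: dict = field(default_factory=dict)

def processing_order(links):
    """Return links in application order; later writes overwrite earlier ones."""
    # Normal pass: top of the hierarchy first, highest link-order number first.
    normal = sorted((l for l in links if not l.enforced),
                    key=lambda l: (LEVELS[l.level], -l.link_order))
    # Enforced links are applied last; the one highest in the hierarchy goes last of all.
    enforced = sorted((l for l in links if l.enforced),
                      key=lambda l: (-LEVELS[l.level], -l.link_order))
    return normal + enforced

def resultant_set(links):
    """Map each setting to (value, name of the winning GPO), merged per setting."""
    result = {}
    for link in processing_order(links):
        for key, value in link.settings.items():
            result[key] = (value, link.name)
    return result

def thread_scenario(a_enforced, b_enforced, b_first=False):
    """GPO A and GPO B linked to the same OU (constructed sample settings)."""
    a = GpoLink("A", "ou", 2 if b_first else 1, a_enforced,
                {"screen_timeout_min": 20, "min_password_length": 12})
    b = GpoLink("B", "ou", 1 if b_first else 2, b_enforced,
                {"screen_timeout_min": 15})
    return resultant_set([a, b])

if __name__ == "__main__":
    print("A enforced, A first:  ", thread_scenario(True, False))
    print("A enforced, B first:  ", thread_scenario(True, False, b_first=True))
    print("none enforced, B first:", thread_scenario(False, False, b_first=True))
    print("B enforced, A first:  ", thread_scenario(False, True))
```

In every case the settings that only A configures still come from A; only the conflicting setting changes hands.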

All replies

  • I can change the order of precedence; the issue is that the Default Domain Policy (A) is enforced. If I change the precedence order so B is applied first and A second, would that work?
    Tuesday, August 30, 2016 1:52 PM