In what order are Group Policies Applied?

    Question

  • Hi there,

    I use the Group Policy Management Console on SBS 2008. I've become quite familiar with how to change GP settings. Before I knew that best practice was NOT to change an existing GPO but to create new ones, I made many changes to the "Windows SBS User Policy". These mostly worked fine.

    I've since learned the best way to create new group policies is to right click on the domain and select "Create a GPO in this Domain and link it here".

    Now to my question:- In what order are Group Policies Applied? There are lots of different "groups" (if that’s the right word) such as..

    • Default Domain Controllers Policy
    • Default Domain Policy
    • Windows SBS Client - Windows XP Policy
    • Windows SBS User Policy etc.

    All of these allow the same parameters to be defined, but if you change a setting in one GPO the change does not appear in the others.

    e.g. to set a screen saver time out with password to unlock the screen (a common GPO) I changed the "Windows SBS User Policy" as follows:-

    "Windows SBS User Policy->User Config->Policies->Admin Templates->Control Panel->Display"

    I then set my timeout, define screensaver name, enable password required etc and this works fine.

    But then if I look at the same settings in a different GPO such as:-

    "Windows SBS Client - Windows XP Policy->User Config->Policies->Admin Templates->Control Panel->Display" all parameters say "Not configured".

    So, how does Group Policy know to use the parameters I've set in the "Windows SBS User Policy" GPO and not the settings in the "Windows SBS Client - Windows XP Policy" GPO which all say "Not configured"?

    Also, why did I change the "Windows SBS User Policy"? It’s obvious what some of the other policies do like the "Update services Client Computers" policy but there are loads of other policies. How do you know which ones to change? (Or would you always create new policy in the root by right clicking on the domain name and choosing "Create a GPO in this Domain and link it here"?)

    There seems to be plenty of documentation telling you how to create group policies to achieve various things but not much that tells you how they are applied and how they work.

    Any advice or links to some info that does explain more about this would be very much appreciated.

    Kind regards from UK - David

     

    Saturday, July 23, 2011 2:55 PM

Answers

  • By default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container.

    GPOs are processed in the following order:

    •     The local GPO is applied.
    •     GPOs linked to sites are applied.
    •     GPOs linked to domains are applied.
    •     GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units are applied.


    Note  The order in which GPOs are processed is significant because when policy is applied, it overwrites policy that was applied earlier.

     

    The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

    The policies are applied in the hierarchy --> Local machines, Sites, Domains and Organizational Units (LSDOU).

    More info: Group Policy processing and precedence

    http://technet.microsoft.com/en-us/library/cc785665%28WS.10%29.aspx

    Step-by-Step Guide to Understanding the Group Policy Feature Set
    http://technet.microsoft.com/en-us/library/bb742376.aspx


    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!


    Saturday, July 23, 2011 3:13 PM
  • Hello,

    GPOs are applied from users or computers only and must be linked to the Site, Domain, OU (NOT container) or SubOU where these are located in AD UC.

    The order of processing is described in: http://technet.microsoft.com/en-us/library/cc778890(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Saturday, July 23, 2011 3:19 PM
  • So, how does Group Policy know to use the parameters I've set in the "Windows SBS User Policy" GPO and not the settings in the "Windows SBS Client - Windows XP Policy" GPO which all say "Not configured"?


    Hi,

     

    Long story short, GPOs are applied in the order: local group policy, site, domain, organizational units. Also, the settings in the "Windows SBS User Policy" GPO are applied; the "Not configured" in the "Windows SBS Client - Windows XP Policy" GPO is ignored. You can run "gpresult /v" or collect the GPMC log to check which GPOs are applied to the clients.

     

    For your concern on how GPO works, please refer to the following link:

     

    How Core Group Policy Works

    http://technet.microsoft.com/en-us/library/cc784268(WS.10).aspx

     

    Also, please refer to:

     

    Best practices for Group Policy objects

    http://technet.microsoft.com/en-us/library/cc779168(WS.10).aspx

     

    Thanks.

    Nina


    Thursday, July 28, 2011 7:40 AM
    Moderator
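
A small model of the processing order described in the answers above, added here as an example; it is not part of the original thread and not Microsoft's implementation. The GPO names come from the question, while the link locations, the `Depth` field and the setting names and values are assumptions made for illustration.

```powershell
# Constructed sample data. A setting left "Not configured" is simply absent
# from a GPO's Settings table, so it has nothing to write when the GPO is applied.
$linkedGpos = @(
    [pscustomobject]@{ Name = 'Windows SBS Client - Windows XP Policy'   # assumed: linked to a child OU
                       Scope = 'OU'; Depth = 2; Settings = @{} }         # everything "Not configured"
    [pscustomobject]@{ Name = 'Windows SBS User Policy'                  # assumed: linked to a parent OU
                       Scope = 'OU'; Depth = 1
                       Settings = @{ ScreenSaverTimeout = 600; ScreenSaverIsSecure = 1 } }
    [pscustomobject]@{ Name = 'Default Domain Policy'
                       Scope = 'Domain'; Depth = 0
                       Settings = @{ ScreenSaverTimeout = 900 } }        # constructed value
    [pscustomobject]@{ Name = 'Local GPO'
                       Scope = 'Local'; Depth = 0; Settings = @{} }
)

function Resolve-EffectivePolicy {
    param([Parameter(Mandatory)][object[]]$Gpos)

    # LSDOU: Local, Site, Domain, OU. Within OUs, parents before children.
    $scopeRank = @{ Local = 0; Site = 1; Domain = 2; OU = 3 }
    $ordered   = $Gpos | Sort-Object -Property { $scopeRank[$_.Scope] }, Depth

    $effective = [ordered]@{}
    foreach ($gpo in $ordered) {
        foreach ($key in $gpo.Settings.Keys) {
            # A GPO applied later overwrites the value written by an earlier one.
            $effective[$key] = [pscustomobject]@{
                Setting    = $key
                Value      = $gpo.Settings[$key]
                WinningGpo = $gpo.Name
            }
        }
    }
    $effective.Values
}

# The OU-linked "Windows SBS User Policy" overrides the domain-level timeout,
# and the later, unconfigured XP policy leaves both values untouched.
Resolve-EffectivePolicy -Gpos $linkedGpos | Format-Table -AutoSize
```

On a real client, compare the model's answer with the applied GPO list reported by `gpresult /v`.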

All replies

  • In addition,

    LSDOU

    L: Local

    S: Site

    Do: Domain

    Ou: Organizational Unit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Thursday, July 28, 2011 10:56 AM