Getting Group Policy Object Precedence Right

Group Policy is the configuration management technology included in Microsoft Windows Server Active Directory. If you need to enable granular control of Windows and Windows Server settings, Group Policy is the go-to solution. But Group Policy can quickly get complicated because each Group Policy object (GPO) can have hundreds of settings for both users and computers, and multiple GPOs with possibly conflicting settings can be linked to a given Active Directory site, domain or organizational unit (OU). In this article, I’ll explain how to determine Group Policy precedence, so you can apply Group Policy correctly and ensure that required security policies are enforced.

Local Policy

Before we start talking about Group Policy, which gives system administrators the ability to centrally manage Windows settings, it’s worth knowing that all Windows devices have local policy. Where a setting is configured in both, the setting in a Group Policy object always supersedes the local policy setting. Therefore, in general, local policy should only be used to configure settings for devices that are not joined to an Active Directory domain.

Active Directory Group Policy

Group Policy objects need to be linked to an Active Directory site, domain or OU before they are applied to computers and users. GPOs are applied to the object they are linked to and all its child objects. For instance, a GPO linked to a site will also apply to objects in that site’s domains and OUs. GPOs linked to an organizational unit will apply to all objects in that OU and any child OUs.

To view or edit GPOs, use the Group Policy Management Console (GPMC) in the Tools menu of Server Manager. Group Policy object settings are organized in the same way as local policy, but an additional category, called Group Policy Preferences, provides extra settings that allow administrators to customize users’ environments.

Applying Group Policy to Sites

If you link a GPO to a site, its settings will apply to all objects in that site; the objects are said to fall into the GPO’s scope of management. More than one GPO can be linked to a given site, and those GPOs could have conflicting settings. In this case, you need to understand which settings will be applied. For example, if the same setting is configured differently in two or more GPOs that are all linked to a given site, which GPO will take precedence? The answer is the GPO with the smallest Link Order number. Link Order numbers show Group Policy precedence and govern Group Policy processing order.

To see the Link Order number of GPOs for a site, open GPMC and expand your Active Directory domain. Then take the following steps:

Step #1. Right-click on Sites and click Show Sites…

Step #2. In the Show Sites dialog, check the sites you want to see in GPMC and click OK.

Step #3. Expand Sites in GPMC. You will see all the sites you have configured in Active Directory. The default site is called Default-First-Site-Name, although it is possible to rename it.

Step #4. Click on one of the sites.


Figure 1. Checking the link order.

Step #5. Under the Linked Group Policy Objects tab, you will see a list of GPOs that are linked to the site. It may be that there are no linked GPOs. If there are any GPOs linked, you will see their Link Order numbers, which show the order of precedence. The higher the number, the lower the GPO’s precedence. For example, the settings in a GPO with a Link Order number of 2 always take precedence over settings in a GPO with a Link Order number of 3.

Step #6. To change a GPO’s Link Order number, click on the GPO and use the up and down arrows on the left to move it to the desired position in the list.

Applying Group Policy to Domains and Organizational Units

GPOs can be linked to domains and OUs in the same way that they can be linked to sites. The Default Domain Policy GPO is linked to each domain by default. GPOs linked to organizational units have the highest precedence, followed by those linked to domains. GPOs linked to sites always have the lowest precedence.

To understand which GPOs are linked to a domain or OU, click the domain or OU in GPMC and select the Linked Group Policy Objects tab. For a broader view, select the Group Policy Inheritance tab, which will show the GPOs linked to parent domains and OUs as well. GPOs with a smaller precedence number are processed last and take precedence over GPOs with higher numbers.


Figure 2. Checking the GPO precedence for GPOs linked to a domain or OU.

Don’t forget that GPOs linked to sites also apply to the site’s child objects and are applied as part of the processing order. However, GPOs linked to sites are not displayed in the Group Policy Inheritance tab, because GPMC doesn’t know which user and computer objects are located in a given AD site at a particular time.
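To make the precedence rules above concrete, the following added example (not code from the article or from Microsoft) models the processing order of local policy, site, domain and OU links with their Link Order numbers and shows which GPO ends up winning each conflicting setting. The GPO names, settings and values are constructed for illustration, and the model covers only the precedence rules described in this article.

```python
"""Model of the LSDOU precedence rules described above (constructed example).
The GPO applied last wins: Link Order 1 is applied last within a container, and
OU links override domain links, which override site links, which override local policy."""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    name: str
    link_order: int  # 1 = highest precedence within its container
    settings: dict = field(default_factory=dict)


def processing_order(local, site_links, domain_links, ou_chain):
    """GPOs in the order Windows applies them (first applied to last applied).

    ou_chain lists OU containers from the top-level OU down to the object's OU.
    Within a container, links run from the highest Link Order number down to 1."""
    order = [local]
    for container in [site_links, domain_links, *ou_chain]:
        order.extend(sorted(container, key=lambda g: g.link_order, reverse=True))
    return order


def resultant_settings(order):
    """Merge settings in processing order; returns (effective_settings, winning_gpo)."""
    effective, winner = {}, {}
    for gpo in order:
        for key, value in gpo.settings.items():
            effective[key] = value  # the last writer of each setting wins
            winner[key] = gpo.name
    return effective, winner


# Constructed sample links; GPO names and setting values are illustrative only.
LOCAL = GpoLink("Local Group Policy", 0, {"MinimumPasswordLength": 8, "AuditLogonEvents": "None"})
SITE_LINKS = [
    GpoLink("Site-Baseline", 1, {"AuditLogonEvents": "Success,Failure"}),
    GpoLink("Site-Legacy", 2, {"AuditLogonEvents": "Success", "ScreenSaverTimeout": 600}),
]
DOMAIN_LINKS = [GpoLink("Default Domain Policy", 1, {"MinimumPasswordLength": 14})]
OU_CHAIN = [[GpoLink("Workstations-Lockdown", 1, {"ScreenSaverTimeout": 300})]]

if __name__ == "__main__":
    order = processing_order(LOCAL, SITE_LINKS, DOMAIN_LINKS, OU_CHAIN)
    effective, winner = resultant_settings(order)
    print("Processing order:", " -> ".join(g.name for g in order))
    for key, value in effective.items():
        print(f"{key} = {value} (won by {winner[key]})")
```

Note that the two site GPOs conflict on AuditLogonEvents and the one with Link Order 1 wins, while the site-linked ScreenSaverTimeout is overridden by the OU link even though the Group Policy Inheritance tab would not list the site GPO.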

IT consultant and author specializing in management and security technologies. Russell has more than 15 years of experience in IT; he has written a book on Windows security and coauthored a text for Microsoft’s Official Academic Course (MOAC) series.