Group Policy can get very messy very fast especially in large organizations where there are hundreds of IT administrators and contractors that have created group policy objects over the years. So if you’re looking at a group policy and not understanding how it came into effect you wouldn’t be alone.
In this short article we will explain which GPO’s win when there’s a conflict and what order Group Policies are applied in.
There are two categories of precedences you need to be thinking about:
- GPO’s at different levels
- GPO’s in a given OU or Domain
1 – Which GPO Level Overrides Other GPO Levels?
This is called precedence, and you can see in the chart we built for you below that GPO’s at the OU level override GPO’s at the domain level, which override GPO’s at the site level which override a local GPO.
NOTE: A higher level GPO will only override a lower level GPO when they are in conflict, otherwise they will merge together to make the changes on the local computer as if they were all in one group policy.
2 – How To View The GPO Order In A Given OU or Domain or Site?
As you can see in the screenshot below group policies can be put into a numbered order and The highest number wins when there is a conflict.
Take for example a situation show in the screenshot below in which GPO number 1 “DEFAULT DOMAIN POLICY” had Windows Update policies in it but someone had also created a completely new GPO number 3 which also contained Windows Update policies:
In this case, GPO 1 (Default Domain Policy) will override GPO 3 “Windows Update Config For Server”, because 1 is above 3.
How To Change the GPO Order:
- Launch Group Policy Management,
- Click on the Domain or the Organizational Unit (OU) or Site containing the policy order you want to change
- Click on the Linked Group Policy Objects tab
- Click on the GPO you want to have a higher precedence or a lower precedence
- Use the arrow buttons on the left to move the GPO up or down in precedence priority
0 Comments