The majority of the work with Group Policy starts with the Group Policy Management Console (GPMC). Figure 1 shows the GPMC with the Default Domain Policy selected and the Default Domain Controllers Policy showing.
Tip
You can create and link Group Policy objects (GPOs) at the domain level, at any OU level, and at any site level within the GPMC. You can also back up and restore GPOs in the GPMC and analyze GPOs with the Group Policy Modeling and Group Policy Results tools.
2. Understanding Group Policy Order of Precedence
The following table shows the different levels where Group Policy can be applied.
| Group Policy Scope | Comments |
|---|---|
| Local Computer Policy | Applied first, and applies only to the local computer. Local computer policy settings are overwritten by any conflicting Group Policy settings from the domain. |
| Site | GPOs linked to a site apply to all computers and users in the site. There are no default site policies in a domain. |
| Domain | GPOs linked to a domain apply to all computers and users in the domain. Domains include a Default Domain Policy by default. |
| Organizational unit (OU) | GPOs linked to an OU apply to all computers and users in the OU. The Default Domain Controllers Policy applies to the Domain Controllers OU. When a server is promoted to a domain controller, it is automatically placed in the Domain Controllers OU. |
Tip
The most common use of site GPOs is to deploy applications on a per-site basis.
Note
Some use the initials LSDOU to help remember the order as Local, Site, Domain, and OU.
When multiple GPOs are applied to a single user or
computer, the settings in each of the GPOs are applied. If there is a
conflict between the GPOs, the last GPO applied wins in most situations.
Tip
The two exceptions to the "last GPO applied wins" rule are when a higher-level link is marked Enforced (its settings then override any lower-level GPO) or when loopback processing is enabled.
The order in which GPOs are applied is local, site, domain, OU.
Consider the following table, where a computer named Sales1 is joined to a domain, is located in the Virginia Beach site, and sits in an OU named Sales that has a GPO named Sales linked to it. For simplicity's sake, this table focuses only on the Control Panel setting and on deploying a sales application.
| Group Policy Name | Linked To | Setting |
|---|---|---|
| Local Group Policy | Sales1 computer (local, not linked) | Control Panel access is removed |
| Default Domain Policy | Domain | Control Panel access is granted |
| Sales GPO | Sales OU | Control Panel access is removed |
| Deploy Sales Application | Virginia Beach site | Deploys a Sales application |
Figure 2 shows the Sales OU with the precedence of both the Sales GPO and the Default Domain Policy.
Notice that there’s a conflict with the Control
Panel setting for the Sales1 computer. The local policy removes access,
the Default Domain Policy grants access, and the Sales GPO removes
access again. Because the last setting for the Control Panel was
applied by the Sales GPO, that’s the setting that takes precedence.
Tip
The simplest rule to remember is that by default,
the last GPO applied wins when there is a conflict. GPOs are applied in
the following order: local, site, domain, OU.
Note
When a conflict doesn’t exist, all GPO settings
apply. For example, the Sales application deploys to all users in the
Virginia Beach site.
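The following PowerShell reproduces the Sales1 scenario above and then reads the precedence back the way the GPMC computes it, including the Enforced exception. It is an added example, not code from the original chapter. The domain name contoso.com, the site DN for "Virginia Beach", the user CONTOSO\jdoe and the C:\temp report path are assumptions; the cmdlets are from the RSAT GroupPolicy and ActiveDirectory modules and must run on a domain-joined admin host.

```powershell
# Added example (not from the page). Assumptions: domain contoso.com, site
# "Virginia Beach", domain user CONTOSO\jdoe, report path C:\temp.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=contoso,DC=com'
$salesOU  = "OU=Sales,$domainDN"
$siteDN   = "CN=Virginia Beach,CN=Sites,CN=Configuration,$domainDN"

# Registry-backed form of User Configuration > Administrative Templates >
# Control Panel > "Prohibit access to Control Panel and PC settings"
# (1 = Enabled / access removed, 0 = Disabled / access granted).
$key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'NoControlPanel'

# 1. Containers and GPOs from the page's table (local policy excluded: it is
#    not a domain GPO and is set on Sales1 itself with gpedit.msc or LGPO.exe).
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ErrorAction SilentlyContinue
New-GPO -Name 'Sales' | New-GPLink -Target $salesOU -LinkEnabled Yes | Out-Null
New-GPO -Name 'Deploy Sales Application' | New-GPLink -Target $siteDN -LinkEnabled Yes | Out-Null

# 2. The conflicting Control Panel setting: domain grants, Sales OU removes.
#    Editing the Default Domain Policy only mirrors the page's scenario; in
#    practice put custom settings in a separate domain-linked GPO.
Set-GPRegistryValue -Name 'Default Domain Policy' -Key $key -ValueName $name -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name 'Sales' -Key $key -ValueName $name -Type DWord -Value 1 | Out-Null

# 3. Precedence for the Sales OU as the GPMC's Inheritance tab shows it.
#    Order 1 is applied last and therefore wins a conflict. Like the GPMC
#    tab, this list omits site-linked GPOs; read those from the site's gPLink.
(Get-GPInheritance -Target $salesOU).InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enforced, Enabled |
    Format-Table -AutoSize
(Get-ADObject -Identity $siteDN -Properties gPLink).gPLink

# 4. Enforced is the first exception to "last applied wins": enforcing the
#    domain link moves the Default Domain Policy to Order 1 for the Sales OU,
#    so Control Panel access would be granted despite the Sales GPO.
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes | Out-Null
(Get-GPInheritance -Target $salesOU).InheritedGpoLinks | Select-Object Order, DisplayName, Enforced
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced No | Out-Null   # undo

# 5. Resultant Set of Policy for a domain user logging on to Sales1; the HTML
#    report names the winning GPO for each setting.
Get-GPResultantSetOfPolicy -Computer 'Sales1' -User 'CONTOSO\jdoe' `
    -ReportType Html -Path 'C:\temp\Sales1-jdoe-rsop.html'

# On Sales1, in jdoe's own session, confirm the effective value after refresh:
#   gpupdate /force
#   gpresult /r /scope:user
#   Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoControlPanel
#   (expected 1 with the links as in the table; 0 while the domain link is Enforced)
```

Step 3 is the check to run before trusting a diagram: the Order column is the authoritative precedence, and a link that shows Enabled = False or that has been blocked by Block Inheritance on an intermediate OU simply does not appear where you expect it.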
The following table shows the result if a user logs on to the Sales1 computer.
| User Account Location | Result |
|---|---|
| User logs on with a local account. | Access to the Control Panel is removed. For a local account, the User Configuration settings of domain GPOs are not applied, so only the local Group Policy's user settings take effect. (The Computer Configuration settings of domain GPOs still apply to the domain-joined Sales1 computer regardless of who logs on.) |
| User logs on to Sales1 using a domain account. | Access to the Control Panel is removed. Users in this OU have three GPOs with a Control Panel setting applied. The local Group Policy removes the Control Panel, the Default Domain Policy grants access to it, and the Sales GPO (the last GPO applied) removes it again. |
In contrast, if a user logs on to a
different computer in the domain (such as in the Computers container or
another OU), the Control Panel would be present because access is
granted through the Default Domain Policy.