
Windows Server 2008 : Launching the Group Policy Management Console, Understanding Group Policy Order of Precedence

12/28/2013 1:52:38 AM

1. Launching the Group Policy Management Console

The majority of the work with Group Policy starts with the Group Policy Management Console (GPMC). Figure 1 shows the GPMC with the Default Domain Policy selected and the Default Domain Controllers Policy showing.

Figure 1. Group Policy Management Console with Default Domain Policy selected

Note

The only two default Group Policy objects in a domain are the Default Domain Policy (linked to the domain) and the Default Domain Controllers Policy (linked to the Domain Controllers OU).


You can launch the GPMC by clicking Start, Administrative Tools and selecting Group Policy Management. Expand the domain to view the Default Domain Policy. Expand the Domain Controllers OU to view the Default Domain Controllers Policy.

Tip

You can create and link Group Policy objects (GPOs) at the domain level, at any OU level, and at any site level within the GPMC. You can also back up and restore GPOs in the GPMC and analyze GPOs with the Group Policy Modeling and Group Policy Results tools.

2. Understanding Group Policy Order of Precedence

The following table shows the different levels where Group Policy can be applied.

| Group Policy Scope | Comments |
| --- | --- |
| Local Computer Policy | This is applied first, and it applies only to the local computer. Local computer policies are overwritten by any Group Policy settings in the domain. |
| Site | GPOs linked to a site apply to all computers and users in the site. There aren’t any default site policies in a domain. |
| Domain | GPOs linked to a domain apply to all computers and users in the domain. Domains include a Default Domain Policy by default. |
| Organizational unit (OU) | GPOs linked to an OU apply to all computers and users in the OU. The Default Domain Controllers Policy applies to the Domain Controllers OU. When a server is promoted to a domain controller, it is automatically placed in the Domain Controllers OU. |

Tip

The most common use of site GPOs is to deploy applications on a per-site basis.

Note

Some use the initials LSDOU to help remember the order as Local, Site, Domain, and OU.


When multiple GPOs are applied to a single user or computer, the settings in each of the GPOs are applied. If there is a conflict between the GPOs, the last GPO applied wins in most situations.

Tip

The two exceptions to the “last GPO applied wins” rule are when a higher-level setting is enforced or loopback processing is enabled.


The order in which GPOs are applied is:

  • Local computer policy

  • Site GPOs

  • Domain GPOs

  • OU GPOs (parent OUs first and child OUs last)

Consider the following table, where a computer named Sales1 is joined to a domain, located in the Virginia Beach site, and placed in an OU named Sales. For simplicity's sake, this table focuses only on the Control Panel setting and on deploying a sales application.

| Group Policy Name | Linked To | Setting |
| --- | --- | --- |
| Local Group Policy | Sales1 computer | Control Panel access is removed |
| Default Domain Policy | Domain | Control Panel access is granted |
| Sales GPO | Sales OU | Control Panel access is removed |
| Deploy Sales Application | Virginia Beach site | Deploys a Sales application |

Figure 2 shows the Sales OU with the precedence of both the Sales GPO and the Default Domain Policy.

Figure 2. Group Policy Management Console showing precedence of GPOs

Notice that there’s a conflict with the Control Panel setting for the Sales1 computer. The local policy removes access, the Default Domain Policy grants access, and the Sales GPO removes access again. Because the last setting for the Control Panel was applied by the Sales GPO, that’s the setting that takes precedence.

Tip

The simplest rule to remember is that by default, the last GPO applied wins when there is a conflict. GPOs are applied in the following order: local, site, domain, OU.


Note

When a conflict doesn’t exist, all GPO settings apply. For example, the Sales application deploys to all users in the Virginia Beach site.


The following table shows the result if a user logs on to the Sales1 computer.

| User Account Location | Result |
| --- | --- |
| User logs on locally. | Access to the Control Panel is removed. If the user is logged on to the computer locally, domain Group Policy settings are not applied. |
| User logs on to Sales1 computer using a domain account. | Access to the Control Panel is removed. Users in this OU have three GPOs applied. The local Group Policy removes the Control Panel. The Default Domain Policy grants access to the Control Panel, and the Sales GPO (the last GPO applied) removes it. |

In contrast, if a user logs on to a different computer in the domain (such as in the Computers container or another OU), the Control Panel would be present because access is granted through the Default Domain Policy.
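The precedence rules above, worked through for the Sales1 example as an added Python model (not code from the original page, and not a Microsoft tool). The `Gpo` class and the function names are hypothetical; the model also covers the enforced exception from the tip, assuming an enforced link overrides lower-level GPOs and the highest-level enforced link wins. Loopback processing is not modeled.

```python
from dataclasses import dataclass

# Processing order from the page: Local, Site, Domain, OU (LSDOU).
LEVELS = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class Gpo:                      # hypothetical model of one linked GPO
    name: str
    level: str                  # one of LEVELS
    settings: dict
    enforced: bool = False
    ou_depth: int = 0           # OU links only: 0 = parent OU, larger = child OU

def processing_order(gpos, domain_logon=True):
    """Return the GPOs in the order they are applied (last applied wins)."""
    if not domain_logon:
        # Per the page: on a local logon, domain Group Policy is not applied.
        gpos = [g for g in gpos if g.level == "local"]
    rank = lambda g: (LEVELS[g.level], g.ou_depth)
    normal = sorted((g for g in gpos if not g.enforced), key=rank)
    # Enforced links are written after all others, highest level last,
    # so a lower-level GPO cannot override them (modeling assumption).
    enforced = sorted((g for g in gpos if g.enforced), key=rank, reverse=True)
    return normal + enforced

def resultant_settings(gpos, domain_logon=True):
    """Map each setting to (value, name of the GPO that won)."""
    result = {}
    for gpo in processing_order(gpos, domain_logon):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

def sales1_gpos(enforce_domain=False):
    """The four GPOs from the Sales1 table on this page."""
    return [
        Gpo("Local Group Policy", "local", {"Control Panel": "removed"}),
        Gpo("Default Domain Policy", "domain", {"Control Panel": "granted"},
            enforced=enforce_domain),
        Gpo("Sales GPO", "ou", {"Control Panel": "removed"}),
        Gpo("Deploy Sales Application", "site", {"Sales application": "deployed"}),
    ]

if __name__ == "__main__":
    for setting, (value, winner) in resultant_settings(sales1_gpos()).items():
        print(f"{setting}: {value} (from {winner})")
```

Calling `resultant_settings(sales1_gpos(enforce_domain=True))` shows how enforcing the Default Domain Policy reverses the Control Panel outcome for the Sales OU.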
