GPO processing order and precedence

The processing order of Group Policies effects what settings are applied to the end user or computer.  The Local computer policy is first processed and then Active Directory policies from  Site level to Domain, then into OU. The result means that in the event of any conflicts, the last applied policy will take effect.

This processing order is know as LSDOU: Local, Site, Domain, Organization Unit.

In the example below, the  Computer GPO in the computer OU will have a higher preference over the WSUS GPO linked to the Domain,  and the WSUS GPO will have higher preference then any GPO linked to the site, and so on.

In an OU with two or more GPOs the processing order is controlled by what is known as Link Order. The GPO are process from highest number to lowest, so the the GPO with a link order of 1 will be process last thus it’s setting taking precedence.

In the above example, the computer’s local policy will be processed, then any policies in the Site will be processed, followed by Default Domain & WSUS policy, Power settings GPO (Link Order 2) and finally the Computer WSUSGPO GPO processed (link order 1)

The order in which GPOs are processed can be also view by the command GPRESULT /R,  the GPO at the top takes precedence over and will have it’s setting applied in any conflict.

To change the link order of a GPO this can be done through the GPMC or powershell.

In GPMC click on the OU, then in the Linked Group Policy Objects tab, select the GPO and click the up or down buttons.

To change the link order via powershell

Set-GPLink -Name "Computer WSUS" -Target "ou=Computers,ou=HQ,dc=company,dclocal" -Order 1

Leave a Reply

Your email address will not be published. Required fields are marked *