No announcement yet.

GPO conflicts , Right concept?

  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO conflicts , Right concept?


    I am reading few documents now a days and also reading a chapter from windows 2008 book. It mentioned that group policies are evaluated in following order:
    1. OU
    2. Site
    3. Domain

    Thats mean GP on OU will process first than site one and than Domain.. right?

    Reading topic on this forum i found this:

    Working with Group Policy

    Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO

    Thats means Site GPO will process first .. right?

    Two different statments if I am not wrong .. ?

    My problem:
    I have a OU with name New York and I have group policy York policy that contains proxy settings as automatic detect.

    Under New york OU i have servers OU and have a gpo York Server which contains proxy as manual and pointing it to a web address.

    When i am doing a gpresult the York Policy is winning and computers are taking automatic detect settings.

    After mentioned by Petri:

    The rule is simple, as more you get closer to the object that is being configured, the GPO is stronger.

    My manual proxy setting gpo is linked to the servers OU and closer to the computers which are under server OU but its not winning.

    All i want is that computers under York server should get manual address of proxy.

    I hope i explain it well but if not please let me know and i will try again.

    Last edited by capricorn; 7th August 2011, 00:01.

  • #2
    Re: GPO conflicts , Right concept?

    Your first example is totally the wrong way around, I'm afraid.

    Order of processing is (and has always been) L S D Ou

    Local policy first
    Site next
    Then Domain
    Finally OU, Sub OU etc.

    Last applied wins.
    Two exceptions:
    Enforce causes earlier policy to win
    Block stops all earlier policies reaching an OU (except local policy, which is at the computer level, but rarely used)

    The way you have set it up should work, but make sure the higher policy is not enforced
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: GPO conflicts , Right concept?

      Thanks for your reply.

      I am copying the lines from the book. May be I am getting the wrong concept so help me with that.

      Order of Precedence
      You can link multiple GPOs at once to a domain, site, or OU. So how do you know which group policy
      will actually affect the computer or user? We need to discuss the order of precedence when evaluating
      group policies. To start off, you need to understand where a group policy can be linked. Group policies
      are evaluated in the following order:
      1. OU
      2. Site
      3. Domain
      If you have a policy linked at the domain level and another linked at the site level, the site GPO
      settings will take precedence. The same holds true for group policies linked at an OU; conflicting
      entries from the OUís GPO will take precedence over those set at the domain and site levels.

      With my Problem:

      I have checked and the group policy on OU New York is not in enforced.

      Is there any other way I can see why its winning?



      • #4
        Re: GPO conflicts , Right concept?

        "All i want is that computers under York server should get manual address of proxy."

        This is what I think about this.You want computers under New York OU to have the proxy GPO right? Proxy settings is under User Configuration. So I think the conflict is that Computers are the one's under New york OU not users. I think you need to enable loopback processing,if you want the Computer to get the proxy GPO regardless of who logs in.

        Please Ingnore this reply if Im not making sense and not in the same page with you.. THanks
        Last edited by NonoRonuel; 6th September 2011, 09:35.
        There is only one way to find Out..Its to try it and/or Do it...