GPO order precedence

  • GPO order precedence

    I'm sure I'm on the right track, but I'm obviously missing something.

    GPOs are applied in order of priority: Local system, Domain, OU.
    So a policy applied at OU level should override a policy at Domain level, unless the domain-level policy is enforced, in which case the Domain policy would take effect.

    However, I would then think that if you enforce an OU level policy, it would take precedence over the enforced Domain level policy?

    Further scenario:
    Two Windows Firewall policies. One is configured to force Firewall off. The other, configured to force firewall on.

    firewall_On is linked to the domain root and enforced.
    firewall_off is linked to Domain\Offsite OU and enforced.

    When I run modelling, it tells me that the Domain-level enforced policy overrides.

    Do I need to turn on Block Inheritance or similar?
    Please do show your appreciation to those who assist you by leaving Rep Point

  • #2
    Re: GPO order precedence

    Two things:

    1. Enforced trumps Block Inheritance.

    2. This article seems to suggest that in your scenario (two GPOs being enforced) the GPO furthest from the client takes precedence.

    From the article:

    The Enforce setting is a property of the link between an Active Directory container and a GPO. It is used to force that GPO to all Active Directory objects within a container, no matter how deeply they are nested. The settings within a GPO that is enforced override other settings that would prevail because they are applied later. If there are conflicting settings in GPOs that are enforced at two levels of the hierarchy, the setting enforced furthest from the client prevails. This is a reversal of the usual rule, in which the setting from the nearest-linked GPO would prevail.
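
The rule in the quoted article (last-applied wins; Enforced links are reapplied after everything else, nearest container first; Block Inheritance drops only the non-enforced links of parent containers) as a small PowerShell model that can be run offline. This is an added example, not code from the thread or from Microsoft, and it does not need the GroupPolicy module; the container names, the two GPO names and the FirewallEnabled setting are made up for the scenario in the first post.

```powershell
# Added example, not from the thread. Models which GPO wins for a client in
# an OU, following the rule quoted from the article:
#   - links are applied from the container furthest from the client (Site,
#     Domain, OU, sub-OU) to the nearest, and the last one applied wins;
#   - within one container, GPMC link order 1 is applied last and so wins;
#   - Block Inheritance on a container discards the non-enforced links of
#     every container above it, but not the enforced ones;
#   - Enforced links are applied after all non-enforced links, nearest
#     container first, so the enforced link furthest from the client lands
#     last and wins any conflict.
# Container names, GPO names and the FirewallEnabled setting are made up.

function Get-GpoApplyOrder {
    param([Parameter(Mandatory)] [object[]] $Containers)   # furthest first

    # Returns the links of one container with the requested Enforced value,
    # lowest precedence first, so that link order 1 is emitted last.
    $pick = {
        param($Container, [bool] $Enforced)
        $links = @($Container.Links | Where-Object { ([bool]$_.Enforced) -eq $Enforced })
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            [pscustomobject]@{
                Container = $Container.Name
                Gpo       = $links[$j].Gpo
                Enforced  = $Enforced
            }
        }
    }

    $order = @()
    # Pass 1: non-enforced links, furthest container first. Skipped for a
    # container when any container nearer the client blocks inheritance.
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        $blockedBelow = @($Containers | Select-Object -Skip ($i + 1) |
                          Where-Object { $_.BlockInheritance }).Count -gt 0
        if (-not $blockedBelow) { $order += @(& $pick $Containers[$i] $false) }
    }
    # Pass 2: enforced links, nearest container first, furthest last.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $order += @(& $pick $Containers[$i] $true)
    }
    return $order
}

# Walks the apply order and reports the last GPO that configures $Setting.
function Resolve-GpoSetting {
    param([object[]] $ApplyOrder, [hashtable] $Gpos, [string] $Setting)
    $winner = $null
    foreach ($entry in $ApplyOrder) {
        if ($Gpos[$entry.Gpo].ContainsKey($Setting)) { $winner = $entry }
    }
    return $winner
}

# Constructed data for the thread's scenario: firewall_On enforced at the
# domain, firewall_off enforced at the Offsite OU.
$Gpos = @{
    firewall_On  = @{ FirewallEnabled = $true }
    firewall_off = @{ FirewallEnabled = $false }
}
$Containers = @(
    @{ Name = 'Site';    BlockInheritance = $false; Links = @() }
    @{ Name = 'Domain';  BlockInheritance = $false; Links = @(@{ Gpo = 'firewall_On';  Enforced = $true }) }
    @{ Name = 'Offsite'; BlockInheritance = $false; Links = @(@{ Gpo = 'firewall_off'; Enforced = $true }) }
)

$order = Get-GpoApplyOrder -Containers $Containers
$order | Format-Table Container, Gpo, Enforced
$w = Resolve-GpoSetting $order $Gpos 'FirewallEnabled'
"Both enforced: $($w.Gpo) at $($w.Container) wins, FirewallEnabled = $($Gpos[$w.Gpo].FirewallEnabled)"

# Stop enforcing the domain link: the OU link is now applied after it and wins.
$Containers[1].Links[0].Enforced = $false
$w = Resolve-GpoSetting (Get-GpoApplyOrder -Containers $Containers) $Gpos 'FirewallEnabled'
"Domain link not enforced: $($w.Gpo) at $($w.Container) wins, FirewallEnabled = $($Gpos[$w.Gpo].FirewallEnabled)"

# Block Inheritance on the OU instead does not help: it only drops the
# domain's non-enforced links, and an enforced domain link still wins.
$Containers[1].Links[0].Enforced = $true
$Containers[2].BlockInheritance = $true
$w = Resolve-GpoSetting (Get-GpoApplyOrder -Containers $Containers) $Gpos 'FirewallEnabled'
"Domain enforced + OU blocks inheritance: $($w.Gpo) at $($w.Container) wins"
```

The third case is the point of "Enforced trumps Block Inheritance": blocking inheritance on the OU only strips the domain's non-enforced links, so it cannot be used to get round an enforced domain link. The only things that change the outcome are removing Enforce at the domain or removing the domain link itself.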


    • #3
      Re: GPO order precedence

      I wasn't using block-inheritance, although that was going to be my next step.... it seemed like it would be more administration to link multiple GPOs to the sub OUs.

      So instead, I removed the enforce rule at domain level and now things are working the way they should.

      Thanks for your help.

      It is a bit counter-intuitive though, isn't it?
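
The scenario from the first post and the fix described above, reproduced with the GroupPolicy module cmdlets and checked with Get-GPInheritance. This is an added example, not the poster's commands; the domain DN, the Offsite OU path and the computer name are assumptions, and the two GPOs are assumed to already exist. Run it from a machine with the RSAT Group Policy tools or on a domain controller, with rights to link GPOs.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT
# or a domain controller). The DN, OU path, computer name and report path
# are assumptions; the GPOs firewall_On and firewall_off must already exist.
Import-Module GroupPolicy

$domainDn  = 'DC=corp,DC=example'          # assumed
$offsiteOu = "OU=Offsite,$domainDn"        # assumed

# Link both GPOs the way the original poster did: both enforced.
New-GPLink -Name 'firewall_On'  -Target $domainDn  -Enforced Yes
New-GPLink -Name 'firewall_off' -Target $offsiteOu -Enforced Yes

# Prints every link that reaches the OU in precedence order, with its
# Enforced flag, so the enforced domain link can be seen sitting above the
# OU's own enforced link.
function Show-GpoPrecedence([string] $Target) {
    (Get-GPInheritance -Target $Target).InheritedGpoLinks |
        Format-Table Order, DisplayName, Enforced, Target -AutoSize
}
Show-GpoPrecedence $offsiteOu

# The fix used in the thread: keep the domain link, stop enforcing it.
Set-GPLink -Name 'firewall_On' -Target $domainDn -Enforced No
Show-GpoPrecedence $offsiteOu

# Confirm on a member of the Offsite OU (computer name assumed): refresh
# computer policy, write an RSoP report, and read the live firewall state.
$computer = 'OFFSITE-PC01'                  # assumed
Get-GPResultantSetOfPolicy -Computer $computer -ReportType Html -Path "$env:TEMP\rsop-$computer.html"
Invoke-Command -ComputerName $computer -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    Get-NetFirewallProfile | Select-Object Name, Enabled
}
```

Get-GPInheritance is the quick check: InheritedGpoLinks shows, in precedence order, every link that reaches the OU and whether each is enforced, which is what the modelling wizard was reporting. One caveat before copying the fix: an enforced domain link is normally there so that nobody below the domain can switch the firewall off. Once Enforce is removed from it, any OU link (enforced or not) overrides it, so a delegated OU administrator can turn the firewall off for the machines they manage. If that is not acceptable, the alternative is to scope the firewall_On link so it does not cover the Offsite OU (for example by security filtering) rather than un-enforcing it.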


      • #4
        Re: GPO order precedence

        Glad to help.

        It is counter-intuitive, but it's Microsoft, so go figure.


        • #5
          Re: GPO order precedence

          In general, make sure only one enforced GPO is applied.

          ISTR (from some ancient training course) that enforcement just reapplies GPOs after others have finished, so reapplying in reverse order would give the behaviour you saw -- and explain how your solution worked.
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd

          ** Remember to give credit where credit is due and leave reputation points where appropriate **