GPOs

I had an interesting conversation the other day about GPOs and their precedence order.  This is often a confusing topic, and it led me to review it on TechNet for my own benefit.

GPOs are applied on a 'whoever writes last wins' basis: when two GPOs contain conflicting settings, the GPO that is processed later takes precedence over the one processed earlier.

Within a single container, GPO links are applied in reverse link order.  The link with Link Order 1 is processed last and therefore has the highest precedence among the GPOs linked to that site, domain or OU.  To change the precedence of a link, move it up or down in the Linked Group Policy Objects list for the container; again, the link with the highest order (1 being the highest) wins a conflict with the other links on that same container.

Group Policy settings are processed in the following order:

  1. Local Group Policy object—Each computer has a Group Policy object that is stored locally, and it is processed for both computer and user Group Policy processing.  (Windows Vista and later also support per-group and per-user local GPOs, which are processed after the computer-wide local GPO but still before any site, domain or OU GPO.)
  2. Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  3. Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  4. Organizational units—GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on.  Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.  At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked.  If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC.  The GPO with the lowest link order is processed last, and therefore has the highest precedence.
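The ordering above is easiest to see on a real object.  The script below is an added example, not code from the original post: it walks from the domain down to the OU that holds a computer account, prints the raw link order on each container, and then prints the effective precedence that GPMC works out for that OU, followed by the reverse of that list, which is the order the client actually applies the GPOs in.  It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the computer name `WS-KIOSK01` and the OU layout are hypothetical.

```powershell
# Added example (not from the original post). Shows raw link order per container
# versus the effective precedence for one computer's OU.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules; names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computerName = 'WS-KIOSK01'                                   # hypothetical host
$objectDn = (Get-ADComputer -Identity $computerName).DistinguishedName
$parentDn = ($objectDn -split ',', 2)[1]                       # container holding the object

# Build the chain domain -> ... -> parent OU (top down). Escaped commas inside a DN
# component would break this simple split; use ADSI path parsing if you have those.
$chain = @()
$dn = $parentDn
while ($dn) {
    $chain = ,$dn + $chain                                     # prepend so the domain ends up first
    if ($dn -match '^DC=') { break }
    $dn = ($dn -split ',', 2)[1]
}

foreach ($container in $chain) {
    $inh = Get-GPInheritance -Target $container
    "`n== $container (Block Inheritance: $($inh.GpoInheritanceBlocked))"
    # Within one container, Order 1 is processed last, so it wins conflicts with Order 2, 3, ...
    $inh.GpoLinks | Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize | Out-String
}

# InheritedGpoLinks is the resultant list for the OU, already sorted from highest to
# lowest precedence across the whole chain, with Enforced links and Block Inheritance
# taken into account. Site-linked GPOs and the local GPO are not part of this view.
$effective = @((Get-GPInheritance -Target $parentDn).InheritedGpoLinks)
"`n== Effective precedence for $parentDn (1 wins any conflict)"
for ($i = 0; $i -lt $effective.Count; $i++) {
    '{0,3}  {1,-40} enforced={2}' -f ($i + 1), $effective[$i].DisplayName, $effective[$i].Enforced
}

# The order the client actually applies them in is the reverse: last writer wins.
if ($effective.Count -gt 0) {
    "`n== Processing order (applied first -> last)"
    $effective[($effective.Count - 1)..0] | ForEach-Object { $_.DisplayName }
}
```

Two caveats when reading the output: Get-GPInheritance only knows about domain and OU links, so anything linked at the site level (processed between the local GPO and the domain) has to be checked on the site in GPMC, and none of this reflects security filtering or WMI filters, which can drop a GPO from the list on a given client even though it appears here.  `gpresult /r` on the client remains the final word.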

You can block inheritance at a domain or OU.  Block Inheritance prevents GPOs linked to sites, domains or OUs higher in the hierarchy from being inherited and applied at that level; by default a child container inherits every GPO linked to its parents.  Enforced is set on a GPO link rather than on the GPO itself.  Selecting Enforced on a link specifies that the settings in that GPO take precedence over the settings in GPOs linked to any child container, and an Enforced link cannot be blocked by Block Inheritance on a child.  Without Enforced on the higher-level link, settings in GPOs linked at a parent level are overwritten by settings in GPOs linked to child OUs wherever the two conflict.

GPO links set to Enforced (called No Override in older tools) cannot be blocked.

The enforce and block inheritance options should be used sparingly. Casual use of these advanced features complicates troubleshooting.
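The interaction between the two options is clearer when you watch the effective list change.  The following is an added example, not code from the original post: it blocks inheritance on a child OU, enforces one domain-level link, and prints the resultant GPO list after each step, then rolls the changes back.  It assumes the GroupPolicy and ActiveDirectory modules, that the OU `OU=Kiosks,OU=Workstations` exists under the domain head, and that a GPO named `Security Baseline` is already linked at the domain; all of those names are hypothetical, and this should be run in a lab.

```powershell
# Added example (not from the original post). Demonstrates Block Inheritance versus
# Enforced on a child OU and shows the resultant list after each change.
# Assumes GroupPolicy + ActiveDirectory modules; OU and GPO names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$childOu  = "OU=Kiosks,OU=Workstations,$domainDn"
$baseline = 'Security Baseline'            # must already be linked at the domain

function Show-Effective([string] $Target) {
    # InheritedGpoLinks is sorted highest precedence first
    $links = @((Get-GPInheritance -Target $Target).InheritedGpoLinks)
    if ($links.Count -eq 0) { '  (no GPOs apply)'; return }
    for ($i = 0; $i -lt $links.Count; $i++) {
        '  {0,2}. {1,-40} enforced={2}' -f ($i + 1), $links[$i].DisplayName, $links[$i].Enforced
    }
}

'Before:'
Show-Effective $childOu

# Step 1: Block Inheritance on the child OU. Every link from the domain and the
# parent OU drops out; only GPOs linked directly to the child remain.
Set-GPInheritance -Target $childOu -IsBlocked Yes | Out-Null
'After Block Inheritance on the child OU:'
Show-Effective $childOu

# Step 2: Enforce the baseline link at the domain. Set-GPLink edits an existing link,
# so the GPO has to be linked there already. The enforced GPO reappears on the child
# OU at precedence 1, above anything linked directly to the child, so a conflicting
# child setting can no longer override it.
Set-GPLink -Name $baseline -Target $domainDn -Enforced Yes | Out-Null
'After enforcing the baseline link at the domain:'
Show-Effective $childOu

# Roll back so the lab is left as it was found
Set-GPLink -Name $baseline -Target $domainDn -Enforced No | Out-Null
Set-GPInheritance -Target $childOu -IsBlocked No | Out-Null
```

If more than one Enforced link applies to a container, the one linked highest in the hierarchy (domain over parent OU over child OU) wins among them, which is the opposite of the normal rule; that is one reason the post recommends using these options sparingly.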

Loopback processing is an advanced GPO setting that is useful on computers in certain environments, such as classrooms or kiosks.  Enabling loopback causes the User Configuration settings in the GPOs that apply to the computer to be applied to every user logging on to that computer, either instead of (Replace mode) or in addition to (Merge mode) the User Configuration settings from the GPOs that apply to the user.  In Merge mode the computer's GPOs are applied after the user's, so they win any conflict.  This ensures that a consistent set of policies is applied to any user logging on to a particular computer, regardless of where the user object sits in AD.

Loopback is controlled by the setting User Group Policy loopback processing mode (named Configure user Group Policy loopback processing mode in current versions of the Group Policy editor), which is located under Computer Configuration\Administrative Templates\System\Group Policy.

Loopback can be Not Configured, Enabled or Disabled.  When Enabled, the mode is either Merge or Replace.  In either case the user still receives only user-side policy settings; loopback changes which GPOs those settings are taken from, not the computer settings.
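As an added example (not code from the original post), this builds a kiosk GPO that turns loopback on in Replace mode, adds a user-side restriction to the same GPO so loopback has something to apply, links it to the kiosk OU, and verifies the registry value the policy writes.  It assumes the GroupPolicy and ActiveDirectory modules; the OU path, the GPO name and the host `WS-KIOSK01` are hypothetical.

```powershell
# Added example (not from the original post). Creates a loopback (Replace) GPO for a
# kiosk OU and verifies the setting from the GPO and from a client.
# Assumes GroupPolicy + ActiveDirectory modules; OU, GPO and host names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$kioskOu = "OU=Kiosks,OU=Workstations,$((Get-ADDomain).DistinguishedName)"
$gpoName = 'Kiosk - Loopback Replace'

$gpo = New-GPO -Name $gpoName -Comment 'User settings in this GPO apply to anyone logging on to a kiosk'

# The loopback policy writes this value under the computer hive. 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# A user-side setting in the same GPO, so loopback has something to apply to every
# logon: remove the Run command from the Start menu for whoever signs in.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Link to the computers' OU. The GPO has to apply to the computer for loopback to fire;
# where the user objects live does not matter.
New-GPLink -Name $gpoName -Target $kioskOu -LinkEnabled Yes | Out-Null

# Verify from the GPO side
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

# Verify on a kiosk after 'gpupdate /force': the computer-side value shows the mode,
# and gpresult lists the GPO under the user's applied GPOs as well.
Invoke-Command -ComputerName 'WS-KIOSK01' -ScriptBlock {
    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name UserPolicyMode
}
# On the kiosk, as the logged-on user:  gpresult /r /scope:user
```

Leave the default Authenticated Users entry with Read and Apply Group Policy on the GPO: the user settings are retrieved in the computer's security context, so if you narrow security filtering to a user group the computer account can lose Read on the GPO and loopback silently stops applying those user settings.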

Because you can't link GPOs to the default Users and Computers containers (where newly created users and newly joined computers land by default), use the Redirusr.exe and Redircomp.exe tools to redirect all newly created user and/or computer accounts to an OU of your choosing, where GPOs can be linked.  Redirection requires the Windows Server 2003 domain functional level or later.
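The procedure end to end, as an added example that is not part of the original post: create protected staging OUs, point the domain's default containers at them, verify the change, and link a baseline GPO so nothing new lands unmanaged.  It assumes the ActiveDirectory and GroupPolicy modules, that it runs on a domain controller as a Domain Admin, and that a GPO named `Baseline - New Computers` already exists; the OU and GPO names are hypothetical.

```powershell
# Added example (not from the original post). Redirects new user and computer objects
# into OUs that can carry GPOs, then verifies the redirection.
# Assumes ActiveDirectory + GroupPolicy modules on a DC; OU and GPO names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# Redirection needs the Windows Server 2003 domain functional level or later
if ($domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain') {
    throw "Domain functional level $($domain.DomainMode) is too low for redirusr/redircomp"
}

# Staging OUs, protected so an accidental delete cannot leave new objects without a home
$usersOu = New-ADOrganizationalUnit -Name 'New Users' -Path $domainDn `
    -ProtectedFromAccidentalDeletion $true -PassThru
$compsOu = New-ADOrganizationalUnit -Name 'New Computers' -Path $domainDn `
    -ProtectedFromAccidentalDeletion $true -PassThru

# The tools ship in System32 on a domain controller and take the target OU's DN
& "$env:SystemRoot\System32\redirusr.exe"  $usersOu.DistinguishedName
& "$env:SystemRoot\System32\redircomp.exe" $compsOu.DistinguishedName

# Verify: the domain head's well-known object references now point at the OUs
$domain = Get-ADDomain
$domain | Select-Object UsersContainer, ComputersContainer
if ($domain.ComputersContainer -ne $compsOu.DistinguishedName) { throw 'Computer redirection did not take' }
if ($domain.UsersContainer     -ne $usersOu.DistinguishedName) { throw 'User redirection did not take' }

# Now anything created by a domain join, 'net user /add' or an ADUC default lands under policy
New-GPLink -Name 'Baseline - New Computers' -Target $compsOu.DistinguishedName -LinkEnabled Yes | Out-Null
```

Objects already sitting in CN=Users and CN=Computers are not moved by the tools; move them with Move-ADObject once you have confirmed which GPOs will start applying to them.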
