Skip to main content Show
This browser is no longer supported. Nội dung chính Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Group Policy Hierarchy
In this articleBy default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container. GPOs are processed in the following order:
Note The order in which GPOs are processed is significant because when policy is applied, it overwrites policy that was applied earlier. By convention, computer-related policy settings override user-related policy settings. For more information, see Overriding and Blocking Group Policy, Filtering the Scope of a GPO, and Applying Group Policy. Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. Microsoft provides a program snap-in that allows you to use the Group Policy Management Console (GPMC). The selections result in a Group Policy Object. The GPO is associated with selected Active Directory containers, such as sites, domains or organizational units (OU). The GPMC allows you to create a GPO that defines registry-based polices, security options, software installation and maintenance options, scripts options and folder redirection options. Types of GPOsThere are three types of GPOs: local, non-local and starter.
Data Security and Group Policy ObjectThere are some Group Policy settings that can help secure a company’s network. For example, through Group Policy, an organization can run scripts, stop users from accessing certain resources and perform simple tasks, such as forcing a particular home page to open for every network user. Some of these security measures include:
Benefits of Group Policy ObjectsThere are several benefits to implementing GPOs in addition to security, including:
Limitations of GPOsThe limitations of Group Policy Objects include:
Processing order of GPOsThe processing order of Group Policies effects what settings are applied to the computer or end-user. This processing order is known as LSDOU: local, site, domain, organization unit. First the local computer policy is processed, followed by Active Directory policies from site level to domain, then into OU (GPOs in nested organizational units apply from the OU closest to the root first, and continues from there). If there are any conflicts, the last applied policy will take effect. Examples of GPOsThe following are examples of Group Policy Objects:
Best practicesSome best practices for GPOs include:
This was last updated in September 2019 Continue Reading About Group Policy Object (GPO)
Dig Deeper on IT operations and infrastructure management
How are GPOs processed?Each GPO is linked to an Active Directory container in which the computer or user belongs. By default, the system processes the GPOs in the following order: local, site, domain, then organizational unit. Therefore, the computer or user receives the policy settings of the last Active Directory container processed. When multiple GPOs are linked to a container which GPO in the list has the highest priority?If you have more than one GPO linked to an OU then the processing order of these GPOs is determined by what is known as the link order. The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc. What GPO policy will take precedence over all other GPO policies when they are being applied?The order is site, domain, OU, and child OUs. As a result, GPOs in child OUs have a higher precedence than GPOs linked to parent OUs, which have a higher precedence than GPOs linked to the domain, which have a higher precedence than GPOs linked to the site. Which GPO takes precedence local or domain?Local GPO take precedence over Domain GPO. Which of the following local GPOs have highest precedence on a system with multiple local GPO?If you have more than one GPO linked to an OU then the processing order of these GPOs is determined by what is known as the link order. The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc.
In which order are group policy objects GPOs processed?When multiple Group Policy Objects are linked to a single AD container, they are processed in order of link, starting from the highest link order number to lowest; setting in the lowest link order GPO take effect. Thus, the setting in all the applicable policies are evaluated in order.
Which GPO takes precedence local or domain?Local GPO take precedence over Domain GPO.
What GPO policy will take precedence over all other GPO policies when they are being applied?The order is site, domain, OU, and child OUs. As a result, GPOs in child OUs have a higher precedence than GPOs linked to parent OUs, which have a higher precedence than GPOs linked to the domain, which have a higher precedence than GPOs linked to the site.
|