GPO Appliance Order

GPO Appliance Order

Welcome to a series of seven short posts that will lay out all aspects of the GPO aka Group Policy Object – Microsoft’s framework for automated configuration of the Windows operating system.

Read the full article here or skip to the previous or next article using the link at the bottom of this post.

GPO Appliance Order

GPO appliance can be very confusing at first since a lot of configurations contribute to the final result of your GPO appliance order. We often see seasoned admins make mistakes in this area.

First of all:

Computer objects in AD receive computer settings (only) from GPO’s which are linked to the computer’s OU or parent OU’s.

User objects in AD receive user settings (only) from GPO’s which are linked to the user’s OU or parent OU’s.

Exceptions to this rule exist! Please read the entire section carefully!

A GPO can have it’s computer settings  or user settings disabled. Use this to speed up GPO processing on clients by disabling the computer settings of GPO’s that only hold user settings, vice versa. Disabling both computer and user settings will effectively disable the GPO.

Since multiple GPO’s can have conflicting settings and since even computer and user settings can sometimes configure the same setting, an important question arises:

What are the effective settings applied in the case of multiple, conflicting GPO’s?

First of all, you should avoid configuring conflicting settings in your GPO’s. But nevertheless these are the “basic” rules of GPO appliance:

  • GPO’s set with a lower link order (e.g. 1) on the same OU will override GPO’s set with a higher link order (eg. 3) on the same OU
  • GPO’s set at a lower level OU will override GPO’s set at a higher level OU

This basically means, the lower in your OU hierarchy you configure the GPO’s the more dominant they are (as they get applied last, thereby overwriting previously applied settings).

In the below example, the GPO with the highest link order will win over any conflicting settings in lower link order GPO’s:

GPO appliance order

Note! The order of the GPO’s below the domain object in the left-hand side are simply ordered alphabetically! You must look at the Link Order in the right-hand side.

In the below example, the GPO linked to the lower level OU (“Desktop Configuration”) will win over any conflicting settings in GPO’s linked on a higher level (closer to the domain object):

In addition to this, in the case of conflicting user and computer settings you should understand the following:

  • GPO computer settings get applied during system boot
  • GPO user settings get applied at user logon

Therefore, user settings will override any conflicting computer settings (as they get applied last).

To complicate things even further, the GPO appliance can be modified with the following:

  • Link disabled
  • No override
  • Block inheritance
  • Loopback processing
  • WMI filtering
  • Security filtering

Link disabled is when you disable the GPO link. The GPO is linked to the OU, but the link is disabled. In that case nothing get’s applied from the GPO. This is primarily used during testing.

No override means that settings in the GPO can’t be overridden by lower level GPO settings. This is normally used to keep lower level administrators from overriding enterprise settings.

Block inheritance is a feature of OU’s (not GPO’s) and ensures that GPO’s set at higher level OU’s are not applied to the computer or user objects in the OU (or sub-OU’s). Notice that no override takes precedence over block inheritance.

Loopback processing means that user settings from GPO’s affecting a computer gets applied to the computer object (normally only computer settings affect computers). Loopback processing comes in two flavors: Replace and Merge:

  • With Replace the user settings from the GPO’s affecting the user object are skipped entirely. This is useful in e.g. a terminal server environment where you don’t want random user GPO’s to mess up your terminal server.
  • With Merge the user settings from the GPO’s affecting the user are processed on top of the user settings from the GPO’s affecting the computer.

WMI filtering allows you to filter your targets with a WMI filter. A WMI filter can query anything in WMI e.g. operating system version, bios version, disk size, hardware type, etc. WMI filters are defined in the WMI Filters section in GPMC and once defined they can be added to your group policy in the scope tab of the policy.

Finally, GPO appliance can be modified by security filtering which is covered in the next section.