1

What happens if i linked one OU to multiple GPO ? and what happens if two of these GPOs are opposite functions ( allow / Deny ) for the same switch or function ?

3 Spice ups
2

Order/precedence takes over.

2 Spice ups
3

So how do we Order/precedence the GPOs , is it by creating or linking date and time, or it has a special sorting function ?

4

In the Group Policy administrative tool when an OU is selected in the left tree, there are tabs on the right side that allow you to specify the order in which policies are applied. As one policy is applied, it changes settings on the client systems, and as the next policy is applied then it too changes settings. Eventually, the final policy is applied, and of course its settings win.

There is also scoping involved within a particular policy. Select the policy in the tool to see the scoping.

1 Spice up
5

well technoetos, So in this way i can create multiple policies, and connect them all to an OU considering the order of them, and if there is any conflict the upper policy takes over and override the lower one !

one more thing to ask, if i have parent OU with some other OUs inside it, is GPO linking is active by default to the Child OUs that lets them inherit the parent OU policy ?

@roberthammond

6

Yes as long is the child OU does not have inheritance blocked.

2 Spice ups
7

Yes, inheritance is enabled by default, but this can be overridden as well.

1 Spice up
8

@A SH

I think technetos has answered your questions well, but I just wanted to recommend that you make use of the Group Policy Modelling wizard, as you seem unsure of exactly what applies where with GP.

The modelling wizartd will ask you for a user and/or computer and then show you which policies are being applied, and for each setting which policy is taking effect.

Very useful tool when working with GPO’s.

1 Spice up
9

Thank you Kenny, it is an great tool that explains and show the effective GPO and different settings, whatever it is for a user or computer.

10

EDIT: Ignore this post…I was mistaken… :frowning:

Yes, technetos has answered your questions, but I can’t leave well enough alone… :slight_smile:

It may be obvious, but I’ve seen folks mistake a higher precedence number to mean that a given GPO has higher priority. This isn’t the case. In the example below, there are two GPOs that are set to change the name of the local Administrator account. The local admin name will end up being “ImNotTellin” because it comes later in the precedence order.

Precedence - GPO

1 - Change local admin name to “SuperSecret”
2 - Set screensaver
3 - Disable Autorun
4 - Change local admin name to “ImNotTellin”

11

It would be SuperSecret.

The GPO with the Lower number wins out.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. **The GPO with the lowest link order is processed last, and therefore has the highest precedence.**
12

Consarn it, Justin! I hate it when I’m wrong!!

I would have sworn my first post was correct…thought I’d had a situation a year or so back that required setting the precedence the other way 'round.

Just tested it though, and alas, I was mistaken. @#$^*!%!

1 Spice up
13

You are thinking of Group Policy Preferences.

It starts from #1 and goes Down the list. Larger # taking effect last.

1 Spice up
14

Use the command line tools gpupdate and gpresult on a client as you are testing policies. Very helpful and the gpresult with verbose mode will help you see what is being applied/skipped and in what order.

1 Spice up