GPO Processing order

cashew Member Posts: 122
The order in which GPOs are processed is Local, Site, Domain, and OU. Let's say that at the site level I have an option set and at the OU level I have an option set. Since the options don't conflict with each other, are both applied, or does the OU GPO totally wipe out the domain OU?

Comments

  • royal Member Posts: 3,353
    Both are applied due to Group Policy's cumulative nature. The Group Policy with higher precedence applies. So for instance:

    Site Level GPO.
    Setting #1 - Allow Option A
    Setting #2 - Deny Option B

    OU Level GPO
    Setting #1 - Not Defined
    Setting #2 - Allow Option B

    Net Result for object in OU
    Setting #1 - Allow Option A
    Setting #2 - Allow Option B

    The Not Defined setting basically means: allow lower-precedence Group Policy settings to flow through. There are caveats, however. For example, Block Inheritance and No Override.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • cashew Member Posts: 122
    That's what I thought, but what about this. Correct me if I'm wrong, but let's say a PC is in an OU and a user is in a different OU. There is a GPO linked to the PC OU that has user settings defined. The GPO linked to the user OU has its own settings defined. Unless loopback processing is enabled, the user settings will have precedence over the computer settings when that user logs on? Then back to the first question, where if the settings on both OUs don't conflict, they will both be applied?
  • sprkymrk Member Posts: 4,884
    cashew wrote:
    That's what I thought, but what about this. Correct me if I'm wrong, but let's say a PC is in an OU and a user is in a different OU. There is a GPO linked to the PC OU that has user settings defined.
    User settings in a GPO that are applied to an OU that only has computers will not be processed anyway - unless loopback processing is in use. If the user himself is in that OU, then yes. Otherwise the user settings will be ignored, since the object is a computer. Example:

    User1 is in the OU called Sales.
    His laptop is named mobile1, and is in an OU called Laptops.

    The OU Sales contains only user objects.
    The OU Laptops contains only computer objects.

    No matter what "computer" settings you define in the Sales OU GPO, they will have no effect since there are no computer objects to apply them to.

    No matter what "user" settings you define in the Laptops OU GPO, they will have no effect since there are no user objects to apply them to - unless using Loopback processing.

    cashew wrote:
    Then back to the first question, where if the settings on both OUs don't conflict, they will both be applied?

    Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.
    All things are possible, only believe.
  • cashew Member Posts: 122
    What if loopback processing is enabled for an OU that has only computers in it. On that computer OU there are user settings defined. When a user logs on to the computer, the user settings from the computer OU are applied to the user, and the action is dependent on merge or replace mode? Merging if the settings don't conflict and replacing if they do?
  • sprkymrk Member Posts: 4,884
    cashew wrote:
    What if loopback processing is enabled for an OU that has only computers in it. On that computer OU there are user settings defined. When a user logs on to the computer, the user settings from the computer OU are applied to the user, and the action is dependent on merge or replace mode? Merging if the settings don't conflict and replacing if they do?

    That is correct.
    "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

    "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.
    All things are possible, only believe.
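A small model of the precedence rules discussed in royal's Site vs. OU table and in the Merge/Replace explanation above, as an added example (not from the thread, not Microsoft code). It assumes a simplified LSDOU model in which "Not Defined" is represented as None, the GPO at the top of a link list has the highest precedence, Block Inheritance on the OU drops non-enforced Site/Domain links, and Enforced links are applied last with the highest scope winning.

```python
from typing import Dict, List, Optional

# Scopes in the order Group Policy applies them (LSDOU); a later scope wins a conflict.
SCOPES = ("Local", "Site", "Domain", "OU")
Settings = Dict[str, Optional[str]]  # None models a "Not Defined" setting


def apply(result: Dict[str, str], settings: Settings) -> None:
    """Overlay one GPO's settings; Not Defined lets earlier values flow through."""
    for name, value in settings.items():
        if value is not None:
            result[name] = value


def resolve(gpos: List[dict], block_inheritance: bool = False) -> Dict[str, str]:
    """Resultant settings for an object. Each GPO is a dict with "scope",
    "settings", optional "link_order" (1 = top of the link list) and "enforced".
    Simplified model (assumption): LSDOU order, top of the link list wins within
    a scope, Block Inheritance on the OU drops non-enforced Site/Domain links,
    and Enforced (No Override) links are applied last, the highest scope winning."""
    result: Dict[str, str] = {}
    for scope in SCOPES:
        links = sorted((g for g in gpos if g["scope"] == scope),
                       key=lambda g: g.get("link_order", 1), reverse=True)
        for g in links:
            if g.get("enforced"):
                continue  # re-applied in the enforced pass below
            if block_inheritance and scope in ("Site", "Domain"):
                continue  # dropped by the OU's Block Inheritance
            apply(result, g["settings"])
    enforced = [g for g in gpos if g.get("enforced")]
    for g in sorted(enforced, key=lambda g: SCOPES.index(g["scope"]), reverse=True):
        apply(result, g["settings"])  # Site enforced ends up on top of OU enforced
    return result


def loopback(user_rsop: Dict[str, str], computer_user_settings: Settings,
             mode: str) -> Dict[str, str]:
    """User-side settings a user receives on a computer with loopback enabled."""
    if mode == "Replace":    # the user's own GPOs are ignored entirely
        result: Dict[str, str] = {}
    elif mode == "Merge":    # user's GPOs first; computer's user settings win conflicts
        result = dict(user_rsop)
    else:
        raise ValueError("mode must be 'Merge' or 'Replace'")
    apply(result, computer_user_settings)
    return result


# Constructed input reproducing the Site vs. OU table from royal's post.
SITE_GPO = {"scope": "Site", "settings": {"Option A": "Allow", "Option B": "Deny"}}
OU_GPO = {"scope": "OU", "settings": {"Option A": None, "Option B": "Allow"}}

if __name__ == "__main__":
    print(resolve([SITE_GPO, OU_GPO]))  # {'Option A': 'Allow', 'Option B': 'Allow'}
```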
  • cashew Member Posts: 122
    Almost finished with the MSPress, but ran across another question. Let's say that a user is in an OU. Let's say he's a member of a group that is in a different OU. When that user logs on, is the GPO for him and the GPO for the group run? If not, what if the group is in the same OU as the user?
  • royal Member Posts: 3,353
    Group Policies don't apply to groups. They ONLY apply to users and computers; hence the user configuration and computer configuration sections in a GPO. You can filter by groups, but that is only if the user object or computer object is in that OU. If they are not, then filtering cannot happen. If the user object is in an OU, it then checks the filter to see if it should apply to a specific user/group.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    Exactly what Royal said.
    You can try it yourself in a home lab by creating an OU and placing only groups in it. Then create a GPO linked to that OU that runs a logon script, turns on a screensaver and a few other obvious changes. Then, log on as a user that is a member of that group and watch as absolutely nothing happens.
    All things are possible, only believe.
  • cashew Member Posts: 122
    sprkymrk wrote:

    Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.

    I created an OU and added a user account and computer account. I set the computer policy to disallow messenger to enable and set the user to disallow messenger to disable. When I refreshed I was unable to run messenger? I thought that the user settings would override since loopback wasn't enabled?
  • sprkymrk Member Posts: 4,884
    cashew wrote:
    sprkymrk wrote:

    Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.

    I created an OU and added a user account and computer account. I set the computer policy to disallow messenger to enable and set the user to disallow messenger to disable. When I refreshed I was unable to run messenger? I thought that the user settings would override since loopback wasn't enabled?

    There is a "note" on the explanation of that computer policy that states:
    Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence.

    Now I'm not sure if that's a special case or if my original information was incorrect. I'll check it out.
    All things are possible, only believe.
  • royal Member Posts: 3,353
    I always thought that user configuration wins unless it either states that the computer setting will take precedence or in cases such as loopback. After seeing the following comment, I'm not so sure about that:

    From: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsec_pol_blsa.mspx?mfr=true
    In most cases policy settings specified in the Computer Configuration node have precedence over the same setting if one exists in the User Configuration node.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    royal wrote:
    I always thought that user configuration wins unless it either states that the computer setting will take precedence or in cases such as loopback. After seeing the following comment, I'm not so sure about that:

    From: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsec_pol_blsa.mspx?mfr=true
    In most cases policy settings specified in the Computer Configuration node have precedence over the same setting if one exists in the User Configuration node.

    Good find royal. I suppose that despite the user policy being applied last, computer settings seem to have precedence. Weird.
    All things are possible, only believe.
  • cashew Member Posts: 122
    Well at least I know the actual function so when it comes to applying this on the job, I know what to do. However, right now I want to make sure that 294 knows the real truth. So after doing some more research, if you look at any other GPO setting that involves computer and user settings (Windows Movie Maker for example) with the same option, each one has a note saying that if both are configured, the computer configuration takes precedence. If you have the MSPress for 294, go to page 10-16 and look at the note at the bottom of the page. It reads:

    "If there is a conflict between the computer configuration settings and the user configuration settings, the user configuration settings are applied because the user settings are more specific."

    Microsoft needs to make up its mind. This isn't the first occurrence I've run across in my MCSE studies. I remember 3 or 4 off the top of my head when I was studying 284 and how MS contradicts itself on numerous occasions.
  • sprkymrk Member Posts: 4,884
    That's what makes it so much fun!
    All things are possible, only believe.
  • cashew Member Posts: 122
    Well, just finished MSPress and CBT Nuggets so I'm going to order the transcenders. Interested to see how the questions handle this topic. I will post if I run across some more drama on this issue.
  • mr2nut Member Posts: 269
    What is the difference between block inheritance and no override by the way? They sound like they do very similar things.
  • mr2nut Member Posts: 269
    Also, do GPOs work in alphabetical order? If not, how do they determine which applies first?
  • dynamik Banned Posts: 12,314
    mr2nut wrote:
    What is the difference between block inheritance and no override by the way? They sound like they do very similar things.

    They do opposite things. You can think of "no override" as "force inheritance." Suppose you delegate control over an OU to someone, but you do not want them to override a setting you set at the domain level.
    mr2nut wrote:
    Also, do GPOs work in alphabetical order? If not, how do they determine which applies first?

    They are applied in this order: Local > Domain > Site > OU

    If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.
  • royal Member Posts: 3,353
    dynamik wrote:
    If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.

    And the one at top of the list wins.

    This is important if you're doing something like WMI filtering with 2000 machines. Since 2000 machines don't apply WMI filtering, you can trick it by placing the Windows 2000 GPO on top and the XP GPO 2nd in the list. You then apply a GPO filter so that the top GPO only applies to Windows 2000. Since XP will see this WMI filter, it'll skip the top one and apply the second one. Since 2000 can't see the WMI filter, it'll automatically just apply the first one.

    So the processing in the actual list is important. :)
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • mr2nut Member Posts: 269
    dynamik wrote:
    mr2nut wrote:
    What is the difference between block inheritance and no override by the way? They sound like they do very similar things.

    They do opposite things. You can think of "no override" as "force inheritance." Suppose you delegate control over an OU to someone, but you do not want them to override a setting you set at the domain level.
    mr2nut wrote:
    Also, do GPOs work in alphabetical order? If not, how do they determine which applies first?

    They are applied in this order: Local > Domain > Site > OU

    If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.

    Cheers. I understand the order in the respect of local>domain>site>ou. But let's say you have three OUs for clients, fileservers and servers. Clients appears in the list before fileservers, so does the servers OU inherit the default domain policy, then settings from clients, then fileservers, or do OUs completely ignore other policies and only GPOs applied directly into the OU?
  • dynamik Banned Posts: 12,314
    mr2nut wrote:
    Cheers. I understand the order in the respect of local>domain>site>ou. But let's say you have three OUs for clients, fileservers and servers. Clients appears in the list before fileservers, so does the servers OU inherit the default domain policy, then settings from clients, then fileservers, or do OUs completely ignore other policies and only GPOs applied directly into the OU?

    The LDSOU order is how settings are applied and inherited. You can modify inheritance with the options we discussed earlier. A setting that is defined in multiple places is overwritten by the one applied later; otherwise it's simply inherited from where it was applied.

    I don't understand your OU example. Unless they're nested, the GPOs linked to them aren't going to affect any of the others.
  • mr2nut Member Posts: 269
    I get it now. I was under the impression that say for example you have the following...

    default domain policy
    -Client OU
    -Server OU

    I was under the impression that Client OU would inherit just the default domain policy. Then the Server OU would inherit the default domain policy, AND any settings in the Client OU as it was above the Server OU, but I've now figured out that they will both just inherit the default domain policy and any other settings applied using only the GPO attached to its OU.
  • NetAdmin2436 Member Posts: 1,076
    wrote:
    Local > Domain > Site > OU

    The LDSOU order was mentioned a few times in the thread (and if I'm not mistaken here) it should actually be LSDOU and hence applied in this order:
    Local > Site > Domain > OU

    Group Policy processing and precedence: Group Policy
    WIP: CCENT/CCNA (.....probably)
  • dynamik Banned Posts: 12,314
    +1

    Don't listen to that other guy
  • UncleCid Member Posts: 66
    dynamik wrote:
    +1

    Don't listen to that other guy

    lol, late night? ;)
  • genXrcist Member Posts: 531
    royal wrote:
    And the one at top of the list wins.

    This is important if you're doing something like WMI filtering with 2000 machines. Since 2000 machines don't apply WMI filtering, you can trick it by placing the Windows 2000 GPO on top and the XP GPO 2nd in the list. You then apply a GPO filter so that the top GPO only applies to Windows 2000. Since XP will see this WMI filter, it'll skip the top one and apply the second one. Since 2000 can't see the WMI filter, it'll automatically just apply the first one.

    So the processing in the actual list is important. :)

    Hold on, I thought the GPOs were applied from the lowest priority to the highest, with the conflicts going to the sequential GPO with a higher priority? In this case, the XP machine will process GPO2 and then skip GPO1 but the W2K machine will process both GPOs.

    Correct?
    1) CCNP Goal: by August 2012
  • undomiel Member Posts: 2,818
    True. You would want to reverse the order so that on the 2000 machine the XP GPO is overwritten by the 2000 GPO.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • genXrcist Member Posts: 531
    undomiel wrote:
    True. You would want to reverse the order so that on the 2000 machine the XP GPO is overwritten by the 2000 GPO.

    Forgive me but I don't understand how reversing the priority order causes the 2K GPO to overwrite the XP GPO?
    1) CCNP Goal: by August 2012
  • undomiel Member Posts: 2,818
    Well I will admit this was working off the assumption that they are modifying the same setting, in which case the last applied GPO (2000) is what takes precedence e.g. "overwrites". Precedence is probably a better word for it, I just always use overwrites in my head.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • genXrcist Member Posts: 531
    undomiel wrote:
    Well I will admit this was working off the assumption that they are modifying the same setting, in which case the last applied GPO (2000) is what takes precedence e.g. "overwrites". Precedence is probably a better word for it, I just always use overwrites in my head.

    Ahhhh! I just had my 'A-Ha' moment. :) Thanks!
    1) CCNP Goal: by August 2012