
What is the precedence for Enforced GPOs? I can't really find any MS articles which give a refined answer.

My current understanding is as follows:

Let's say we have 5 GPOs, GPO1 through GPO5. I will use an exam question to put it into context.

GPO     Linked to      Enforced
GPO1    contoso.com    No
GPO2    contoso.com    Yes
GPO3    Site 1         Yes
GPO4    OU1            No
GPO5    OU1            Yes

Now my understanding would mean they would apply in this order, from the first to apply to the last to apply (thus the one with most precedence).

GPO1 -> GPO4 -> GPO5 -> GPO2 -> GPO3 (meaning 3 has the final say on any duplicates)

Am I correct in my understanding? Many thanks!

PnP
  • Your "apply in this order" is right in terms of WHAT gets applied but not necessarily on WHEN that GPO gets sequenced. See my answer for clarification on that part. – TheCleaner May 24 '13 at 16:13

2 Answers


I wrote about this here: http://myotherpcisacloud.com/post/2012/08/14/GPO-Application-Precedence-Just-Because-You-Can-Edition.aspx

TL;DR - The uppermost or parent GPO that is also enforced will win.

From Microsoft:

You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced.

EDIT:

See here as well: GPO provides unexpected value

There it specifically states:

The Enforce setting is a property of the link between an Active Directory container and a GPO. It is used to force that GPO to all Active Directory objects within a container, no matter how deeply they are nested. The settings within a GPO that is enforced override other settings that would prevail because they are applied later. If there are conflicting settings in GPOs that are enforced at two levels of the hierarchy, the setting enforced furthest from the client prevails. This is a reversal of the usual rule, in which the setting from the nearest-linked GPO would prevail.

Ryan Ries (edited by TheCleaner)
  • So then it's correct: in the above instance, the GPO linked to the Site will indeed win. Thank you. – PnP May 24 '13 at 15:18
  • TheD - Just to be clear, this is relevant for settings that are common to both GPOs. If you have settings in the OU linked GPO that aren't set in the Site linked GPO then those settings will be applied by the OU linked GPO. Only when there are common settings in both GPOs does enforcement hierarchy come into play. – joeqwerty May 24 '13 at 15:36

Ryan (and I :P ) answered the question of how 2 or more enforced GPOs are handled, but I wanted to clarify that while GPO3 linked to the site will "win", the OP's sequence of how they are applied isn't correct.

The OP states:

Now my understanding would mean they would apply in this order, from the first to apply to the last to apply (thus the one with most precedence).

GPO1 -> GPO4 -> GPO5 -> GPO2 -> GPO3 (meaning 3 has the final say on any duplicates)

Remembering that:

[image: diagram of the GPO processing order]

As far as the sequence goes itself (including enforcement, but specifically the sequence order that the GPOs are looked at when processing):

GPO3 (with any of its settings enforced and taking precedence from here on out)

->

GPO1 or GPO2 (depending on link order at the domain level of these 2, with GPO2 being enforced except where GPO3 settings overrule because GPO3 is enforced at the site level)

->

GPO4 or GPO5 (depending on link order at the OU level of these 2, with GPO5 being enforced except where GPO2 or GPO3 settings overrule)

TheCleaner
  • Sorry, but what is the order of processing then? Like GPOx -> GPOx. Apologies, but your explanation confused me just a little bit! – PnP May 24 '13 at 16:14
  • Let's say the link order hasn't been changed, so simply the GPOs are linked to the OU and Site etc. What order are they processed in, with regards to the first GPO to the last GPO? – PnP May 24 '13 at 16:15
  • The question itself says order them in the Order they will be applied to the client PC. Thanks! – PnP May 24 '13 at 16:16
  • I can't answer based on what a quiz WANTS the answer to be...but there is ALWAYS a link order when 2 or more GPOs are applied at a level even if you don't set one manually. You can see this in the GPMC looking at the "Linked GPOs" tab for whatever level you are on. GPOs are always processed in the ORDER that is in the pic I posted. That doesn't mean they will take precedence or apply, only that it is the order they are looked at when deciding. I've changed the "code" I posted to help clarify for you. – TheCleaner May 24 '13 at 16:19
  • My query is, you show that GPO3 is actually processed first, but I thought those with the highest precedence are processed last, hence have the final say on the Policy. – PnP May 24 '13 at 16:22
  • No, site GPOs get processed before domain or OU (as in the pic). So in your example GPO3 would be the start of the GPO settings sequence, but would also be flagged as "enforced" for its settings, so it would continue to be enforced as the GPO sequence continues on through the domain and OU levels. Think of it more as going GPO3 then at the domain level the settings say "enable this...oh wait GPO3 says disable it and is enforced, nevermind", continuing on to do the same at the OU level. – TheCleaner May 24 '13 at 16:26
  • To simplify and think in your terms...enforcing a single GPO doesn't mean "apply this last", it means "apply this in its sequence and then enforce it on any GPOs sequenced AFTER me". Hence a GPO enforced at a site level will take precedence over any GPOs "below" it (like JoeQwerty said, assuming same settings are being changed within the GPOs). It is the "reverse" of the norm, as I clarified in Ryan's answer. – TheCleaner May 24 '13 at 16:28
  • Thanks, this has cleared it up. Thanks again for your assistance! – PnP May 24 '13 at 16:29
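A small model of the rules both answers describe (Site, then Domain, then OU processing; last writer wins; an Enforced link locks its settings against everything processed after it, so of two enforced links the one furthest from the client prevails), added here as an example and not code from either answer or from Microsoft. The link orders and setting names are constructed to make the conflict visible.

```python
from dataclasses import dataclass, field

# Client-side processing order (local policy omitted): Site, then Domain, then OU.
LEVEL_ORDER = {"Site": 0, "Domain": 1, "OU": 2}


@dataclass
class GpoLink:
    name: str
    level: str        # "Site", "Domain" or "OU"
    enforced: bool
    link_order: int   # GPMC link order: 1 is applied last within its level
    settings: dict = field(default_factory=dict)


def processing_sequence(links):
    """Order in which the client walks the links: Site -> Domain -> OU; within one
    level the highest link-order number is processed first so that order 1 lands last."""
    return sorted(links, key=lambda l: (LEVEL_ORDER[l.level], -l.link_order))


def resolve(links):
    """Return {setting: (value, winning GPO)}. Normally the last writer wins; a setting
    written by an Enforced link is locked against every link processed after it."""
    effective, locked = {}, set()
    for link in processing_sequence(links):
        for key, value in link.settings.items():
            if key in locked:
                continue  # an enforced GPO further from the client already decided this
            effective[key] = (value, link.name)
        if link.enforced:
            locked.update(link.settings)
    return effective


# Constructed reproduction of the question's five GPOs; link orders and setting
# names are assumed, chosen so that one setting conflicts everywhere and one does not.
EXAMPLE = [
    GpoLink("GPO1", "Domain", False, 2, {"Timeout": 1, "Wallpaper": "corp.jpg"}),
    GpoLink("GPO2", "Domain", True, 1, {"Timeout": 2}),
    GpoLink("GPO3", "Site", True, 1, {"Timeout": 3}),
    GpoLink("GPO4", "OU", False, 2, {"Timeout": 4, "Wallpaper": "team.jpg"}),
    GpoLink("GPO5", "OU", True, 1, {"Timeout": 5, "LockScreen": "on"}),
]

if __name__ == "__main__":
    print([l.name for l in processing_sequence(EXAMPLE)])  # GPO3 first, GPO5 last
    for key, (value, source) in resolve(EXAMPLE).items():
        print(f"{key} = {value!r} from {source}")
```

Dropping GPO3 from the list makes GPO2 win the conflicting setting, and clearing every Enforced flag makes GPO5 win it, which is joeqwerty's point about enforcement only mattering for settings the GPOs have in common.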