Group Policies' order of application

James Michael Stewart, Contributor

One or more group policies (GPOs) can be defined for each domain, site, and organizational unit (OUs) in a forest (that is, an entire Active Directory domain network). All of the GPOs can be managed from a Windows 2000 or Server 2003 domain controller system through the Active Directory Users and Computers utility as well as several others.

There is one local security policy for every local system that is running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional or Windows Server 2003. The local security policy can be managed directly only on the local system through the Administrative Tools link or via the MMC. When a Windows XP Professional system is a domain client, multiple GPOs may be applied to it in addition to its own local security policy.

Group policies are applied in the following order:

  1. Any existing legacy Windows NT 4.0 ntconfig.pol files are applied.
  2. Any unique local security policy is applied
  3. Any site group policies are applied.
  4. Any domain group policies are applied.
  5. Any organizational units (OU) group policies are applied.

One simple way to remember this order is LSDOU (local, site, domain, organizational unit). As long as you can remember that any legacy Windows NT 4.0 ntconfig.pol files are applied first, then LSDOU can help you keep track of the order of the remainder.

Do keep in mind that multiple GPOs can be applied at each Active Directory domain container level (site,

    Requires Free Membership to View

    Login

domain, and OU). Within each of these containers, there is a manually defined priority order of application. In the list of applicable GPOs, the bottom GPO is applied first and the top GPO is applied last. This means the top GPO has priority and overwrites any settings made by previously applied GPOs. This is a general principle of GPO application: the last GPO to be applied takes precedence over all previously applied GPOs. Group policies are applied upon startup and each time a user logs on. Group policies are refreshed every 90 minutes if there are any changes and every 16 hours if there are no changes.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in September 2004

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top