Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Group Policies' order of application

When security policies are being applied at the Group level, the order in which they are applied can be tricky. This tip provides a way to remember the order.

One or more group policies (GPOs) can be defined for each domain, site, and organizational unit (OUs) in a forest (that is, an entire Active Directory domain network). All of the GPOs can be managed from a Windows 2000 or Server 2003 domain controller system through the Active Directory Users and Computers utility as well as several others.

There is one local security policy for every local system that is running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional or Windows Server 2003. The local security policy can be managed directly only on the local system through the Administrative Tools link or via the MMC. When a Windows XP Professional system is a domain client, multiple GPOs may be applied to it in addition to its own local security policy.

Group policies are applied in the following order:

  1. Any existing legacy Windows NT 4.0 ntconfig.pol files are applied.
  2. Any unique local security policy is applied
  3. Any site group policies are applied.
  4. Any domain group policies are applied.
  5. Any organizational units (OU) group policies are applied.

One simple way to remember this order is LSDOU (local, site, domain, organizational unit). As long as you can remember that any legacy Windows NT 4.0 ntconfig.pol files are applied first, then LSDOU can help you keep track of the order of the remainder.

Do keep in mind that multiple GPOs can be applied at each Active Directory domain container level (site, domain, and OU). Within each of these containers, there is a manually defined priority order of application. In the list of applicable GPOs, the bottom GPO is applied first and the top GPO is applied last. This means the top GPO has priority and overwrites any settings made by previously applied GPOs. This is a general principle of GPO application: the last GPO to be applied takes precedence over all previously applied GPOs. Group policies are applied upon startup and each time a user logs on. Group policies are refreshed every 90 minutes if there are any changes and every 16 hours if there are no changes.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

Dig Deeper on Windows systems and network management