Windows Group Policy - Understanding the order of application for two GPOs: rules and challenges

Marco Lusardi 51 Reputation points
2023-11-23T16:37:24.15+00:00

Hi there.

I am having trouble understanding the order of application of two GPOs. In this article https://learn.microsoft.com/it-it/archive/blogs/musings_of_a_technical_tam/group-policy-basics-part-2-understanding-which-gpos-to-apply I found different ways to change the order of application of GPOs: "The simple rule to remember is that the last GPO applied will overwrite any settings applied earlier".

The request should be simple:

I have a list of sites in Control Panel/Internet Properties/Security under both Local Intranet and Trusted Sites and I need to delete all these sites and then add a new list because I have found many sites that I want to remove.

To do this, I created two GPOs, one for the deletion of existing sites and one for the addition of new lists of sites.

GPO (A) to delete existing sites:

GPO path: User Configuration>Preferences>Windows Settings>Registry

Action: Delete HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

GPO (B) to add new sites:

GPO path: User Configuration>Policies>Administrative Templates>Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List (Sites are listed here)

I have linked the two GPOs to a specific OU containing a test computer (yes, there is a third policy to enable loopback processing mode).

When I apply just one of the two GPOs, it works. However, I want to apply both GPOs together to avoid forcing the user to log on multiple times, but when I enable both policies, when the user logs on to their computer, all locations in the ZoneMapKey are deleted.

The GPOs seem to be different, one deletes a registry key while the other configures a control panel item, so I am not sure if it is the "Linked Order" in "Linked Group Policy Objects". I tried changing the order but without success. Also, I do not see this as a 'more restrictive GPO' problem, as the two GPOs work in two different ways, as I wrote above.

In addition to changing the order in 'Linked Order' to 'Linked Objects of Group Policy', I tried changing where I apply the GPOs, GPO (A) linked to the domain and GPO (B) linked to the computer OU, but still it did not work.

Thanks
Marco


1 answer

  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 34,191 Reputation points Microsoft Vendor
    2023-11-27T06:32:48.6233333+00:00

    Hi,

    You cannot apply both these GPOs because GPO (B) modifies the same registry value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey as GPO (A).

    https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.InternetExplorer::IZ_Zonemaps

    Best Regards,

    Ian Xue


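A read-only way to see what is left in the key that both GPOs touch after a logon, as an added example that is not part of the original thread. It assumes it is run in the affected user's session; the zone-number mapping is the one documented in the Site to Zone Assignment List policy text.

```powershell
# Added example: inspect the policy-managed Site to Zone Assignment List for the
# current user, then list which GPOs were applied. Nothing is modified.
$key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Zone numbers as used by the "Site to Zone Assignment List" policy.
$zoneNames = @{
    '1' = 'Local Intranet'
    '2' = 'Trusted Sites'
    '3' = 'Internet'
    '4' = 'Restricted Sites'
}

if (-not (Test-Path -LiteralPath $key)) {
    # Key missing: no policy-assigned sites are in effect for this user.
    Write-Warning "ZoneMapKey does not exist under HKCU\Software\Policies for this user."
}
else {
    $item  = Get-Item -LiteralPath $key
    $sites = foreach ($name in $item.GetValueNames()) {
        # Each value name is a site; its data is the zone number.
        $zone = [string]$item.GetValue($name)
        [pscustomobject]@{
            Site     = $name
            Zone     = $zone
            ZoneName = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { 'Unknown' }
        }
    }

    if (-not $sites) {
        Write-Warning "ZoneMapKey exists but contains no site entries."
    }
    else {
        $sites | Sort-Object Zone, Site | Format-Table -AutoSize
    }
}

# Show the GPOs applied to (and filtered out for) the user, to confirm that
# both GPO (A) and GPO (B) were processed during this logon.
gpresult /r /scope user
```

Running it once with only GPO (B) linked and once with both linked shows whether the site list written by the administrative template survives the registry delete.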