GPO provides unexpected value

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic explains common causes for unexpected GPO values due to GPO precedence, inheritance, and related scope of management issues.

Causes

  • Conflict resolution applies to individual settings, not to entire GPOs. It could easily happen that one setting in a GPO encounters a conflict but all other settings in that GPO are applied.

  • The GPO with the lowest link number prevails over other GPOs that are linked to the same site, domain, or OU. You can use GPMC to change the order of links for a specific site, domain, or OU. (The links are a property of the site, domain, or OU; they are not a property of the GPO.)

  • If a Group Policy link is disabled, the GPO will not apply to users or computers within the container to which that GPO is linked.

  • The Enforce setting is a property of the link between an Active Directory container and a GPO. It is used to force that GPO to all Active Directory objects within a container, no matter how deeply they are nested. The settings within a GPO that is enforced override other settings that would prevail because they are applied later. If there are conflicting settings in GPOs that are enforced at two levels of the hierarchy, the setting enforced furthest from the client prevails. This is a reversal of the usual rule, in which the setting from the nearest-linked GPO would prevail.

The actual effect of Enforce is to change the order of processing. The settings in an Enforced GPO are processed after the settings of all other GPOs are processed.

  • The Block Inheritance setting applies to an entire Active Directory container. It blocks the inheritance of all GPOs except for those for which the link from the parent Active Directory object to the GPO has the Enforce setting enabled.

  • Administrators who have set Block Inheritance on their domain or OU can still make explicit links to GPOs elsewhere in the domain, including GPOs that might otherwise be inherited. (Domains do not inherit GPOs from parent domains.) When Block Inheritance is applied at a domain level, it blocks GPOs that are linked to sites.
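The rules above (link order, disabled links, Enforce, Block Inheritance, and per-setting conflict resolution) can be worked through on a small constructed hierarchy. The following simulator is an added example, not Microsoft code and not GPMC output; the container names, GPO names, and settings are made up for illustration, and the Link and Container classes are assumptions of the example. It builds the processing order a client would see and then resolves each setting individually, so you can see which GPO wins each conflict and why (for instance, that a GPO enforced at the domain beats one enforced at a nearer OU).

```python
"""Simulate GPO precedence: site/domain/OU order, link order, disabled links,
Enforce, and Block Inheritance.  Constructed example, not Microsoft code."""
from dataclasses import dataclass


@dataclass
class Link:
    gpo: str            # name of the linked GPO
    enabled: bool = True
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list         # ordered by link number: index 0 is link 1 (highest precedence)
    block_inheritance: bool = False


def processing_order(chain):
    """Return GPO names in the order the client applies them (the last one wins).

    chain lists the containers from the client's site down to its own OU,
    i.e. the container furthest from the client comes first.
    """
    # Block Inheritance on a container drops every non-enforced link from the
    # containers above it; only the nearest block matters, it covers the rest.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=None)

    normal, enforced = [], []
    for depth, container in enumerate(chain):
        blocked = block_at is not None and depth < block_at
        # Higher link numbers are processed first so that link 1 is applied last and prevails.
        for link in reversed(container.links):
            if not link.enabled:
                continue                            # a disabled link is simply ignored
            if link.enforced:
                enforced.append((depth, link.gpo))  # immune to Block Inheritance
            elif not blocked:
                normal.append(link.gpo)
    # Enforced GPOs are processed after all others; among them, the one enforced
    # furthest from the client is processed last, so its settings prevail.
    enforced.sort(key=lambda item: -item[0])
    return normal + [gpo for _, gpo in enforced]


def resolve(chain, gpos):
    """Apply GPOs in processing order; conflicts are resolved per setting, not per GPO."""
    effective, winner = {}, {}
    for name in processing_order(chain):
        for setting, value in gpos[name].items():
            effective[setting] = value
            winner[setting] = name
    return effective, winner


# --- constructed hierarchy: site -> domain -> Sales OU -> East OU (client's OU) ---
GPOS = {
    "Site-Wallpaper": {"Wallpaper": "site.bmp"},
    "Default-Domain": {"Wallpaper": "domain.bmp", "MinPwdLen": 8},
    "Domain-Pwd":     {"MinPwdLen": 12},
    "Sales-A":        {"Wallpaper": "sales.bmp", "Screensaver": "on"},
    "Sales-B":        {"Wallpaper": "salesb.bmp"},
    "Sales-Lock":     {"MinPwdLen": 10, "Lockout": 5},
    "East-1":         {"Screensaver": "off", "MinPwdLen": 6},
    "East-2":         {"Screensaver": "on", "Wallpaper": "east.bmp"},
}

CHAIN = [
    Container("Default-First-Site", [Link("Site-Wallpaper")]),
    Container("corp.example", [Link("Domain-Pwd", enforced=True), Link("Default-Domain")]),
    Container("OU=Sales",
              [Link("Sales-A"), Link("Sales-B", enabled=False), Link("Sales-Lock", enforced=True)],
              block_inheritance=True),
    Container("OU=East,OU=Sales", [Link("East-1"), Link("East-2")]),
]

if __name__ == "__main__":
    print("processing order:", processing_order(CHAIN))
    effective, winner = resolve(CHAIN, GPOS)
    for setting in sorted(effective):
        print(f"{setting:12} = {str(effective[setting]):12} (from {winner[setting]})")
```

Running it shows the processing order Sales-A, East-2, East-1, Sales-Lock, Domain-Pwd: the site and Default-Domain GPOs are blocked at OU=Sales, the disabled Sales-B link is skipped, East-1 (link 1) beats East-2 for the Screensaver setting even though both sit on the same OU, and MinPwdLen ends up as 12 from Domain-Pwd because the GPO enforced furthest from the client is processed last. Removing Block Inheritance from OU=Sales puts Site-Wallpaper and Default-Domain back at the front of the order, which matches what the Group Policy Inheritance tab in GPMC lists for the container.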

Solutions

Perform the following procedures to resolve this issue.

To view or change precedence order of GPOs

  1. Open GPMC and click any site, domain, or organizational unit node.

  2. Click the Group Policy Inheritance tab and examine the precedence order of the GPOs. Within each domain, site, and organizational unit, the link order controls when links are applied.

  3. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. The link with the higher order (with 1 being the highest order) has the higher precedence for a given site, domain, or organizational unit. For example, if you add six GPO links and later decide that you want the last one that you added to have highest precedence, you can move the GPO link to the top of the list.

To check GPO links

  1. In GPMC, select the GPO you are troubleshooting, and then click the Scope tab. You will see the containers that are linked to the GPO and the status of those links.

  2. To change the status of a link, click the Details tab, and then in GPO Status, choose an option. You can enable all settings, disable only computer settings, or disable only user settings.