Group Policy processing and precedence

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

Order of processing settings

This section provides details about the order in which Group Policy settings for users and computers are processed. For information about where the processing of policy settings fits into the framework of computer startup and user logon, see step 3 of the startup sequence and step 4 of the logon sequence in Startup and logon, in this topic.

Group Policy settings are processed in the following order:

  1. **Local Group Policy object—**Each computer has exactly one Group Policy object that is stored locally. It is processed during both computer and user Group Policy processing.

  2. **Site—**Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

  3. **Domain—**Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

  4. **Organizational units—**GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

    At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, so their settings overwrite those of earlier GPOs wherever the two conflict. (If there are no conflicts, the earlier and later settings are simply aggregated.) In practice this means that whoever can edit a GPO linked to, or link a new GPO to, the organizational unit nearest the computer or user can override a site- or domain-level setting, unless the higher-level link is enforced.

Exceptions to the default order of processing settings

The default order for processing settings is subject to the following exceptions:

  • A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.

  • A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.

  • An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.

For information about the above modifications to default behavior, see Managing inheritance of Group Policy.
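The rules in this section and the exceptions just listed can be checked against a small model. The following Python script is an added example written for this topic; it is not Microsoft code, and the site, domain, organizational unit, GPO and setting names in it are constructed. It builds the processing order for a computer in a child OU, once with Block Inheritance set on that OU and once without, and reports which GPO wins each setting; the enforced domain baseline survives the block while the parent OU's hardening does not.

```python
"""Model of the Group Policy processing order described in this topic.
Added example, not Microsoft code; all names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict                    # setting name -> value
    user_disabled: bool = False       # GPO status: user settings disabled
    computer_disabled: bool = False   # GPO status: computer settings disabled

@dataclass
class Link:
    gpo: Gpo
    link_order: int                   # GPMC Link Order: 1 = highest precedence
    enforced: bool = False
    enabled: bool = True              # a disabled link is skipped

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False   # meaningful for a domain or OU only


def processing_order(local_gpo, containers, scope):
    """Return GPOs in processing order (first -> last) for one scope.
    containers: [site, domain, OU, child OU, ...] from the top of the
    hierarchy down to the container holding the computer or user.
    scope: "computer" or "user". The last GPO has the highest precedence."""
    def applies(gpo):
        return not (gpo.computer_disabled if scope == "computer" else gpo.user_disabled)

    # Only the deepest Block Inheritance matters: every non-enforced link
    # from a container above it is dropped.
    block_at = max((i for i, c in enumerate(containers) if c.block_inheritance),
                   default=-1)

    normal, enforced = [], []
    for depth, container in enumerate(containers):
        # Within a container: highest link order number first, link order 1 last.
        for link in sorted(container.links, key=lambda ln: ln.link_order, reverse=True):
            if not link.enabled or not applies(link.gpo):
                continue
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= block_at:
                normal.append(link.gpo)

    # Enforced links run after all non-enforced ones, deepest container
    # first, so an enforced domain link beats an enforced OU link.
    enforced.sort(key=lambda item: (-item[0], -item[1].link_order))

    order = []
    # The local GPO is not an Active Directory link: it is always processed
    # first and is not affected by Block Inheritance.
    if local_gpo is not None and applies(local_gpo):
        order.append(local_gpo)
    return order + normal + [link.gpo for _, link in enforced]


def effective_settings(order):
    """Apply GPOs in processing order; returns setting -> (value, winning GPO)."""
    effective = {}
    for gpo in order:
        for name, value in gpo.settings.items():
            effective[name] = (value, gpo.name)   # later GPO overwrites on conflict
    return effective


# Constructed sample: a computer in OU=Lab,OU=Workstations of example.local.
LOCAL = Gpo("Local GPO", {"LockScreenTimeout": 900})
SITE = Container("Default-First-Site-Name", [
    Link(Gpo("Site Proxy", {"ProxyServer": "proxy.site"}), link_order=1)])
DOMAIN = Container("example.local", [
    Link(Gpo("Security Baseline", {"RequireSMBSigning": True, "LockScreenTimeout": 600}),
         link_order=1, enforced=True),
    Link(Gpo("Domain Defaults", {"ProxyServer": "proxy.corp", "Wallpaper": "corp.jpg"},
             user_disabled=True), link_order=2),
    Link(Gpo("Legacy Proxy", {"ProxyServer": "proxy.old"}), link_order=3)])
WORKSTATIONS = Container("OU=Workstations", [
    Link(Gpo("Workstation Hardening", {"LockScreenTimeout": 300, "ScreenSaverActive": True}),
         link_order=1)])
LAB = Container("OU=Lab,OU=Workstations", [
    Link(Gpo("Lab Relaxed", {"RequireSMBSigning": False, "LockScreenTimeout": 3600}),
         link_order=1)])


def resolve(scope="computer", lab_blocks_inheritance=True):
    """Processing order (GPO names) and effective settings for OU=Lab."""
    LAB.block_inheritance = lab_blocks_inheritance
    order = processing_order(LOCAL, [SITE, DOMAIN, WORKSTATIONS, LAB], scope)
    return [g.name for g in order], effective_settings(order)


if __name__ == "__main__":
    for blocked in (True, False):
        names, eff = resolve("computer", lab_blocks_inheritance=blocked)
        print(f"Block Inheritance on OU=Lab: {blocked}; order: {' -> '.join(names)}")
        for name, (value, winner) in sorted(eff.items()):
            print(f"  {name} = {value!r}  (from {winner})")
```

With Block Inheritance on OU=Lab the processing order is Local GPO, Lab Relaxed, Security Baseline: the site proxy, the domain defaults and the Workstations hardening are all discarded, but the enforced baseline is still applied last and keeps SMB signing on and the lock timeout at 600. Without the block, Legacy Proxy (link order 3) is processed before Domain Defaults (link order 2), so the domain's proxy.corp wins, and Domain Defaults is skipped entirely in the user scope because its user settings are disabled.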

Startup and logon

The following sequence shows the order in which computer policy and user policy are applied when a computer starts and a user logs on:

  1. Network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. (Windows XP Professional is an exception to this rule. By default, on Windows XP Professional, Group Policy processing does not wait for the network to start. This default behavior can be changed by a policy setting.)

  2. An ordered list of GPOs is obtained for the computer. The list might depend on these factors:

    • Whether the computer is part of a domain and therefore subject to Group Policy through Active Directory.

    • The location of the computer in Active Directory.

    • Whether the list of GPOs, or the version of any GPO in it, has changed since the last refresh. If nothing has changed, no processing is done. You can use a policy setting to change this behavior (the "Process even if the Group Policy objects have not changed" option on each client-side extension's processing policy); without it, a setting that was changed locally on the computer is not reapplied until a GPO changes.

    • Any enforcements or blocks set by the administrator. An administrator can mark a GPO link at a higher level as Enforced (previously called No Override) so that it always applies. Alternatively, an administrator can set Block Inheritance on a container so that GPOs linked at higher levels do not apply to it. Note: An enforced link at a higher level continues to apply even when Block Inheritance is set on a container below it.

  3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. GPOs are applied in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No notification appears while computer policies are processed. Verbose logging to show notification of computer policies processed can be turned on via policy.

    For details about the order in which settings are processed when user or computer policy is applied, see Order of processing settings, in this topic.

  4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.

Note

  • Any version of Windows XP Professional provides a fast logon optimization feature. By default, computers with these operating systems do not wait for the network to start when they boot up. After logon, policy is processed in the background once the network is available. This means that at logon and startup, the computer will continue to use the earlier policy settings. Therefore, for settings that can only be applied at boot or logon (such as software installation and folder redirection), more than one logon can be required by the user after the initial change is made to the GPO. This behavior is controlled by the setting in Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon. This feature is not available on Windows 2000 or Windows Server 2003.

  1. The user presses CTRL-ALT-DEL to log on.

  2. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.

  3. An ordered list of GPOs is obtained for the user. The list might depend on these factors:

    • Whether the user is part of a domain and therefore subject to Group Policy through Active Directory.

    • Whether loopback is enabled, and the state (Merge or Replace) of the loopback policy setting.

    • The location of the user in Active Directory.

    • Any enforcements or blocks set by the administrator. An administrator can mark a GPO link at a higher level as Enforced (previously called No Override) so that it always applies. Alternatively, an administrator can set Block Inheritance on a container so that GPOs linked at higher levels do not apply to it. Note: An enforced link at a higher level continues to apply even when Block Inheritance is set on a container below it.

  4. User policy is applied. These are the settings under User Configuration from the gathered list. GPOs are processed in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No notification appears while user policies are processed. (Notification can be turned on through policy.)

    For details about the order in which settings are processed when user or computer policy is applied, see Order of processing settings, in this topic.

  5. Logon scripts run. Unlike Windows NT 4.0 scripts, Group Policy–based logon scripts are hidden and asynchronous by default. The user object script runs last in a normal window. There is also a time-out on logon scripts.

  6. The operating system user interface that is prescribed by Group Policy appears.

Important

  • Three special cases deserve consideration during migration:

    • If the computer account object is in a Windows NT 4.0 domain and the user account object is in Active Directory, System Policy for the computer only (not user) is processed when the user logs on. Then, user (not computer) Group Policy is processed.

    • If the computer account object is in Active Directory and the user account object is in a Windows NT 4.0 domain, computer (not user) Group Policy is processed during computer startup. When the user logs on, System Policy for the user (not computer) is processed.

    • If both the computer account and the user account are in a Windows NT 4.0 domain, only System Policy (not Group Policy) for the computer and user is applied when the user logs on.

Note

  • Several of these events can be modified. You can set policies to:

    • Reverse the synchronous or asynchronous defaults for running scripts.

    • Specify when scripts time out. By default, scripts time out after 600 seconds.

    • Change whether scripts are run hidden, minimized, or in a normal window.

See Also

Concepts

Deployment considerations for Group Policy
Controlling the Scope of Group Policy Objects using GPMC