Order in which policies are applied

You can link Group Policy Objects throughout the hierarchical structure of the Active Directory environment. When you have different policies at different levels, they are applied in the following order unless you explicitly configure them to block inheritance or behave differently:

  • Local Group Policy Objects are applied first.
  • Site-level Group Policy Objects are applied in priority order.
  • Domain-level Group Policy Objects are applied in priority order.
  • Organizational Unit-level Group Policy Objects are applied in priority order down the hierarchical structure of your organization, so that the last Group Policy Object applied is the one linked to the Organizational Unit in which the user or computer resides.

As this set of rules suggests, a Group Policy Object linked to a site applies to all domains at the site. A Group Policy Object applied to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in organizational units and containers farther down the Active Directory tree.

A Group Policy Object applied to an organizational unit applies directly to all users and computers in the organizational unit and by inheritance to all users and computers in its child organizational units.

You can modify the specific users and computers the GPO is applied to by choosing a different point in the hierarchy, blocking the default inheritance, using security groups to create Access Control Lists, or defining WMI filters.

Note: There are four group policies (run command, sudo, crontab entries and Linux firewall) that can merge the lines of different group policies into a resulting group policy. For the policies to merge, the policy in each group policy must be enforced. Policies with higher precedence will be placed lower in the resulting multi-line policy. (Ref: CS-21048a)
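The following is an added example (not part of this documentation, and not the product's own processing code) that models the application order described above: levels are processed local, site, domain, then Organizational Units top-down, a later value overrides an earlier one, Block Inheritance discards the links above the blocking level, and the four multi-line policies merge only when every contributing GPO has the policy enforced, with higher-precedence lines placed lower. The GPO names, policy names and sudo lines are constructed sample data; enforced links (as opposed to enforced policy settings) are not modelled.

```python
from dataclasses import dataclass, field

# The four policies the note above says can merge across GPOs.
MERGEABLE = {"run_command", "sudo", "crontab", "firewall"}

@dataclass
class GPO:
    name: str
    settings: dict                               # policy -> value, or list of lines
    enforced: set = field(default_factory=set)   # policies flagged "enforced" in this GPO

@dataclass
class Level:
    name: str                       # "local", "site", "domain", or an OU name
    gpos: list                      # priority order: lowest precedence first, highest last
    block_inheritance: bool = False

def effective_policy(levels):
    """Apply levels in local/site/domain/OU order; a later value overrides an earlier one."""
    # Block Inheritance discards the site/domain/parent-OU links above that
    # level but never the Local GPO.  (Simplification: enforced links are not modelled.)
    start = max([i for i, lv in enumerate(levels) if lv.block_inheritance], default=0)
    active = [lv for i, lv in enumerate(levels) if i >= start or lv.name == "local"]
    result, all_enforced = {}, {}   # all_enforced[p]: every contributor so far was enforced
    for level in active:
        for gpo in level.gpos:
            for policy, value in gpo.settings.items():
                enforced = policy in gpo.enforced
                if policy in MERGEABLE and policy in result and enforced and all_enforced[policy]:
                    # Merge: lines from the higher-precedence GPO are placed lower.
                    result[policy] = result[policy] + list(value)
                else:
                    result[policy] = list(value) if policy in MERGEABLE else value
                all_enforced[policy] = enforced
    return result

def demo(block_at_servers=False, web_sudo_enforced=True):
    """Constructed hierarchy: local -> site -> domain -> OU=Servers -> OU=Web."""
    local = Level("local", [GPO("Local", {"banner": "local"})])
    site = Level("site", [GPO("SiteGPO", {"sudo": ["siteadmins ALL=(ALL) ALL"], "banner": "site"}, {"sudo"})])
    domain = Level("domain", [GPO("DomainGPO", {"sudo": ["domainadmins ALL=(ALL) ALL"]}, {"sudo"})])
    servers = Level("OU=Servers", [GPO("ServersGPO", {"banner": "servers"})], block_at_servers)
    web = Level("OU=Web", [GPO("WebGPO", {"sudo": ["webops ALL=(ALL) /bin/systemctl"]},
                               {"sudo"} if web_sudo_enforced else set())])
    return effective_policy([local, site, domain, servers, web])
```

Running `demo()` yields a three-line sudo policy ordered site, domain, OU (highest precedence last) and the OU=Servers banner; turning off enforcement on the OU=Web GPO makes its single sudo line replace the merged result instead.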