How the resulting policy set is determined

The order in which Group Policy Objects apply is significant because, by default, policy applied later overwrites policy applied earlier for each setting where the later applied policy was either Enabled or Disabled. Settings that are Not Configured don’t overwrite anything — any Enabled or Disabled setting applied earlier is allowed to persist. You can modify this default behavior by forcing or preventing Group Policy Objects from affecting specific groups of users or computers, but in most cases, you should avoid doing so.

As an example, consider an organization with a single domain called arcade.com which is divided into the following top-level organizational units:

  • USA
  • Spain
  • Korea

Each of these may be divided into lower-level organizational units, indicating major departmental or functional groupings for the top-level organizational unit. For example, the USA organizational unit may be divided into CorporateHQ, Development, and Sales.

A computer placed in the CorporateHQ organizational unit might then have several different Group Policy Objects applied to it. For example, the arcade.com organization might have a default domain Group Policy Object that applies to all organizational units in the domain, and each organizational unit might also have its own Group Policy Object applied.

The following table illustrates the configuration settings for two computer configuration policies—Windows Update > Configure Automatic Updates and Windows Media Player > Prevent Desktop Shortcut Creation—for the Group Policy Objects applied to the example organization arcade.com.

| GPO name | Linked to | Sample policy configuration settings |
|---|---|---|
| Default Domain Policy | arcade.com | Configure Automatic Updates: Enabled with Auto download and notify for install; Prevent Desktop Shortcut Creation: Enabled |
| USA-Specific | USA | Configure Automatic Updates: Not Configured; Prevent Desktop Shortcut Creation: Enabled |
| All Development | CorporateHQ | Configure Automatic Updates: Not Configured; Prevent Desktop Shortcut Creation: Disabled |

For example, if you were managing the default domain policies used in this example, you would:

  1. Start Active Directory Users and Computers.
  2. Right-click the domain, arcade.com, then click Properties.
  3. Click the Group Policy tab.
  4. Select the Default Domain Policy, then click Edit to open the Default Domain Policy in the Group Policy Object Editor.
  5. Click Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates, set it to Enabled, select the Auto download and notify for install update option, and click OK.
  6. Click Computer Configuration > Administrative Templates > Windows Components > Windows Media Player > Prevent Desktop Shortcut Creation, set it to Enabled, and click OK.

When all of the policies described in the table are applied in their default order, a computer in the CorporateHQ organizational unit would be configured with the following policy settings:

  • Configure Automatic Updates: Enabled with Notify for download and notify for install
  • Prevent Desktop Shortcut Creation: Disabled
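The precedence rule can be modelled in a few lines. The following Python sketch is an added example, not part of the original documentation: it computes the resulting state of each setting for the table's GPOs and reports which lower-level GPOs override a setting configured higher up, which is the case worth reviewing when a domain-wide baseline is expected to hold. The class and function names are hypothetical, only the Enabled/Disabled/Not Configured state is modelled, and the `enforced` flag goes beyond the table to model the forcing option mentioned earlier.

```python
from dataclasses import dataclass

NOT_CONFIGURED = "Not Configured"

@dataclass
class GpoLink:
    name: str
    linked_to: str
    settings: dict          # setting name -> "Enabled" | "Disabled" | NOT_CONFIGURED
    enforced: bool = False  # assumption: stands in for the "forcing" option

# The table's GPOs in default application order for a CorporateHQ computer.
# Only the state is modelled; the Automatic Updates option is left out.
ARCADE_LINKS = [
    GpoLink("Default Domain Policy", "arcade.com", {
        "Configure Automatic Updates": "Enabled",
        "Prevent Desktop Shortcut Creation": "Enabled"}),
    GpoLink("USA-Specific", "USA", {
        "Configure Automatic Updates": NOT_CONFIGURED,
        "Prevent Desktop Shortcut Creation": "Enabled"}),
    GpoLink("All Development", "CorporateHQ", {
        "Configure Automatic Updates": NOT_CONFIGURED,
        "Prevent Desktop Shortcut Creation": "Disabled"}),
]

def resultant_set(links):
    """Return {setting: (state, winning GPO)} for links given in application order."""
    # Non-enforced links apply in order. Enforced links apply afterwards,
    # highest level last, so an enforced parent beats any child GPO.
    ordered = [g for g in links if not g.enforced] + \
              [g for g in reversed(links) if g.enforced]
    result = {}
    for link in ordered:
        for setting, state in link.settings.items():
            if state != NOT_CONFIGURED:  # Not Configured never overwrites
                result[setting] = (state, link.name)
    return result

def overridden(links):
    """List (setting, losing GPO, winning GPO) where a configured state did not survive."""
    final = resultant_set(links)
    return [(s, g.name, final[s][1]) for g in links
            for s, v in g.settings.items()
            if v != NOT_CONFIGURED and v != final[s][0]]

if __name__ == "__main__":
    for setting, (state, source) in resultant_set(ARCADE_LINKS).items():
        print(f"{setting}: {state} (from {source})")
```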

The User Configuration policies applied in a Group Policy Object are also determined by the organizational unit of which a UNIX user is a member. For example, if you define separate User Configuration policies in a Group Policy Object linked to the USA organizational unit, you must also add the users to this organizational unit for the policies to apply. For more information, see Applying policies in nested organizational units.