Priority order for the application of GPOs

This content is 20 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

The group policy management console (GPMC) integrates group policy functionality from a variety of Active Directory administrative tools into a single, unified console dedicated to group policy management tasks. One of the many useful features of GPMC is the ability to carry out group policy modelling, for example when diagnosing issues with GPO application.

Policies are applied in the following order:

  1. Local
  2. Site
  3. Domain
  4. Organizational unit (OU)
  5. Child OU
  6. [Child OU etc.]

When a container (site, domain or OU) has links to multiple GPOs, these can be assigned a link order to designate an order of precedence. Sounds straightforward enough, except that to me, the term “link order” suggests the order in which links to GPOs are applied – i.e. 1, then 2, then 3, etc. In that way, if GPO a (with link order 1) is overridden by a setting in GPO b (with link order 2), then GPO b (second to be applied) would be the winning GPO. Except that it doesn’t work that way!

Microsoft’s Group Policy Management Console Technical Reference provides a full description of how GPMC can be used, and provided me with a gem of information that seems to me totally illogical, but solved a problem I’ve been struggling with this afternoon:

“When a container has multiple GPO links, administrators can use GPMC to manipulate the link order for every container. GPMC assigns each link a link order number; the GPO link with link order of 1 has highest precedence on that container.”

The GPO with link order 1 has the highest priority – i.e. it is applied last! I switched the policy link order and now the resultant set of policies is exactly the way I need it to be.
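The precedence rule above can be replayed as a small model. This is an added example, not code from the original post or from Microsoft: the setting names, values and the "Domain baseline" GPO are constructed, and it assumes plain links only (no enforced links, blocked inheritance or filtering).

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    gpo: str         # GPO name (constructed)
    link_order: int  # GPMC link order on its container; 1 = highest precedence
    settings: dict   # configured settings only (constructed names and values)

def application_sequence(containers):
    """containers: list of (container name, [GpoLink]) ordered Local, Site,
    Domain, OU, child OU. Returns the links in the order they are applied."""
    sequence = []
    for _name, links in containers:
        # Within one container the highest link order number is applied first,
        # so link order 1 is applied last and overwrites the others.
        sequence.extend(sorted(links, key=lambda l: l.link_order, reverse=True))
    return sequence

def resultant_set(containers):
    """Replay the sequence; the last GPO to write a setting wins it."""
    result = {}
    for link in application_sequence(containers):
        for setting, value in link.settings.items():
            result[setting] = (value, link.gpo)
    return result

def swap_link_order(links, a, b):
    """Return a copy of links with the link orders of GPOs a and b exchanged."""
    order = {l.gpo: l.link_order for l in links}
    order[a], order[b] = order[b], order[a]
    return [GpoLink(l.gpo, order[l.gpo], l.settings) for l in links]

# Constructed sample: two GPOs linked to the same OU set the same value.
OU_LINKS = [
    GpoLink("GPO a", 1, {"ScreenSaverTimeout": 600}),
    GpoLink("GPO b", 2, {"ScreenSaverTimeout": 300, "LockWorkstation": True}),
]
DOMAIN_LINKS = [GpoLink("Domain baseline", 1, {"ScreenSaverTimeout": 900})]

def build(ou_links):
    """Container path for the sample: the domain first, then the OU."""
    return [("Domain", DOMAIN_LINKS), ("OU", ou_links)]

if __name__ == "__main__":
    swapped = swap_link_order(OU_LINKS, "GPO a", "GPO b")
    for label, links in (("as linked", OU_LINKS), ("after swap", swapped)):
        print(label, resultant_set(build(links)))
```

Settings that only one GPO configures, such as the constructed `LockWorkstation` value, survive regardless of link order; only conflicting settings are decided by it.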

6 thoughts on “Priority order for the application of GPOs”

  1. Mr Mark, whatever you have written is right up to some point, and after that, in the conclusion, it’s wrong and contradictory to truth.

    Please fix that or delete this misleading blog.

  2. I agree on the surface it does seem illogical.

    Everywhere I looked it said “with the lowest” but no one said “lowest” numerically or lowest in list order. It seems more intuitive if it went by list order but with MS GPO first means last.

    I’m sure there is a good reason for it being this way once your network gets big enough for ours is but a wee LAN and for our purposes the logic is backwards.
