GPO Enforced Precedence

active-directory, group-policy

What is the precedence for Enforced GPOs? I can't really find any MS articles which give a refined answer.

My current understanding is as follows:

Let's say we have 5 GPOs – GP01 through GP05. I will use an exam question to put it into context.

GPO    Linked to      Enforced
GP01   contoso.com    No
GP02   contoso.com    Yes
GP03   Site 1         Yes
GP04   OU1            No
GP05   OU1            Yes

Now my understanding would mean they apply in this order, from the first to apply to the last to apply (thus the one with the most precedence).

GP01 -> GP04 -> GP05 -> GP02 -> GP03 (meaning 3 has the final say on any duplicates)

Am I correct in my understanding? Many thanks!

Best Answer

I wrote about this here: http://myotherpcisacloud.com/post/2012/08/14/GPO-Application-Precedence-Just-Because-You-Can-Edition.aspx

TL;DR - The uppermost or parent GPO that is also enforced will win.

From Microsoft:

You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced.

EDIT:

See here as well: GPO provides unexpected value

There it specifically states:

The Enforce setting is a property of the link between an Active Directory container and a GPO. It is used to force that GPO to all Active Directory objects within a container, no matter how deeply they are nested. The settings within a GPO that is enforced override other settings that would prevail because they are applied later. If there are conflicting settings in GPOs that are enforced at two levels of the hierarchy, the setting enforced furthest from the client prevails. This is a reversal of the usual rule, in which the setting from the nearest-linked GPO would prevail.
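A small model of the rule quoted above, added here as an illustration; it is not code from the question, the answer, or Microsoft. It assumes the hierarchy Site 1 → contoso.com → OU1 from the question and leaves out local policy, link order within a single container, and security/WMI filtering.

```python
from dataclasses import dataclass

# Containers from furthest from the client to nearest, in the order Group
# Policy processes them. Local policy is omitted (assumption of this example).
SCOPE_ORDER = ["Site 1", "contoso.com", "OU1"]


@dataclass(frozen=True)
class GpoLink:
    gpo: str
    scope: str
    enforced: bool


# The five links from the question's table (constructed sample data).
LINKS = [
    GpoLink("GP01", "contoso.com", False),
    GpoLink("GP02", "contoso.com", True),
    GpoLink("GP03", "Site 1", True),
    GpoLink("GP04", "OU1", False),
    GpoLink("GP05", "OU1", True),
]


def application_order(links, scope_order=SCOPE_ORDER, block_inheritance_at=None):
    """Return GPO names in the order they are applied; the last one wins.

    Non-enforced links apply from the furthest container to the nearest, so the
    nearest wins among them. Enforced links apply afterwards in reverse order,
    so the enforced link furthest from the client has the final say. If an OU
    blocks inheritance, non-enforced links from containers above it are
    skipped; enforced links are never blocked.
    """
    rank = {scope: i for i, scope in enumerate(scope_order)}
    blocked_rank = rank[block_inheritance_at] if block_inheritance_at else 0
    normal = sorted(
        (l for l in links if not l.enforced and rank[l.scope] >= blocked_rank),
        key=lambda l: rank[l.scope],
    )
    enforced = sorted(
        (l for l in links if l.enforced), key=lambda l: rank[l.scope], reverse=True
    )
    return [l.gpo for l in normal + enforced]


def winner(links, **kwargs):
    """The GPO whose setting prevails on a conflict: the one applied last."""
    return application_order(links, **kwargs)[-1]


if __name__ == "__main__":
    print(" -> ".join(application_order(LINKS)), "| winner:", winner(LINKS))
```

Passing `block_inheritance_at="OU1"` shows the other half of the rule: GP01 drops out, but the enforced GP02 and GP03 still apply and GP03 still wins.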
