How Group Policies are Applied
Before you can configure any settings by enabling group policies, you must create or select a Group Policy Object where the policies will apply. You can link Group Policy Objects to a specific organizational unit, domain, or site in Active Directory.
To create a new Group Policy Object:
- Open the Group Policy Management console (gpmc.msc).
- Select a domain, organizational unit, or site, right-click, then select Create a GPO in this domain, and Link it here.
  You must have read and write permission to access the system volume of the domain controller and the right to modify the selected site, domain, or organizational unit.
- Type a name and, optionally, select an existing Group Policy Object to use as a model for the new Group Policy Object, then click OK.
Alternatively, you can select a domain, organizational unit, or site in the Group Policy Management console, right-click, then select Link an Existing GPO to link an existing Group Policy Object—such as the Default Domain Policy—to the selected domain, organizational unit, or site. Note that you cannot link a Group Policy Object to generic containers—such as the default Users, Computers, or Domain Controllers containers—or to containers you create.
Once you link a Group Policy Object to an organizational unit, domain, or site, the specific policies you enable are applied when computers are rebooted, when users log on, or at the next update interval if you set policies to be periodically refreshed.
Order in which Policies are Applied
You can link Group Policy Objects throughout the hierarchical structure of the Active Directory environment. When you have different policies at different levels, they are applied in the following order unless you explicitly configure them to block inheritance or behave differently:
- Local Group Policy Objects are applied first.
- Site-level Group Policy Objects are applied in priority order.
- Domain-level Group Policy Objects are applied in priority order.
- Organizational Unit-level Group Policy Objects are applied in priority order down the hierarchical structure of your organization, so that the last Group Policy Object applied is the one linked to the Organizational Unit the user or computer resides in.
As this set of rules suggests, a Group Policy Object linked to a site applies to all domains at the site. A Group Policy Object applied to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in organizational units and containers farther down the Active Directory tree.
A Group Policy Object applied to an organizational unit applies directly to all users and computers in the organizational unit and by inheritance to all users and computers in its child organizational units.
You can modify the specific users and computers the GPO is applied to by choosing a different point in the hierarchy, blocking the default inheritance, using security groups to create Access Control Lists, or defining WMI filters.
There are four group policies (run command, sudo, crontab entries, and Linux firewall) whose lines from different Group Policy Objects can be merged into a single resulting policy. For the policies to merge, the policy in each Group Policy Object must be enforced. Lines from policies with higher precedence are placed lower in the resulting multi-line policy. (Ref: CS-21048a)
How the Resulting Policy Set is Determined
The order in which Group Policy Objects apply is significant because, by default, policy applied later overwrites policy applied earlier for each setting where the later applied policy was either Enabled or Disabled. Settings that are Not Configured don’t overwrite anything — any Enabled or Disabled setting applied earlier is allowed to persist. You can modify this default behavior by forcing or preventing Group Policy Objects from affecting specific groups of users or computers, but in most cases, you should avoid doing so.
As an example, consider an organization with a single domain called arcade.com, which is divided into the following top-level organizational units:
- USA
- Spain
- Korea
Each of these may be divided into lower-level organizational units, indicating major departmental or functional groupings for the top-level organizational unit. For example, the USA organizational unit may be divided into CorporateHQ, Development, and Sales.
A computer placed in the CorporateHQ organizational unit might then have several different Group Policy Objects applied to it. For example, the arcade.com organization might have a default domain Group Policy Object that applies to all organizational units in the domain, and each organizational unit might also have its own Group Policy Object applied.
The following table illustrates the configuration settings for two computer configuration policies—Windows Update > Configure Automatic Updates and Windows Media Player > Prevent Desktop Shortcut Creation—for the Group Policy Objects applied to the example organization arcade.com.
GPO name | Linked to | Sample policy configuration settings
---|---|---
Default Domain Policy | arcade.com | Configure Automatic Updates: Enabled with Auto download and notify for install; Prevent Desktop Shortcut Creation: Enabled
USA-Specific | USA | Configure Automatic Updates: Not Configured; Prevent Desktop Shortcut Creation: Enabled
All Development | CorporateHQ | Configure Automatic Updates: Not Configured; Prevent Desktop Shortcut Creation: Disabled
For example, if you were managing the default domain policies used in this example, you would:
- Start Active Directory Users and Computers.
- Right-click the domain, arcade.com, then click Properties.
- Click the Group Policy tab.
- Select the Default Domain Policy, then click Edit to open the Default Domain Policy in the Group Policy Object Editor.
- Set Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates to Enabled, select the Auto download and notify for install update option, and click OK.
- Set Computer Configuration > Administrative Templates > Windows Components > Windows Media Player > Prevent Desktop Shortcut Creation to Enabled and click OK.
When all of the policies described in the table are applied in their default order, a computer in the CorporateHQ organizational unit would be configured with the following policy settings:
- Configure Automatic Updates: Enabled with Notify for download and notify for install
- Prevent Desktop Shortcut Creation: Disabled
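The resolution rules described in this section, as an added Python model (not Centrify or Microsoft code): GPOs applied in order, Not Configured leaving earlier values in place, later Enabled or Disabled values overwriting, and the enforced multi-line merge described under "Order in which Policies are Applied". The arcade.com GPOs use the table's values; the sudo lines are constructed sample data.

```python
from dataclasses import dataclass, field

# Added model of the resolution rules in this section; not Centrify or Microsoft code.
NOT_CONFIGURED = None  # a setting the GPO leaves untouched
# The four multi-line policies the text says can merge across GPOs
MERGEABLE = {"run command", "sudo", "crontab entries", "Linux firewall"}

@dataclass
class GPO:
    name: str
    settings: dict = field(default_factory=dict)  # policy name -> value, list, or None
    enforced: bool = False

def resolve(gpos_in_apply_order):
    """Apply GPOs in order (Local, Site, Domain, then OUs parent-to-child)."""
    result = {}
    merged = set()  # policies whose current value came from an enforced merge chain
    for gpo in gpos_in_apply_order:
        for policy, value in gpo.settings.items():
            if value is NOT_CONFIGURED:
                continue  # Not Configured never overwrites an earlier value
            if policy in MERGEABLE and gpo.enforced and isinstance(value, list):
                # Merge only if every contributing GPO enforced the policy; later
                # (higher-precedence) lines are placed below the earlier ones
                prior = result.get(policy, []) if policy in merged else []
                result[policy] = list(prior) + value
                merged.add(policy)
            else:
                result[policy] = value  # later Enabled/Disabled overwrites earlier
                merged.discard(policy)
    return result

def arcade_corporate_hq():
    """The table's GPOs as applied to a computer in arcade.com/USA/CorporateHQ."""
    default_domain = GPO("Default Domain Policy", {
        "Configure Automatic Updates": "Enabled: Auto download and notify for install",
        "Prevent Desktop Shortcut Creation": "Enabled"})
    usa = GPO("USA-Specific", {
        "Configure Automatic Updates": NOT_CONFIGURED,
        "Prevent Desktop Shortcut Creation": "Enabled"})
    corporate_hq = GPO("All Development", {
        "Configure Automatic Updates": NOT_CONFIGURED,
        "Prevent Desktop Shortcut Creation": "Disabled"})
    return resolve([default_domain, usa, corporate_hq])

def sudo_merge_demo():
    """Constructed sudo lines: an enforced domain GPO plus an enforced OU GPO."""
    domain = GPO("Domain sudo", {"sudo": ["%admins ALL=(ALL) ALL"]}, enforced=True)
    ou = GPO("OU sudo", {"sudo": ["ops ALL=(root) /usr/bin/systemctl"]}, enforced=True)
    return resolve([domain, ou])["sudo"]
```

If either sudo GPO is not enforced, the later one simply overwrites the earlier, as for any other setting.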
The User Configuration policies applied in a Group Policy Object are also determined by the organizational unit in which a UNIX user is a member. For example, if you define separate User Configuration policies in a Group Policy Object linked to the USA organizational unit, you must also add the users to this organizational unit for the policies to apply. For more information, see Applying Policies in Nested Organizational Units.