Group policy precedence question

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Trying to wrap my head around Group Policy, and have this question:

Let’s assume there is an OU that has both computer and user objects in it. The following GPOs are linked to this OU:

• GPO-computer: this GPO has both computer config and user config settings enabled. The User Configuration setting that has been enabled is “Remove My Documents icon on the desktop”

• GPO-user: this GPO has the User Configuration setting “Remove My Documents icon the desktop” disabled

Let’s also assume in GPO-computer that the Computer Configuration setting “User Group Policy loopback processing mode” is not configured.

So, GPO-computer should apply to the computer objects in the OU, and GPO-user should apply to the user objects in the OU.

I assume then, that any user logging onto any of the computers targeted by GPO-computer will be affected by the user configured policy settings in GPO-computer, correct?

Therefore, there is a conflict; the users will receive policy from both GPO-computer and GPO-user; one policy will remove My Documents icon from the desktop, the other prevents this from happening.

Which user policy setting takes precedence?

 

I believe computer policies take priorty over user gpo.

 

With the loopback policy disabled, i'd have thought the user configuration would take precedence over the computer configuration?

 

It's whatever policy has the higher precedence (you can change the precedence of a policy at the same ou), by default its the policy that was created first as it will be applied last, unless the newer policy has been enforced.

 

The op states the both settings are at the user settings, its just the name of the polices (computer, user) that may be confusing the issue.

 

GPO-computer will apply the computer and user settings, as will GPO-user. Its because the computers and the users are in the same OU. If they conflict, then whatever has higher precedence will win.

 

You could be right. It had slipped my mind that multiple GPOs applied to an object will appear in order of precedence, and that the order of the GPOs can be changed to suit. So if GPO-Computer appears higher up the list than GPO-User, it will be applied last and its settings will have precedence if there are any conflicts with other GPOs.

 

Yeah, I got it the wrong way round

 

I thought the question was if it was a single policy with a computer configuration and user configuration setting that conflicted rather than 2 different gpos?

edit: Just re-read your post and it is 2 different gpos, my mistake, i blame posting from my iphone.

 

Who let you out the cage?

We all have our off days lol

 

Both GPOs will be read and processed by both accounts (unless security permissions or filtering were in play)

Generally when a domain computer boots it runs through applying all the computer policies at startup, it reads both user and computer settings but only generally applies computer settings (unless loopback mode is enabled)

The user account will do the same when it logs in, reads both accounts, what it will check is its order of processing for that OU, and apply the last instance of that setting (eg if 2 GPO's have the same setting one is listed as having an order number of 1, then that will run first, then one has an order number of 5, than that one with lorder of 1 should contain the setting that is used as it has higher prcedence)

OR You could use RSOP or the modelling tool in the GPMC to find out which would take precedence

Generally it is much better design to keep user and computer objects apart (for instance you can save logon processing time by disabling uneeded computer and user properties, and future management will be so much easier), but AD is flexible enough to cater for this layout.

 

Download the group policy management software from Microsoft, an excellent tool to manage group policy which include backing up and tell the lowdown on which policy teke precedence.

Here.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en