CertForums.com IT Certification Forum Homepage
Page 1 of 2 12 LastLast
Results 1 to 15 of 18

Group policy precedence question

You are viewing a topic in the Active Directory Exams forum part of the Microsoft Certification Forums category.

  • Share:
  1. #1
    Byte Poster
    Posts
    89
    Join Date
    11 Nov 2009
    Liked
    0 times
    Rep Power
    4

    Group policy precedence question

    Trying to wrap my head around Group Policy, and have this question:

    Let’s assume there is an OU that has both computer and user objects in it. The following GPOs are linked to this OU:

    • GPO-computer: this GPO has both computer config and user config settings enabled. The User Configuration setting that has been enabled is “Remove My Documents icon on the desktop”

    • GPO-user: this GPO has the User Configuration setting “Remove My Documents icon the desktop” disabled


    Let’s also assume in GPO-computer that the Computer Configuration setting “User Group Policy loopback processing mode” is not configured.

    So, GPO-computer should apply to the computer objects in the OU, and GPO-user should apply to the user objects in the OU.

    I assume then, that any user logging onto any of the computers targeted by GPO-computer will be affected by the user configured policy settings in GPO-computer, correct?

    Therefore, there is a conflict; the users will receive policy from both GPO-computer and GPO-user; one policy will remove My Documents icon from the desktop, the other prevents this from happening.

    Which user policy setting takes precedence?

  2. Posts
    666
    Join Date
    6 June 2003
    Location
    Somewhere in Germany
     

  3. #2
    Moderator Sparky's Avatar
    Posts
    9,940
    Join Date
    15 Dec 2005
    Location
    Scotland
    Liked
    61 times
    Rep Power
    98
    Computer policy applied first (when the PC boots up). Then the user policy is applied when the user logs on (if the user object is in the same OU).

  4. #3
    Petabyte Poster craigie's Avatar
    Posts
    3,020
    Join Date
    05 May 2008
    Age
    37
    Liked
    64 times
    Rep Power
    49
    I believe computer policies take priorty over user gpo.

  5. #4
    Moderator Sparky's Avatar
    Posts
    9,940
    Join Date
    15 Dec 2005
    Location
    Scotland
    Liked
    61 times
    Rep Power
    98
    Quote Originally Posted by craigie View Post
    I believe computer policies take priorty over user gpo.
    Do you not need to add loopback for that?

    Been a while since I've done any GPO work...

  6. #5
    Megabyte Poster
    Posts
    254
    Join Date
    16 Feb 2009
    Location
    Grantham
    Age
    31
    Liked
    0 times
    Rep Power
    6
    With the loopback policy disabled, i'd have thought the user configuration would take precedence over the computer configuration?

  7. #6
    Moderator Sparky's Avatar
    Posts
    9,940
    Join Date
    15 Dec 2005
    Location
    Scotland
    Liked
    61 times
    Rep Power
    98
    Quote Originally Posted by simonp83 View Post
    With the loopback policy disabled, i'd have thought the user configuration would take precedence over the computer configuration?
    Yup, thats what I thought. Would need to test it out to be sure though.

  8. #7
    Megabyte Poster DC Pr0Mo's Avatar
    Posts
    265
    Join Date
    01 Jan 2009
    Location
    North Ayrshire
    Country
    Scotland Country Flag
    Liked
    1 times
    Rep Power
    6
    Quote Originally Posted by xmojo View Post
    Trying to wrap my head around Group Policy, and have this question:

    Let’s assume there is an OU that has both computer and user objects in it. The following GPOs are linked to this OU:

    • GPO-computer: this GPO has both computer config and user config settings enabled. The User Configuration setting that has been enabled is “Remove My Documents icon on the desktop”

    • GPO-user: this GPO has the User Configuration setting “Remove My Documents icon the desktop” disabled


    Let’s also assume in GPO-computer that the Computer Configuration setting “User Group Policy loopback processing mode” is not configured.

    So, GPO-computer should apply to the computer objects in the OU, and GPO-user should apply to the user objects in the OU.

    I assume then, that any user logging onto any of the computers targeted by GPO-computer will be affected by the user configured policy settings in GPO-computer, correct?

    Therefore, there is a conflict; the users will receive policy from both GPO-computer and GPO-user; one policy will remove My Documents icon from the desktop, the other prevents this from happening.

    Which user policy setting takes precedence?
    It's whatever policy has the higher precedence (you can change the precedence of a policy at the same ou), by default its the policy that was created first as it will be applied last, unless the newer policy has been enforced.

  9. #8
    Megabyte Poster DC Pr0Mo's Avatar
    Posts
    265
    Join Date
    01 Jan 2009
    Location
    North Ayrshire
    Country
    Scotland Country Flag
    Liked
    1 times
    Rep Power
    6
    Quote Originally Posted by simonp83 View Post
    With the loopback policy disabled, i'd have thought the user configuration would take precedence over the computer configuration?
    The op states the both settings are at the user settings, its just the name of the polices (computer, user) that may be confusing the issue.

  10. #9
    Megabyte Poster DC Pr0Mo's Avatar
    Posts
    265
    Join Date
    01 Jan 2009
    Location
    North Ayrshire
    Country
    Scotland Country Flag
    Liked
    1 times
    Rep Power
    6
    Quote Originally Posted by xmojo View Post


    So, GPO-computer should apply to the computer objects in the OU, and GPO-user should apply to the user objects in the OU.
    GPO-computer will apply the computer and user settings, as will GPO-user. Its because the computers and the users are in the same OU. If they conflict, then whatever has higher precedence will win.

  11. #10
    Byte Poster
    Posts
    89
    Join Date
    11 Nov 2009
    Liked
    0 times
    Rep Power
    4
    Quote Originally Posted by DC Pr0Mo View Post
    GPO-computer will apply the computer and user settings, as will GPO-user. Its because the computers and the users are in the same OU. If they conflict, then whatever has higher precedence will win.
    You could be right. It had slipped my mind that multiple GPOs applied to an object will appear in order of precedence, and that the order of the GPOs can be changed to suit. So if GPO-Computer appears higher up the list than GPO-User, it will be applied last and its settings will have precedence if there are any conflicts with other GPOs.

  12. #11
    Petabyte Poster craigie's Avatar
    Posts
    3,020
    Join Date
    05 May 2008
    Age
    37
    Liked
    64 times
    Rep Power
    49
    Quote Originally Posted by Sparky View Post
    Do you not need to add loopback for that?

    Been a while since I've done any GPO work...
    Yeah, I got it the wrong way round

  13. #12
    Megabyte Poster
    Posts
    254
    Join Date
    16 Feb 2009
    Location
    Grantham
    Age
    31
    Liked
    0 times
    Rep Power
    6
    Quote Originally Posted by xmojo View Post
    You could be right. It had slipped my mind that multiple GPOs applied to an object will appear in order of precedence, and that the order of the GPOs can be changed to suit. So if GPO-Computer appears higher up the list than GPO-User, it will be applied last and its settings will have precedence if there are any conflicts with other GPOs.
    I thought the question was if it was a single policy with a computer configuration and user configuration setting that conflicted rather than 2 different gpos?

    edit: Just re-read your post and it is 2 different gpos, my mistake, i blame posting from my iphone.

  14. #13
    Moderator Sparky's Avatar
    Posts
    9,940
    Join Date
    15 Dec 2005
    Location
    Scotland
    Liked
    61 times
    Rep Power
    98
    Quote Originally Posted by xmojo View Post
    You could be right. It had slipped my mind that multiple GPOs applied to an object will appear in order of precedence, and that the order of the GPOs can be changed to suit. So if GPO-Computer appears higher up the list than GPO-User, it will be applied last and its settings will have precedence if there are any conflicts with other GPOs.
    Err, the GPO that has computer settings configured is applied when the PC boots up and gets the Ctrl+Alt+Delete screen. Then if you log on with a user account that is in the OU *then* the user settings are applied.

    ......I think

  15. #14
    Forum Leader - The Lounge jk2447's Avatar
    Posts
    4,421
    Join Date
    03 Feb 2009
    Location
    UK
    Age
    35
    Liked
    85 times
    Rep Power
    67
    Quote Originally Posted by craigie View Post
    Yeah, I got it the wrong way round
    Oooo mate you better not the new job know . . . . .

  16. #15
    Petabyte Poster craigie's Avatar
    Posts
    3,020
    Join Date
    05 May 2008
    Age
    37
    Liked
    64 times
    Rep Power
    49
    Quote Originally Posted by jk2447 View Post
    Oooo mate you better not the new job know . . . . .
    Who let you out the cage?

    We all have our off days lol

Page 1 of 2 12 LastLast

Similar Threads

  1. Software Deployment via Group Policy Question
    By steveh2001 in forum Software
    Replies: 2
    Last Post: 21-Jan-2010, 11:17 AM
  2. Replies: 6
    Last Post: 03-Apr-2008, 10:12 AM
  3. Best practice for incorrect group policy settings
    By dales in forum Windows Server 2003 / 2008 / 2012 Exams
    Replies: 2
    Last Post: 04-Mar-2008, 09:47 PM
  4. Group Policy
    By AJ in forum Networks
    Replies: 6
    Last Post: 18-Oct-2007, 02:54 PM