Group policy precedence question

Discussion in 'Active Directory Exams' started by xmojo, Aug 19, 2010.

  1. xmojo

    xmojo Nibble Poster

    Trying to wrap my head around Group Policy, and have this question:

    Let’s assume there is an OU that has both computer and user objects in it. The following GPOs are linked to this OU:

    • GPO-computer: this GPO has both computer config and user config settings enabled. The User Configuration setting that has been enabled is “Remove My Documents icon on the desktop”
    • GPO-user: this GPO has the User Configuration setting “Remove My Documents icon on the desktop” disabled

    Let’s also assume in GPO-computer that the Computer Configuration setting “User Group Policy loopback processing mode” is not configured.

    So, GPO-computer should apply to the computer objects in the OU, and GPO-user should apply to the user objects in the OU.

    I assume then, that any user logging onto any of the computers targeted by GPO-computer will be affected by the user configured policy settings in GPO-computer, correct?

    Therefore, there is a conflict; the users will receive policy from both GPO-computer and GPO-user; one policy will remove My Documents icon from the desktop, the other prevents this from happening.

    Which user policy setting takes precedence?
     
  2. Adam Banner

    Adam Banner Poster Galore

     
  3. Sparky

    Sparky Exabyte Poster Moderator

    Computer policy is applied first (when the PC boots up). Then the user policy is applied when the user logs on (if the user object is in the same OU).
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  4. craigie

    craigie Terabyte Poster

    I believe computer policies take priority over user GPO.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  5. Sparky

    Sparky Exabyte Poster Moderator

    Do you not need to add loopback for that?

    Been a while since I've done any GPO work...
     
  6. simonp83

    simonp83 Kilobyte Poster

    With the loopback policy disabled, I'd have thought the user configuration would take precedence over the computer configuration?
     
    Certifications: A+, MCP, MCDST, MCTS, MCITP
    WIP: 70-291
  7. Sparky

    Sparky Exabyte Poster Moderator

    Yup, that's what I thought. Would need to test it out to be sure though.
     
  8. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster

    It's whatever policy has the higher precedence (you can change the precedence of a policy at the same OU). By default it's the policy that was created first, as it will be applied last, unless the newer policy has been enforced.
     
    Certifications: MCDST | BSc Network Computing
    WIP: 70-291 | 70-293 | 70-294 | 70-297
  9. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster

    The OP states that both settings are user settings; it's just the names of the policies (computer, user) that may be confusing the issue.
     
  10. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster

    GPO-computer will apply the computer and user settings, as will GPO-user. It's because the computers and the users are in the same OU. If they conflict, then whatever has higher precedence will win.
     
  11. xmojo

    xmojo Nibble Poster

    You could be right. It had slipped my mind that multiple GPOs applied to an object will appear in order of precedence, and that the order of the GPOs can be changed to suit. So if GPO-Computer appears higher up the list than GPO-User, it will be applied last and its settings will have precedence if there are any conflicts with other GPOs.
     
  12. craigie

    craigie Terabyte Poster

    Yeah, I got it the wrong way round :oops:
     
  13. simonp83

    simonp83 Kilobyte Poster

    I thought the question was if it was a single policy with a computer configuration and user configuration setting that conflicted rather than 2 different GPOs?

    Edit: Just re-read your post and it is 2 different GPOs, my mistake, I blame posting from my iPhone.
     
    Last edited: Aug 20, 2010
  14. Sparky

    Sparky Exabyte Poster Moderator

    Err, the GPO that has computer settings configured is applied when the PC boots up and gets the Ctrl+Alt+Delete screen. Then if you log on with a user account that is in the OU *then* the user settings are applied.

    ......I think :biggrin
     
  15. jk2447

    jk2447 Petabyte Poster Forum Leader Premium Member

    Oooo mate you better not let the new job know . . . . . :lol:
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5
    WIP: Not really sure :S
  16. craigie

    craigie Terabyte Poster

    Who let you out the cage?

    We all have our off days lol
     
  17. jk2447

    jk2447 Petabyte Poster Forum Leader Premium Member

    Ha ha yeah I got let out the asylum for a day! Just kidding me old mucka, I know you're a perfectionist so couldn't resist :D
     
  18. kevicho

    kevicho Gigabyte Poster

    Both GPOs will be read and processed by both accounts (unless security permissions or filtering were in play).

    Generally when a domain computer boots it runs through applying all the computer policies at startup; it reads both user and computer settings but only generally applies computer settings (unless loopback mode is enabled).

    The user account will do the same when it logs in, reads both accounts. What it will check is its order of processing for that OU, and apply the last instance of that setting (e.g. if 2 GPOs have the same setting, one is listed as having an order number of 1, then that will run first, then one has an order number of 5, then the one with order of 1 should contain the setting that is used as it has higher precedence).

    OR you could use RSOP or the modelling tool in the GPMC to find out which would take precedence :)

    Generally it is much better design to keep user and computer objects apart (for instance you can save logon processing time by disabling unneeded computer and user properties, and future management will be so much easier), but AD is flexible enough to cater for this layout.
     
    Last edited: Dec 13, 2010
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal
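
Added example, not part of any post in this thread: a small Python model of the same-OU precedence rule discussed above (link order 1 is applied last and wins; an enforced link beats a non-enforced one), run against the two GPOs from the question. The `GpoLink` model and the link-order values are constructed for illustration, and the model ignores inheritance from parent containers, security filtering and loopback.

```python
from dataclasses import dataclass, field

SETTING = "Remove My Documents icon on the desktop"

@dataclass
class GpoLink:
    """One GPO link on the OU (constructed model, not read from a real domain)."""
    name: str
    link_order: int                 # 1 = highest precedence in the GPMC link list
    user_settings: dict = field(default_factory=dict)  # absent key = Not Configured
    enforced: bool = False
    link_enabled: bool = True

def processing_order(links):
    """Return the links in the order they are applied; the last one applied wins.

    Non-enforced links go first, highest link_order number first, so that
    link order 1 is applied last. Enforced links are applied after those.
    """
    active = [l for l in links if l.link_enabled]
    return sorted(active, key=lambda l: (l.enforced, -l.link_order))

def resolve_user_setting(links, setting):
    """Return (state, winning GPO name), or ("Not Configured", None)."""
    state, winner = "Not Configured", None
    for link in processing_order(links):
        if setting in link.user_settings:      # later writes overwrite earlier ones
            state, winner = link.user_settings[setting], link.name
    return state, winner

def thread_scenario(computer_order, user_order, user_enforced=False):
    """The two GPOs from the question, linked to the one OU holding users and computers."""
    return [
        GpoLink("GPO-computer", computer_order, {SETTING: "Enabled"}),
        GpoLink("GPO-user", user_order, {SETTING: "Disabled"}, enforced=user_enforced),
    ]

if __name__ == "__main__":
    # (computer link order, user link order[, GPO-user link enforced])
    for args in [(1, 2), (2, 1), (1, 2, True)]:
        print(args, resolve_user_setting(thread_scenario(*args), SETTING))
```

On a real domain the same answer comes from the link order shown in GPMC for the OU and from an RSoP report for the user and computer in question.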
  19. Darkfunnyguy

    Darkfunnyguy Byte Poster

    Certifications: A+, N+, MCP, MCDST, MCSA 2003
    WIP: Server+, Vista,