I have recently been completing some study for the Microsoft 70-417 exam (upgrading to MCSA Windows 2012) and whilst I have not had a lot to do with implementing Group Policy Objects (GPOs) in the recent past, I still find it is important to know how and when they get applied. The following are some of my notes from my study.
Assuming there is no type of filtering or enforcement applied, GPOs are applied/processed in the following order:
- Local
- Site
- Domain
- Organisational Unit (OU)
Due to the rules of inheritance, the order of precedence is actually the reverse, and is as follows:
- Organisational Unit (OU)
- Domain
- Site
- Local
Therefore, when there is a conflicting setting (again assuming there is no enforcement in place), local settings will be overridden by any and all other GPO settings. The OU overrides the Domain, which in turn overrides the AD Site level settings. As a result, when GPOs are designed poorly, a GPO can be enabled or disabled at multiple levels and the result may not necessarily be what is expected.
Blocking GPO Inheritance and GPO Enforcement
At the OU level, you can choose to Block Inheritance, which stops GPOs from the Site, Domain and parent OUs being applied to the selected child OU. However, this is overridden when a higher-level GPO has been configured to be Enforced.
For more information, see https://technet.microsoft.com/en-gb/library/cc757050(v=ws.10).aspx
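The processing order, Block Inheritance and Enforced rules described above can be checked against a small model. The following is an added example, not part of the original notes and not Microsoft's implementation; the container names, GPO names and settings are constructed. It also models enforced links winning conflicts, which is standard Group Policy behaviour beyond what the notes state, and it assumes links within one container are listed in processing order.

```python
# Added illustration: a simplified model of GPO precedence, not Microsoft's engine.
# Container names, GPO names and settings below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False  # only meaningful on an OU

def resolve(chain):
    """chain is in processing order: Local, Site, Domain, OU, child OU, ...
    Returns {setting: (value, "GPO @ container")} for the winning link."""
    # The deepest OU with Block Inheritance hides every container above it,
    # except the local GPO (index 0) and any link marked Enforced.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for link in c.links:
            if link.enforced:
                enforced.append((c, link))
            elif i == 0 or i >= cut:
                normal.append((c, link))
    # Last writer wins: non-enforced links in processing order, then enforced
    # links in reverse so the highest-level enforced link has the final say.
    result = {}
    for c, link in normal + enforced[::-1]:
        for key, value in link.settings.items():
            result[key] = (value, f"{link.gpo} @ {c.name}")
    return result

def sample_chain(block):
    return [
        Container("Local", [Link("Local Policy", {"ScreenLockMinutes": 60, "UsbStorage": "allow"})]),
        Container("Site", [Link("Site Baseline", {"ScreenLockMinutes": 30})]),
        Container("Domain", [Link("Domain Security", {"UsbStorage": "deny"}, enforced=True),
                             Link("Domain Defaults", {"ScreenLockMinutes": 15, "Wallpaper": "corp"})]),
        Container("OU=Labs", [Link("Labs Exceptions", {"UsbStorage": "allow", "ScreenLockMinutes": 120})],
                  block_inheritance=block),
    ]

if __name__ == "__main__":
    for block in (False, True):
        print("Block Inheritance on OU=Labs:", block)
        for key, (value, source) in sorted(resolve(sample_chain(block)).items()):
            print(f"  {key} = {value}  (from {source})")
```

With Block Inheritance set on the OU, the non-enforced Site and Domain links drop out, but the enforced Domain link still decides `UsbStorage`.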
GPOs can be selectively applied based on either Security Filtering (i.e. Active Directory Group Membership) or WMI Filters (such as writing a WMI query to find out the OS version). Further to that, within a GPO itself, individual GPO Preferences can be applied based upon Item-Level Targeting, which provides a number of different conditions that have to be met (such as whether or not the PC has a Battery present, i.e. it's a laptop).
Therefore (theoretically) you could construct a GPO that targeted computers within a specific OU that only applied to computers running Windows 8.1 and applied different GPO Preferences based on whether the computer had a particular clock speed or had a battery. Not that I would personally recommend going to that level of customisation for a GPO.