When multiple Group Policy Objects (GPOs) are applied with enforcement settings, Windows follows a specific processing order that combines both the natural GPO hierarchy and enforcement status. The basic processing order is always:
1. Local GPO
2. Site-level GPOs
3. Domain-level GPOs
4. OU-level GPOs (parent to child)
Enforced (formerly called "No Override") GPOs maintain their settings regardless of any conflicting settings in subsequent GPOs. However, their processing still follows the standard order - just with higher precedence for conflicts.
For the example scenario:
| GPO  | Linked to   | Enforced |
|------|-------------|----------|
| GP01 | contoso.com | No       |
| GP02 | contoso.com | Yes      |
| GP03 | Site 1      | Yes      |
| GP04 | OU1         | No       |
| GP05 | OU1         | Yes      |
Your understanding is mostly correct, but let me clarify the exact sequence:
1. GP03 (Site level, Enforced)
2. GP02 (Domain level, Enforced)
3. GP01 (Domain level, Not Enforced)
4. GP05 (OU level, Enforced)
5. GP04 (OU level, Not Enforced)
Consider these GPOs setting the same policy (e.g., "Password Policy"):
GP01: Minimum password length = 8
GP02: Minimum password length = 10
GP03: Minimum password length = 12
GP04: Minimum password length = 6
GP05: Minimum password length = 14
The effective result would be 12 characters because:
- GP03 sets it to 12 (site level, enforced)
- GP02 tries to set to 10 but gets blocked by enforcement
- GP05 would set to 14 but site enforcement takes precedence
You can check resultant policy with:
```powershell
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\temp\gpresult.html"
```
Or for a specific user/computer:
```powershell
gpresult /user targetuser /v > gpresult.txt
```
When debugging complex GPO hierarchies:
```powershell
# List all applied GPOs with their link details.
# Get-GPResultantSetOfPolicy writes a report file and emits no objects, so the
# report is generated as XML and then parsed.
Get-GPResultantSetOfPolicy -Computer localhost -User targetuser -ReportType Xml -Path "$env:TEMP\rsop.xml"
$rsop = [xml](Get-Content "$env:TEMP\rsop.xml")
# Element names follow the RSoP XML report schema; Link.NoOverride marks an enforced link
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, @{n='SOM'; e={$_.Link.SOMPath}}, @{n='Enforced'; e={$_.Link.NoOverride}}
```
Remember that enforced GPOs are indicated with a "NoOverride" flag in the output.
In Active Directory environments, Group Policy Objects (GPOs) process in the following default order:
1. Local policies
2. Site-linked GPOs
3. Domain-linked GPOs
4. OU-linked GPOs (from parent to child OUs)
The "Enforced" flag (formerly "No Override") modifies this standard processing order. When enabled:
- The GPO cannot be blocked at a lower level
- It maintains its settings even if conflicting settings exist in subsequent GPOs
Using your example scenario:
| GPO  | Linked to   | Enforced |
|------|-------------|----------|
| GP01 | contoso.com | No       |
| GP02 | contoso.com | Yes      |
| GP03 | Site 1      | Yes      |
| GP04 | OU1         | No       |
| GP05 | OU1         | Yes      |
The actual processing order would be:
GP03 (Site, Enforced) → GP02 (Domain, Enforced) → GP01 (Domain) → GP05 (OU, Enforced) → GP04 (OU)
Important implementation details:
- Enforced GPOs process before non-enforced GPOs at their respective levels
- Within enforced GPOs, standard hierarchy (Site→Domain→OU) still applies
- Last writer wins for conflicting settings within the same precedence tier
To check effective precedence on a target machine:
```powershell
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\temp\GPOReport.html"
# Or for immediate results:
gpresult /r /scope:computer
```
When debugging unexpected policy applications:
```powershell
# Check GPO application order
gpresult /h report.html /f
# View enforced GPO links specifically. Enforcement is a property of the link,
# not of the GPO (GpoStatus only reports enabled/disabled state), so query the
# links on the domain (repeat with each OU's distinguished name).
(Get-GPInheritance -Target "dc=contoso,dc=com").GpoLinks |
    Where-Object Enforced | Select-Object Target, DisplayName, Order, Enforced
```
Remember that WMI filtering and security filtering can further complicate the evaluation order.
- Document all enforced GPOs in your change management system
- Use descriptive names like "ENFORCED-BaselineSecurity"
- Limit enforcement to truly critical policies (10-15% of total GPOs max)
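The following small resolver is added here as an illustration (it is not code from either answer) and applies the link-ordering rule Windows uses to the five GPOs in the thread: non-enforced links in Local, Site, Domain, OU order, then enforced links in reverse hierarchy, last writer wins, with "Block Inheritance" never dropping an enforced link. The link orders within contoso.com and OU1 are assumed, since the thread does not give them.

```python
from dataclasses import dataclass, field

LEVELS = {"Local": 0, "Site": 1, "Domain": 2, "OU": 3}

@dataclass
class GpoLink:
    name: str
    level: str                 # "Local", "Site", "Domain" or "OU"
    enforced: bool = False
    order: int = 1             # link order within its container; 1 = highest precedence
    settings: dict = field(default_factory=dict)

def application_order(links, block_inheritance=False):
    """Return the links in the order Windows applies them (last writer wins).

    Non-enforced links go Local -> Site -> Domain -> OU; enforced links are
    appended afterwards in reverse hierarchy (OU -> Domain -> Site), so an
    enforced site link is applied last and wins a conflict. Within one level a
    lower link order is applied later. 'Block Inheritance' on the OU drops
    non-enforced links from above the OU but never an enforced one.
    """
    normal = [l for l in links if not l.enforced]
    if block_inheritance:
        normal = [l for l in normal if l.level == "OU"]
    normal.sort(key=lambda l: (LEVELS[l.level], -l.order))
    enforced = sorted((l for l in links if l.enforced),
                      key=lambda l: (LEVELS[l.level], l.order), reverse=True)
    return normal + enforced

def resolve(links, block_inheritance=False):
    """Apply the links in order; return {setting: (value, winning GPO name)}."""
    effective = {}
    for link in application_order(links, block_inheritance):
        for setting, value in link.settings.items():
            effective[setting] = (value, link.name)
    return effective

# Constructed scenario from the thread; the link orders are assumed.
SCENARIO = [
    GpoLink("GP01", "Domain", enforced=False, order=1, settings={"MinimumPasswordLength": 8}),
    GpoLink("GP02", "Domain", enforced=True, order=2, settings={"MinimumPasswordLength": 10}),
    GpoLink("GP03", "Site", enforced=True, settings={"MinimumPasswordLength": 12}),
    GpoLink("GP04", "OU", enforced=False, order=1, settings={"MinimumPasswordLength": 6}),
    GpoLink("GP05", "OU", enforced=True, order=2, settings={"MinimumPasswordLength": 14}),
]

if __name__ == "__main__":
    print(" -> ".join(l.name for l in application_order(SCENARIO)))
    print(resolve(SCENARIO)["MinimumPasswordLength"])  # (12, 'GP03')
    print(resolve(SCENARIO, block_inheritance=True)["MinimumPasswordLength"])
```

Clearing every Enforced flag in the scenario makes GP04 (the last OU link applied) win with 6, which shows why enforcement at the site level is what produces the 12 discussed above.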