Here’s a brief summary of everything you need to know about the way Group Policy applies, care of Florian, the always helpful Group Policy MVP.

Florian Frommherz is a systems engineer from Germany working in Switzerland. Specialized in Windows environments, Florian helps customers design their Directory Services and Group Policy implementations to unleash the central management capabilities. Read more of his advice on the Group Policy TechNet forum.

Opening our Group Policy Primer books, there’s a common abbreviation explaining the GP application rules:

Local-Site-Domain-OU(-subOU-subsubOU-subsubsubOU) – that’s L-S-D-OU.

As you can see, GP application goes from “generic” local policy settings that have low priority to pretty specific groups of machines with settings of higher priority. Application follows the “last writer wins” principle. If there are two GPOs that implement the same setting, the latter to be applied is the one that owns the setting. Let’s look at an example:


Imagine that domain-level GPO and sub-OU level GPO both have the WSUS GP setting: “Configure Automatic Updates” configured. While the domain-level GPO implements updating on Friday 7am, the sub-OU-level GPO implements updating daily, 3pm. Which setting is going to win on target clients in the Helpdesk-OU? Yeah, the sub-OU-level GPO configures last, so it wins.

Digging deeper in our GP Primer books, there’s another rule to point out:

When looking at the list of GPOs of the same level (domain, OU, …) in GPMC, policies are applied from the bottom up. That way if there are multiple policies implementing the same setting, the last to be applied is always the one that owns the setting.

In this example, there are three GPOs linked at the domain level. Given the above rule of application, what GPO is going to win the setting if all of them configure it with a different value? If your answer was “Default Domain Policy”, you’re right. Not because the Default Domain Policy is special (well, yeah, it sort of is). No, it’s because it’s linked at the top of the list: application is from bottom to top and last writer wins.

This behavior, by the way, is why custom Password Policies sometimes “don’t work”. The default Password Policy settings in the Default Domain Policy just have a “better” link order than a newly created GPO with custom settings. You’ll need to tweak GPO ordering in these cases.

Good luck, and remember: LSDOU, bottom to top on same-level settings, and last writer wins.