Fixing Group Policy processing issues
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This section explains Group Policy processing rules and points to troubleshooting tips. Group Policy objects (GPOs) are applied according to a set of standard processing rules, as explained below. You can apply exceptions to these rules and sometimes these exceptions — if not applied carefully — can lead to unexpected behavior.
Standard processing rules
Exceptions to processing rules
Fixes for specific processing issues
Standard processing rules
This section provides details about the order in which Group Policy settings for users and computers are processed.
Group Policy settings are processed in the following order:
**Local Group Policy object—**Each computer has exactly one Group Policy object that is stored locally. The Local GPO processes for both computer and user Group Policy processing.
**Site—**Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
**Domain—**Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
**Organizational units—**GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, the earlier and later settings are merely aggregated.)
Exceptions to processing rules
The default order for processing settings is subject to the following exceptions:
A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled. For troubleshooting information, see GPO provides unexpected value.
A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.
An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set. For troubleshooting information, see GPO provides unexpected value.
A computer that is a member of a workgroup processes only the local Group Policy object.
Loopback may be enabled. For troubleshooting information, see Loopback processing does not work.
GPOs can be subject to security filtering or WMI filtering to limit the scope of application. For troubleshooting information, see Fixing Group Policy scoping issues.
Fixes for specific processing issues
From the following list, choose the problem that best describes your situation, and then step through the suggested fix: