Group Policy Precedence

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy precedence

You can apply Active Directory-based Group Policy by linking Group Policy objects to Active Directory objects (sites, domains, or organizational units). Group Policy settings under User Configuration apply to users, and Group Policy settings under Computer Configuration apply to computers. The locations of the user and computer accounts in Active Directory determine what Group Policy objects are used to supply policy. Note that although some settings are user interface settings--for example, the background bitmap or the ability to use the Run command on the Start menu--they can also be applied to computers.

Group Policy is cumulative. Child directory service containers inherit policy from parent containers, and Group Policy processing occurs in the following order: local, site, domain, and then successive organizational units, from highest organizational unit (farthest from the user or computer account) to lowest organizational unit (actually containing the user or computer account). This means that if you link a Group Policy object to a high-level parent container (domain or organizational unit), this Group Policy object applies to all containers beneath the parent container, that is, to the user and computer objects in each container. However, if you explicitly enable or disable some Group Policy settings in another Group Policy object that is linked to a child container, the child container's Group Policy object settings override the parent container's Group Policy object settings.

You can enforce Group Policy on child directory containers by setting the No Override option on a Group Policy object link. You can also prevent inheritance of Group Policy from parent directory containers by using the Block Policy inheritance option on a domain or organizational unit.

Important

  • No Override and Block Policy inheritance are advanced options, and they are not recommended for casual use, because they change the default behavior of policy inheritance, as described in the previous paragraph, and this can complicate troubleshooting.

Note

  • In the event of a conflict, Group Policy settings take precedence over user profile settings.

This section covers: