Group Policy Processing

Group Policy is processed in the following order:

1. The local Group Policy object. This is the only source of Group Policy for stand-alone computers or computers in workgroups. The local Group Policy object is always processed.

2. Active Directory linked Group Policy objects. Site first, domain next, and organizational unit last, including any nested organizational units, from parent to child. At each site, domain, or organizational unit, one, many, or no Group Policy objects can be linked. If more than one link is present, those links can be prioritized.

Note

The Block policy inheritance or No Override options can affect the presence or absence of Group Policy objects in the list of Group Policy objects to be processed, but cannot change their order. The blockade occurs at the domain or organizational unit level, thus removing all non-local Group Policy objects that would otherwise be processed earlier, except those set to No Override. The local Group Policy object cannot be blocked. The No Override setting for Group Policy is an attribute of a link, and therefore applies to a particular Group Policy object, and only at the particular site, domain, or organizational unit to which it is linked.
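To make the processing order and the note above concrete, the following is an added model of the rules as stated here; it is not code from the page, not Windows' own implementation, and does not call GetGPOList. It applies local, site, domain and organizational units parent to child, lets a domain or organizational unit block inheritance (removing earlier non-local objects unless their link is No Override), and keeps a No Override link's settings against anything processed after it. Container names, GPO names and settings are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict                # setting name -> value carried by this GPO
    no_override: bool = False     # No Override is an attribute of the link, not the GPO

@dataclass
class Container:
    name: str                     # a site, domain or organizational unit
    links: list = field(default_factory=list)   # priority order, first = highest
    block_inheritance: bool = False             # only a domain or OU can block

def processing_order(local, site, domain, ous):
    """(container, link) pairs in order: local, site, domain, OUs parent to child."""
    order = [("local", local)]
    for container in [site, domain, *ous]:
        if container.block_inheritance and container is not site:
            # Block Policy Inheritance drops every non-local GPO gathered from
            # containers processed earlier, unless its link is set to No Override.
            order = [(c, l) for c, l in order if c == "local" or l.no_override]
        # Within a container, the highest-priority link is applied last, so it wins.
        for link in reversed(container.links):
            order.append((container.name, link))
    return order

def effective_settings(order):
    """Later GPOs override earlier ones, but a No Override link's settings stay."""
    result, locked = {}, set()
    for _, link in order:
        for name, value in link.settings.items():
            if name not in locked:
                result[name] = value
                if link.no_override:
                    locked.add(name)       # nothing processed later may replace it
    return result

def demo(block_parent_ou=True):
    """Constructed data: a child OU beneath a parent OU that may block inheritance."""
    local = Link("Local", {"a": "local"})
    site = Container("Default-First-Site", [Link("SiteGPO", {"a": "site"})])
    domain = Container("corp.example", [
        Link("DomEnforced", {"b": "domain", "c": "domain"}, no_override=True),
        Link("DomOther", {"c": "other"})])
    parent = Container("Sales", [Link("ParentGPO", {"a": "parent"})], block_parent_ou)
    child = Container("Sales/East", [Link("ChildGPO", {"a": "child", "b": "child"})])
    order = processing_order(local, site, domain, [parent, child])
    return [link.gpo for _, link in order], effective_settings(order)
```

With the block on, the site GPO and the non-enforced domain GPO disappear from the list while the local object and the No Override link survive; with it off, the order is the full local, site, domain, OU chain.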

Computer policy is processed at startup and then user policy is processed when the user logs on. Although computer policy is applied before user policy, if user and computer policy settings specify different behavior, the computer policy will generally prevail. This is not enforced by the Group Policy infrastructure; it is a convention followed by the operating system and by applications that use Group Policy, unless there are specific reasons that the convention is not appropriate for a given policy setting.

Note

There are policy processing issues that arise if you use Windows NT 4.0 and migrate to a Windows 2000 environment. For more information, see "Migration Issues Pertaining to Group Policy" later in this chapter.

Most Group Policy settings are implemented at the client computer by DLLs on the client. These DLLs are called client-side extensions. Remote Installation Services is an exception. RIS has no client-side extension because it is used to install an operating system remotely, and a DLL is useless without an operating system.

For each client-side extension, the Group Policy object processing order is obtained from a list of Group Policy objects returned by the GetGPOList Microsoft® Win32® function. Each client-side extension processes the resulting list of Group Policy objects.

In most cases, a policy setting specified in the Computer Configuration node takes precedence over the same setting, if one exists, in the User Configuration node. There are a few exceptions, and their behavior is set forth in the Explain text for those settings. An example is Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges, which requires the setting in both Computer and User Configuration to be enabled or it is not activated. See the Explain text for that policy setting for details.

Group Policy affects only users and computers contained in sites, domains, and organizational units. Specifically, Group Policy objects are not applied to Security Groups.