Group Policy Objects (GPOs) are assigned by linking them to containers (sites, domains, or Organizational Units (OUs)) in Active Directory (AD); they are then applied to the computers and users in those containers and in the containers below them.
A GPO contains both a computer section and a user section of policies and preferences. The computer section is applied during boot and refreshed periodically thereafter (by default every 90 minutes plus a random offset), while the user section is applied at user logon and refreshed on the same schedule.
Typically, when determining which policy settings apply, the local policy of the machine is evaluated first, followed by site-linked GPOs, then domain-linked GPOs, and finally the GPOs linked to each OU that contains the object being processed, starting with the OU closest to the domain root and ending with the OU that directly contains the object (the order commonly abbreviated LSDOU). User GPO processing can be modified with loopback processing mode, as shown in the table below. Loopback is a computer-side setting, so whether a user's logon uses normal, merge, or replace processing is determined by the resultant set of policy applied to the computer, not by the user's own location in AD. Turning on loopback processing allows the administrator to customize the user experience based on the computer the user is logging on to.
| Section of the policy | Normal mode | Loopback merge mode | Loopback replace mode |
|---|---|---|---|
| Computer section (evaluated during boot) | Local policy, then Site GPOs [S], Domain GPOs [C], OU GPOs [P1, P2, M1] (from the computer's location) | Local policy, then Site GPOs [S], Domain GPOs [C], OU GPOs [P1, P2, M1] (from the computer's location) | Local policy, then Site GPOs [S], Domain GPOs [C], OU GPOs [P1, P2, M1] (from the computer's location) |
| User section (evaluated during logon) | Local policy, then Site GPOs [S], Domain GPOs [W], OU GPOs [ ] (from the user's location) | Local policy, then from the user's location: Site GPOs [S], Domain GPOs [W], OU GPOs [ ]; then from the computer's location: Site GPOs [S], Domain GPOs [C], OU GPOs [P1, P2, M1] | Local policy, then from the computer's location only: Site GPOs [S], Domain GPOs [C], OU GPOs [P1, P2, M1] |

In the example, [S] is linked at the site, [C] and [W] at the domain, [P1], [P2] and [M1] at the OUs containing the computer, and no GPO is linked at the user's OU ([ ]). In merge mode the user settings of GPOs in the computer's scope are processed after those in the user's scope, so they win any conflict; in replace mode the GPOs in the user's scope are not processed at all.
When the policies are evaluated, several properties determine whether the settings they contain are processed:
- Is the group policy link enabled or disabled?
- Is the object for which we are determining policy within the scope of the GPO, i.e. does security filtering (the GPO's ACL, which must grant the object both Read and Apply Group Policy) allow it?
- Is the computer or the user section of the policy disabled?
- Is a WMI filter attached to the GPO? If so, does the object for which we are determining the policy match the filter?
Any domain or OU can be set to "Block Inheritance" for GPOs, meaning that GPOs linked to containers above it (and to the site) are ignored for objects below it, with one exception. Any GPO link can be set to "Enforced," a link setting that means that the settings in this GPO cannot be overridden by a GPO that is processed later. An enforced link is also the exception to "Block Inheritance": its settings still apply below a container that blocks inheritance. Enforced GPOs are processed after all other GPOs, and if two enforced GPOs conflict, the one linked higher in the hierarchy (closer to the site or domain) wins.
When multiple GPOs are linked to a single AD container, they are processed from the highest link order number down to the lowest, so the GPO with link order 1 is processed last and its settings take effect where GPOs in the same container conflict.
Thus, the settings in all applicable policies are evaluated in order. Each time a new value for a setting is encountered, the new value replaces the old one; because enforced links are processed last, their values are the ones that survive. This continues until the Group Policy client has determined the Resultant Set of Policy (RSOP), which it then applies.
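The rules above (site, domain, OU order; link order within a container; Block Inheritance; Enforced; last value wins) can be replayed on paper, but a small resolver makes the interactions concrete. The following is an added example written for this page, not code from the original article or from Microsoft; the GPO names S, C, W, P1, P2 and M1 follow the table above, while the container names, the settings and their values are constructed for the illustration.

```powershell
# Added example (not from the original article): replays the Group Policy precedence rules
# on constructed sample data. GPO names follow the article's table; containers and settings
# are invented.

function Resolve-GpoProcessingOrder {
    # $Soms: scopes of management (site, domain, then OUs from the domain root down to the
    # object's own OU) in the order Group Policy walks them. Each has Name, BlockInheritance
    # and Links; each link has Gpo, Order (1 = highest precedence in that container),
    # Enabled and Enforced.
    param([Parameter(Mandatory)][array]$Soms)

    $normal        = [System.Collections.Generic.List[object]]::new()
    $enforcedBySom = [System.Collections.Generic.List[object]]::new()

    foreach ($som in $Soms) {
        # Block Inheritance drops every non-enforced link inherited from containers above.
        if ($som.BlockInheritance) { $normal.Clear() }

        $somEnforced = [System.Collections.Generic.List[object]]::new()
        # Links in one container are processed from the highest order number down to 1,
        # so the order-1 link is applied last and wins conflicts within that container.
        foreach ($link in ($som.Links | Sort-Object -Property Order -Descending)) {
            if (-not $link.Enabled) { continue }     # a disabled link is not processed at all
            $entry = [pscustomobject]@{ Gpo = $link.Gpo; Som = $som.Name; Enforced = [bool]$link.Enforced }
            if ($link.Enforced) { $somEnforced.Add($entry) } else { $normal.Add($entry) }
        }
        if ($somEnforced.Count -gt 0) { $enforcedBySom.Add($somEnforced) }
    }

    # Enforced links are applied after all normal links. When enforced GPOs conflict, the one
    # linked higher in the hierarchy wins, so their containers are replayed leaf first, root last.
    $enforcedBySom.Reverse()
    $order = [System.Collections.Generic.List[object]]::new()
    foreach ($e in $normal) { $order.Add($e) }
    foreach ($group in $enforcedBySom) { foreach ($e in $group) { $order.Add($e) } }
    return ,$order.ToArray()
}

function Resolve-GpoSettings {
    # Replays each GPO's settings in processing order; every new value replaces the old one.
    param([Parameter(Mandatory)][array]$ProcessingOrder,
          [Parameter(Mandatory)][hashtable]$GpoSettings)

    $rsop = [ordered]@{}
    foreach ($entry in $ProcessingOrder) {
        if (-not $GpoSettings.ContainsKey($entry.Gpo)) { continue }   # GPO configures nothing
        foreach ($setting in $GpoSettings[$entry.Gpo].Keys) {
            $rsop[$setting] = [pscustomobject]@{ Value = $GpoSettings[$entry.Gpo][$setting]; WinningGpo = $entry.Gpo }
        }
    }
    return $rsop
}

# Constructed hierarchy for a computer in OU=Finance,OU=Workstations,DC=corp,DC=example.
$soms = @(
    [pscustomobject]@{ Name = 'Site HQ'; BlockInheritance = $false
        Links = @([pscustomobject]@{ Gpo = 'S';  Order = 1; Enabled = $true; Enforced = $false }) }
    [pscustomobject]@{ Name = 'DC=corp,DC=example'; BlockInheritance = $false
        Links = @([pscustomobject]@{ Gpo = 'C';  Order = 1; Enabled = $true; Enforced = $false },
                  [pscustomobject]@{ Gpo = 'W';  Order = 2; Enabled = $true; Enforced = $true  }) }
    [pscustomobject]@{ Name = 'OU=Workstations,DC=corp,DC=example'; BlockInheritance = $true
        Links = @([pscustomobject]@{ Gpo = 'P1'; Order = 1; Enabled = $true; Enforced = $false },
                  [pscustomobject]@{ Gpo = 'P2'; Order = 2; Enabled = $true; Enforced = $false }) }
    [pscustomobject]@{ Name = 'OU=Finance,OU=Workstations,DC=corp,DC=example'; BlockInheritance = $false
        Links = @([pscustomobject]@{ Gpo = 'M1'; Order = 1; Enabled = $true; Enforced = $false }) }
)
# Constructed settings per GPO (setting name -> value).
$gpoSettings = @{
    'S'  = @{ ScreenSaverTimeout = 900 }
    'C'  = @{ MinPasswordLength = 8; ScreenSaverTimeout = 600 }
    'W'  = @{ MinPasswordLength = 14 }
    'P1' = @{ ScreenSaverTimeout = 300 }
    'P2' = @{ ScreenSaverTimeout = 1200; DisableRemovableStorage = $true }
    'M1' = @{ ScreenSaverTimeout = 120 }
}

$order = @(Resolve-GpoProcessingOrder -Soms $soms)
'Processing order (applied first to last): ' + (($order | ForEach-Object { $_.Gpo }) -join ', ')
# Block Inheritance on OU=Workstations discards S and C; W survives because its link is Enforced
# and is applied last, so the order is P2, P1, M1, W.
Resolve-GpoSettings -ProcessingOrder $order -GpoSettings $gpoSettings |
    ForEach-Object { $_.GetEnumerator() } |
    Select-Object @{ n = 'Setting'; e = { $_.Key } },
                  @{ n = 'Value';   e = { $_.Value.Value } },
                  @{ n = 'WinningGpo'; e = { $_.Value.WinningGpo } } |
    Format-Table -AutoSize
```

With this data the resultant set is ScreenSaverTimeout = 120 from M1, DisableRemovableStorage from P2, and MinPasswordLength = 14 from W: the domain's own C never reaches the computer because of Block Inheritance, but the enforced W does, and it would also beat any later GPO that set MinPasswordLength. To drive the resolver with real data, the GroupPolicy module's `Get-GPInheritance -Target <domain or OU DN>` returns `GpoInheritanceBlocked` and a `GpoLinks` collection whose items carry `DisplayName`, `Order`, `Enabled` and `Enforced`, which map directly onto the fields used here.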
The Group Policy Management Console (GPMC) provides Group Policy Modeling (simulating the RSOP for a chosen user and computer) and Group Policy Results (querying a live computer), or you can run gpresult.exe on an end computer (for example, gpresult /r for a summary, or gpresult /h report.html for a full report) to see the interaction of multiple GPOs, including which GPOs were denied and why.
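When a setting does not arrive on a machine, the question is usually which of the checks listed earlier (disabled link, security filtering, disabled section, WMI filter) excluded the GPO. The following is an added example for this page, not code from the original article: it exports the RSOP from the local computer with `gpresult /x` and reports, per GPO, whether it applied and which check excluded it. The element names it reads (`GPO`, `Name`, `Enabled`, `IsValid`, `FilterAllowed`, `AccessDenied`, and `Link` with `SOMPath`, `LinkOrder` and `NoOverride`) are assumed to be those of the XML that gpresult writes; if a column comes back empty, compare them against your own report.

```powershell
# Added example (not from the original article): exports the RSoP with gpresult /x and lists,
# per GPO, whether it applied and which check excluded it.
# Assumption: the XML element names used below are the ones gpresult /x emits.

function Get-GpoApplicationReport {
    param(
        [ValidateSet('Computer', 'User')][string]$Scope = 'Computer',
        [string]$XmlPath = (Join-Path $env:TEMP 'rsop.xml')
    )

    # /x writes the report as XML and /f overwrites an existing file. Computer-scope data
    # requires an elevated prompt; user scope works for the logged-on user.
    & gpresult.exe /x $XmlPath /f /scope $Scope | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

    [xml]$rsop = Get-Content -Path $XmlPath -Raw
    $results = if ($Scope -eq 'Computer') { $rsop.Rsop.ComputerResults } else { $rsop.Rsop.UserResults }

    foreach ($gpo in @($results.GPO)) {
        # Each test mirrors one of the properties that decide whether a GPO is processed.
        if     ($gpo.AccessDenied  -eq 'true')  { $reason = 'denied by security filtering (no Apply Group Policy right)' }
        elseif ($gpo.FilterAllowed -eq 'false') { $reason = 'WMI filter evaluated to false' }
        elseif ($gpo.Enabled       -eq 'false') { $reason = "$Scope section of the GPO is disabled" }
        elseif ($gpo.IsValid       -eq 'false') { $reason = 'GPO could not be read (missing or corrupt)' }
        else                                    { $reason = 'applied' }

        # A GPO linked at several containers has several Link elements; report the first.
        $link = @($gpo.Link)[0]
        [pscustomobject]@{
            Name      = $gpo.Name
            Applied   = ($reason -eq 'applied')
            Reason    = $reason
            LinkedAt  = $link.SOMPath
            LinkOrder = $link.LinkOrder
            Enforced  = ($link.NoOverride -eq 'true')
        }
    }
}

# Usage: every GPO in the computer's scope, applied ones first.
Get-GpoApplicationReport -Scope Computer | Sort-Object Applied -Descending | Format-Table -AutoSize
```

A GPO that is absent from the list altogether was never in scope at all: it is not linked anywhere in the computer's site, domain, or OU chain, or its link is disabled, or it was blocked by Block Inheritance without being enforced. Those cases are diagnosed from the links themselves (for example with `Get-GPInheritance`), not from the RSOP report.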