Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Easy Guide to Group Policy Object Precedence


If you want precise, centrally managed control over the settings of domain-joined Windows computers and the users who log on to them, Group Policy is the tool to use. It can become complex, however, because each Group Policy Object (GPO) can contain thousands of computer and user settings, and multiple GPOs with potentially conflicting settings can be linked to Active Directory sites, domains, and organizational units (OUs). This guide explains how Group Policy precedence is decided, so that the security settings you intend to enforce are the ones that actually win.

When working with Group Policy, two things decide what a given object receives: where it sits in Active Directory (which site, domain, and OU), and whether the setting lives under Computer Configuration or User Configuration, since the two halves are processed separately (computer settings at startup and on refresh, user settings at logon). The mnemonic LSDOU (local, site, domain, organizational unit) gives the order in which GPOs are processed: the local policy is applied first, then site-linked GPOs, then domain-linked GPOs, then OU-linked GPOs from the top of the OU tree down. Each layer is written after the one before it, so when two layers configure the same setting the later layer wins. Although GPOs are usually thought of as a domain feature, every Windows machine also has a local policy, which is where the "L" comes from.

Local Group Policy

Every Windows device has a Local Group Policy, edited with the Local Group Policy Editor (gpedit.msc, or search for "Edit Group Policy" in the Start Menu). Because it is processed first, any setting that is also configured in a site-, domain-, or OU-linked GPO is overridden by the domain-delivered value; the local policy only governs settings that no domain GPO touches. As a result, the Local Group Policy is mainly useful for devices that are not joined to an Active Directory domain. On a domain member, do not rely on it for security settings, since a later domain GPO can silently replace them.

Active Directory Group Policy

Group Policy Objects must be linked to an Active Directory site, domain, or OU before they take effect. A linked GPO applies not only to the container it is linked to but also to everything beneath it. A GPO linked to a domain applies to every user and computer in that domain, including those in its OUs; a GPO linked to an OU applies to the objects in that OU and in its child OUs. Sites are different: a site does not contain domains or OUs, it is a set of IP subnets, so a site-linked GPO applies to the computers whose addresses fall in those subnets (and to users logging on at those computers), regardless of which domain or OU they belong to. To view or modify GPOs, use the Group Policy Management Console (GPMC, gpmc.msc), available from the Tools menu of Server Manager. The settings in a GPO are organized much like those of the Local Group Policy, with an additional category, Group Policy Preferences, that gives administrators further options for tailoring users' environments.

Using Group Policy with Sites

If a Group Policy Object (GPO) is linked to a site, its settings apply to every computer located in that site (as determined by the computer's IP subnet) and to users logging on at those computers. Multiple GPOs can be linked to one site, and when they contain conflicting settings you need to know which one wins. Within a single site, domain, or OU, the GPO with the lowest Link Order number has the highest precedence: the linked GPOs are processed from the highest Link Order number down to 1, and because the last setting written wins, the GPO at Link Order 1 overrides the others. Link Order numbers therefore express precedence among GPOs linked to the same container.

To view the Link Order numbers of GPOs for a site, follow these steps in the Group Policy Management Console (GPMC):

  • Step 1. Right-click on Sites and select Show Sites.
  • Step 2. In the Show Sites dialog, select the sites you want to display in GPMC and click OK.
  • Step 3. Expand the Sites section in GPMC to view all the configured sites in Active Directory. The default site is usually named Default-First-Site-Name, but it can be renamed.
  • Step 4. Click on the desired site.
  • Step 5. Under the Linked Group Policy Objects tab, you will see a list of linked GPOs for the site. If there are no linked GPOs, the list will be empty. If there are linked GPOs, their Link Order numbers will be displayed, indicating their precedence. Higher numbers indicate lower precedence. For example, a GPO with a Link Order number of 3 will take precedence over a GPO with a Link Order number of 4.
  • Step 6. To change a GPO’s Link Order number, select the GPO and use the up and down arrows on the left to move it to the desired position in the list.

Using Group Policy with Domains and OUs

GPOs can be linked to domains and OUs in the same way as to sites. By default, the Default Domain Policy is linked to the root of each domain and the Default Domain Controllers Policy to the Domain Controllers OU. In the normal processing order, GPOs linked to OUs have the highest precedence (a child OU's links beat its parent's), followed by those linked to the domain, then those linked to sites, with the local policy lowest. Two settings change this order. Block Inheritance on a domain or OU stops GPOs linked above it from applying, and an Enforced link both overrides Block Inheritance and wins over any conflicting GPO linked lower down. An Enforced GPO at the domain root therefore cannot be overridden by any OU, which makes Enforced links the right place for non-negotiable security baselines and, equally, something to audit, since an attacker who can edit or link an Enforced GPO reaches every object beneath it. To see which GPOs are linked to a domain or OU, click the container in GPMC and open the Linked Group Policy Objects tab. For the full picture, open the Group Policy Inheritance tab, which also lists the GPOs inherited from parent domains and OUs, in effective precedence order, with Enforced links at the top. GPOs linked to sites still apply to the computers in the site and take part in the processing order, but they are not shown on the Group Policy Inheritance tab, because inheritance is computed from the directory hierarchy alone and the tab cannot know which site a given user or computer will be in at processing time.
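The same information that GPMC shows on the Linked Group Policy Objects and Group Policy Inheritance tabs, for sites as well as for domains and OUs, can be read and changed with the RSAT GroupPolicy and ActiveDirectory modules. The script below is an added example and is not part of the original post; the domain (corp.example.com), OU, GPO, and site names in it are hypothetical.

```powershell
# Added example: inspect GPO link precedence for an OU, adjust link order and
# enforcement, and locate site links. Requires the RSAT GroupPolicy and
# ActiveDirectory modules; all names below are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = "DC=corp,DC=example,DC=com"
$ou       = "OU=Workstations,$domainDn"
$inh      = Get-GPInheritance -Target $ou

# Links set directly on the OU (the Linked Group Policy Objects tab).
# Order 1 is the highest precedence: it is written last during processing.
"Links on $($inh.Path):"
$inh.GpoLinks | Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# The resultant list from this OU up through the domain (the Group Policy
# Inheritance tab). Enforced parent links move to the top. Site links are
# absent, because inheritance is computed without knowing any computer's site.
"Effective order (1 wins):"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target |
    Format-Table -AutoSize

if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $ou; only Enforced parent links still apply."
}

# Give a GPO top precedence among the OU's own links (Link Order 1).
Set-GPLink -Name "Workstation Hardening" -Target $ou -Order 1

# Mark a domain-level baseline as Enforced so no OU can override or block it.
Set-GPLink -Name "Domain Security Baseline" -Target $domainDn -Enforced Yes

# Sites live under CN=Sites,CN=Configuration, not under the domain.
# Get-GPInheritance does not accept a site, but New-GPLink and Set-GPLink do.
$site = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,$domainDn"
New-GPLink -Name "Site Proxy Settings" -Target $site
# The raw gPLink attribute is what GPMC renders on the site's
# Linked Group Policy Objects tab.
(Get-ADObject -Identity $site -Properties gPLink).gPLink

# Audit every Enforced link in the domain: these beat all OU-level GPOs
# and deserve a review of who can edit and link them.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { (Get-GPInheritance -Target $_.DistinguishedName).GpoLinks } |
    Where-Object Enforced |
    Select-Object Target, DisplayName, Order
```

To confirm on a client which GPO actually won a given setting, run gpupdate /force followed by gpresult /h report.html; the HTML report lists the applied GPOs and, for each setting, the Winning GPO.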

Filtering GPOs

The default GPOs are created when a new domain is set up, and the usual recommendation is to leave them largely as they are and create new GPOs at the domain root for settings that must apply to the whole domain. Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy) belong at the domain root: they only affect domain accounts when they come from a GPO linked to the domain itself, and a GPO carrying them linked to an OU only changes the local accounts on the computers in that OU. Other domain-wide settings can be added at the root as well, but most GPOs are linked at the OU level, which gives more granular control and follows the organization's structure.

If a GPO should apply to most computers or users but not all of them, you can still link it high up and then narrow its scope on the GPO's Scope tab, using Security Filtering or WMI Filtering. By default, every GPO has Authenticated Users in its security filter with Read and Apply Group Policy permissions, so it applies to everything in the linked container. You can replace this with specific security groups, users, or computers. One caveat matters here: since the MS16-072 update (KB3163622, June 2016), the user half of a GPO is retrieved in the computer's security context, so if you remove Authenticated Users entirely, the computer account can no longer read the GPO and its user settings silently stop applying. Keep Authenticated Users with Read permission only, or grant Domain Computers Read on the Delegation tab. WMI filters narrow the scope further with a WQL query (for example, by operating system edition or hardware) that each client evaluates at processing time; the query is checked on the client, so keep it simple and test it before relying on it.
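The filtering workflow above, as an added example that is not part of the original post: narrowing a GPO's security filter to one group while keeping it readable by computers, verifying the result, testing a WMI filter's query on a client, and checking the effective domain account policy. The GPO and group names are hypothetical.

```powershell
# Added example: restrict a GPO to a security group without breaking user
# policy retrieval, verify the filter, test a WMI filter query, and show the
# effective domain account policy. GPO and group names are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo   = "Finance Browser Lockdown"
$group = "GPO-Finance-Browser-Apply"

# Default state: Authenticated Users holds Read + Apply.
Get-GPPermission -Name $gpo -All | Select-Object Trustee, TrusteeType, Permission

# Lower Authenticated Users to Read only. -Replace is required, because
# Set-GPPermission will not reduce an existing higher permission level without it.
# Read must stay: after MS16-072 the computer account reads the user half of the
# GPO, and removing Authenticated Users entirely makes user settings stop applying.
Set-GPPermission -Name $gpo -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Grant Apply to the target group only.
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group -PermissionLevel GpoApply

# Verify: exactly one trustee should hold Apply Group Policy.
$apply = @(Get-GPPermission -Name $gpo -All | Where-Object { $_.Permission -eq 'GpoApply' })
if ($apply.Count -ne 1 -or $apply[0].Trustee.Name -notlike "*$group") {
    Write-Warning "Unexpected Apply trustees on '$gpo': $(($apply | ForEach-Object { $_.Trustee.Name }) -join ', ')"
} else {
    "Apply is limited to $group"
}

# WMI filters are created in GPMC, but the WQL can be tested on any client first.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
if (Get-CimInstance -Query $wql) { "This machine matches: $wql" } else { "This machine does not match" }

# Account Policies only take effect for domain accounts from a GPO linked at the
# domain root; this shows what the root-linked GPOs actually produced.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, LockoutThreshold, LockoutDuration
```

If the verification warning fires after a change, check the Delegation tab for trustees added outside GPMC, since Apply Group Policy can be granted there without appearing in the Security Filtering list.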

How Lepide Helps Secure Group Policy Objects and Active Directory

Lepide Auditor can help to monitor and protect your Active Directory Group Policy Objects. It uses machine learning algorithms to analyze user behavior in order to detect and respond to unusual patterns that may pose a threat to your GPOs. It can also help you determine the number of privileged users within your environment and identify those with excessive permissions, helping administrators set up and configure GPOs in a more informed way. The platform simplifies the process of reversing unauthorized or unwanted changes made to Active Directory and Group Policy, allowing administrators to maintain the integrity of their systems.

If you’d like to see how Lepide Auditor can help you secure your Group Policy Objects, schedule a demo with one of our engineers.