MCITP 70-640: Group Policy Processing Order
Welcome to IT Free Training video on Group
Policy processing order. In any large organization it is more than likely that you will have
multiple Group Policies affecting both computers and users in the domain. This video will help
you understand which Group Policy settings are applied when multiple Group Policies are
used within your organization. When multiple Group Policies are associated
with the same computer, the following order is followed. Firstly, local Group Policy that
is configured for that computer is applied. After this, any Group Policies that have been
applied at the site level are applied. The next Group Policy to be applied is at
the Domain level, while the final Group Policies to be applied will be Organizational Units.
If there are multiple levels of Organizational Units, the Group Policy is applied starting
from the top of the tree, moving downwards. Let us go through an example to understand
how this works. In this example, the local group policy has been configured to apply
custom desktop wallpaper and remove the recycle bin from the desktop. Since no other Group
Policy has been configured in the domain, these two Group Policy settings configured
in the local Group Policy will be applied. If a Group Policy is added at the site level
to configure a proxy server, this will then be added to the result. The two settings from
Local Group Policy will still apply though, as the settings added from the site level Group
Policy do not overlap with the settings applied from the Local Group Policy.
It is rare for Group Policy to be applied at the site level, though when it is applied
it will often be used for site-specific items like configuring proxy servers. If a Domain Group Policy is added that sets
the Wallpaper whilst also disabling the control panel, what will then eventuate is the following.
The wallpaper that was applied by the local Group Policy will then be overwritten by the
Group Policy settings that were applied at the domain level. Disabling the control panel
has also been added to the result. The proxy server configured at the site level
still remains, as does removing the recycle bin from the local Group Policy. In this network, some computers have been
configured to test out new software and thus require the control panel. In order to do
this, another Group Policy is created and applied to a testing OU. Since this Group
Policy enables the control panel, notice in the results the control panel has been enabled
again. You can start to see how powerful Group Policy
is. At each stage settings are either added or replaced to the resulting Group Policy
settings. This allows you to customize Group Policy to meet the needs of your organization.
I will change to my Windows 7 computer to look at how to configure Group Policy.
First of all I want to configure local Group Policy. In order to do this, run edit Group
Policy from the start menu. In this case, the setting that I want to configure is the
Desktop Wallpaper. This Group Policy setting can be found under Administrative Templates,
Desktop and Desktop. Under Desktop, select the setting Desktop
Wallpaper. Once I enable this Group Policy setting, I will configure it to use an image
stored on a file server. For the Wallpaper Style I will configure it to stretch to ensure
the Wallpaper always fits the resolution the user is using.
Once configured, I will then exit out and configure the option to hide the recycle bin.
This setting can be found under Administrative Templates, Desktop. The setting that I am
after is Remove Recycle bin from desktop. To configure this Group Policy setting all
I will then need to do is enable it. Once enabled, I will now close Group Policy Management,
log off, then log back in again. Since I have only changed User Settings, the Group Policy
settings that I have changed will be applied when I log back in; there is no need to reboot.
Once logged back in, notice that the wallpaper has changed to the one configured in Local Group
Policy. Also notice that the Recycle Bin is no longer visible.
Even though you can configure settings using local Group Policy, in most cases it is not
recommended due to there being no centralized control, thus making them difficult to manage.
To configure Group Policy in the domain, I will now run Group Policy Management from
the start menu. In this case I will configure Group Policy at the site level. Before I can
assign Group Policy at the site level, I first need to create a Group Policy Object.
I can do this by right clicking Group Policy Objects and then selecting New. I will call
the Group Policy New York Proxy Server since this Group Policy will be used to configure
the proxy server at the New York site. Some of you may be thinking, could I have
created a Group Policy on the New York OU rather than at the site level? When you organize
your Active Directory objects like this, it is possible to configure a proxy server at
the OU level and achieve the same result. You can see that even though it is possible
to configure Group Policy at the site level, many administrators will use different methods
to get the same results rather than use site level Group Policy.
Once the Group Policy is configured, the next step is to go down to sites, right click it,
then select the option – Show Sites. Once I select which sites I want to show, in this
case the site New York, the next step is to right click on New York, then select the option
Link an Existing GPO. Now I will be able to select the Group Policy Object that I created
earlier. Unlike when assigning Group Policy to Organizational Units, there is no way to
create and link the Group Policy in one step. Since sites are configured at the Forest Level,
this feature is most likely not available since when creating the Group Policy it could
be created in any domain in the forest. By not having the option, this forces the administrator
to create the Group Policy object in the correct domain, rather than Group Policy Management
guessing which domain the Group Policy Object was to be created in.
Once configured, I can right click the link to New York Proxy Server and edit the Group
Policy Object. Most settings any administrator will configure are found in Administrative
Templates; in this case the proxy settings are found under Windows Settings, Internet
Explorer Maintenance and then connection. To configure the proxy setting, all I need
to do is select the option on the right – Proxy Settings. Once I enable the setting, I can
then enter in the address of the proxy server. Now that the proxy setting is configured,
I will next configure the settings at the domain level.
I will first modify the Group Policy Domain Wide Group Policy. This is a Group Policy
that I created in an earlier video. To configure the desktop, I will once again go down to
Administrative Templates, Desktop and then down again to Desktop. The setting that I
am after is Desktop Wallpaper. If you have watched our previous videos on
Group Policy, you may remember that I have already configured this setting. Before I
start this demonstration I will clear this particular Group Policy setting, otherwise
configuring the local Group Policy desktop setting will have no effect.
Once enabled, I will then configure this setting to use special desktop wallpaper that I created
with the writing on it indicating it came from a Domain Group Policy.
Like the local Group Policy setting, I will also configure it to stretch so that the Wallpaper
fills the screen if the user uses a different resolution. I will now exit out of here and
configure the Group Policy setting to disable the Control Panel. This can be found under
Administrative Templates and then Control Panel. The setting that I need to configure
is Prohibit Access to the Control Panel. This setting only needs to be enabled.
When enabling settings such as these, take the time to read the description. Since the setting
disables the control panel it needs to be enabled. If this setting was configured to
disabled, this would enable the Control Panel. Once configured, I will exit out of Group
Policy Management, then log off and log back in again. Once the user logs back in again,
Group Policy will be reapplied for that user. Notice that the Wallpaper has changed to the
Wallpaper specified in the Domain Group Policy. This Group Policy setting has replaced the
Group Policy Setting that was configured in the local Group Policy.
Notice also the Recycle Bin is still hidden, as this setting was configured in the local
Group Policy setting. If I open the start menu, notice that the Control Panel has been
hidden so the user cannot access it. In some cases you may have a user that needs
different settings than the other users. In this example, this user is testing some software
and needs access to the control panel. To achieve this I will create a special OU for
this user. To do this, open Active Directory Users and
Computers from the start menu. Expanding downwards, you can see that the User Trainer is under
New York, Users, and then Marketing OU. For this user I will create an Organizational
Unit under Users by right clicking on Users, selecting new and then Organizational Unit.
I will now call the new Organizational Unit Testing. Once created, the next step is to
move the Trainer user account into the Testing OU. Notice that when I move the user I get
a warning telling me that moving objects around the domain can affect the user, for example
which Group Policy settings are applied to them. Since this is what I want, I will press
OK, and then exit out of Active Directory Users and Computers.
To create the Group Policy Object for the testing Organizational Unit, run Group Policy
Management. I will expand down to the Testing OU, right click and select the option Create
a GPO in This Domain, and link it here. For the name of the Group Policy, I will call
it New York Testing. Once the Group Policy is created, I can edit it.
To enable the control panel for this user, I will expand down through Administrative
Templates, Control Panel. From the right hand side I will select the option Prohibit Access
to the Control Panel. See how this setting is configured to Not
Configured. This means that it will not have an effect. In order to reverse the effect
of disabling the control panel configured in the Domain Group Policy, I need to select
the option Disabled. This will effectively enable the control panel. The wording may
seem a little strange at first. Once configured, I will then exit out of Group
Policy Management and once again log out and log back in again. A point to note here – if
the computer account was moved in Active Directory the computer will need to be restarted in
order for Group Policy to be correctly applied. Since it is only the user account being moved,
I can log out and log back in and get the correct Group Policy settings.
Notice that the Wallpaper is still being applied at the domain level and the Recycle Bin has
been removed from the Desktop. If I go back to the Start Menu, notice the Control Panel
has reappeared in the Menu. In this video I have looked at the order Group
Policy is applied. This is Local, Site, Domain, and then OUs. It is important to understand
this order when troubleshooting Group Policy in your domain.
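
The Local, Site, Domain, OU order and the difference between Disabled and Not Configured, modelled as an added Python example that is not part of the original video. The GPO and setting names come from the walkthrough; the wallpaper and proxy values are constructed placeholders, and only the plain processing order covered in this video is modelled. For each setting it records which GPO wins and which GPOs it overrode.

```python
# Added illustration: a constructed model of the video's example, not real GPO data.
NOT_CONFIGURED = "Not Configured"
CONTROL_PANEL = "Prohibit Access to the Control Panel"

def video_example(testing_ou_state="Disabled"):
    """GPOs from the walkthrough, listed in processing order (Local, Site, Domain, OU)."""
    return [
        ("Local Group Policy", {
            "Desktop Wallpaper": "local wallpaper",       # constructed value
            "Remove Recycle Bin from desktop": "Enabled",
        }),
        ("New York Proxy Server", {                       # linked at the site
            "Proxy Settings": "proxy.example:8080",       # constructed value
        }),
        ("Domain Wide Group Policy", {
            "Desktop Wallpaper": "domain wallpaper",      # constructed value
            CONTROL_PANEL: "Enabled",
        }),
        ("New York Testing", {                            # linked at the Testing OU
            CONTROL_PANEL: testing_ou_state,
        }),
    ]

def resultant_set(gpos):
    """Apply GPOs in order; a later configured value replaces an earlier one."""
    result = {}
    for gpo_name, settings in gpos:
        for setting, state in settings.items():
            if state == NOT_CONFIGURED:
                continue  # Not Configured has no effect on the result so far
            previous = result.get(setting)
            overrode = previous["overrode"] + [previous["winner"]] if previous else []
            result[setting] = {"state": state, "winner": gpo_name, "overrode": overrode}
    return result

def control_panel_visible(result):
    """The Control Panel is hidden only while the prohibit setting resolves to Enabled."""
    entry = result.get(CONTROL_PANEL)
    return entry is None or entry["state"] != "Enabled"

if __name__ == "__main__":
    for setting, entry in resultant_set(video_example()).items():
        print(f"{setting}: {entry['state']} (from {entry['winner']}, overrode {entry['overrode']})")
```

Calling `video_example(NOT_CONFIGURED)` shows why the Testing OU policy has to be set to Disabled: left at Not Configured, the domain-level Enabled value still wins.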
Some of you may have already worked out that if you configure a Group Policy at the domain
level this will affect all computers and users in the domain. This includes Domain Controllers
and Administrators. Disabling the control panel for the Domain Administrator was probably
not the result originally intended when configuring the Group Policy at the Domain level. This
is just one example of why you should be careful when configuring Group Policy, as a wrong
setting can affect all the users and computers in your domain.
In the next video, I will look at how to target Group Policy a bit better to avoid problems
such as unintentionally removing the control panel from all your Domain Administrators.
As always, thanks for watching another one of our always free videos from IT Free Training.
See you next time.