User Configuration and Computer Configuration
1. GPO includes settings for users and computer configurations
2. Users configuration is applied to users objects
3. Computer configuration is applied to computer objects
When does GPO getting applied?
1. Computer configuration applies during computer bootup
2. During boot up, user configuration is ignored
3. User configuration applies during user logon
Default refresh frequency of GPO
1. Workstations & Servers: 90~120 mins = every 90 mins + offset (up to 30 mins)
2. Domain Controller: 5~35 mins = every 5 mins + offset (up to 30 mins)
Using Group Police to configuration refresh frequency
1. For Servers: Computer Configuration\Administrative Templates:\System\Group Police\Set Group Policy refresh interval for computers
2. For Domain Controller: Computer Configuration\Administrative Templates:\System\Group Police\Set Group Policy refresh interval for domain controllers
3. For User: User Configuration\Administrative Templates:\System\Group Policy\Set Group Policy refresh interval of users
4. Range of interval is 0 to 44640 mins (31 days)
5. Range of offset is 0 to 1440 mins (24 hours)
Priority of GPO
1. GPO’s applied order: Local Policy, Site Policy, Domain Policy, OU Policy
2. At same level, Prioritized order is used to decide the applying order
3. The prioritized order is from lowest to highest
4. GPO applied to parent OU default will influence on the Child OU
5. GPO applied order in OU tree — 1st: Parent OU; 2nd: Child OU
6. We can disable the GPO inherit on child OU or object
Standard GPO inheritance Rule in OU
1. Any unconfigured settings are ignored
2. Only configured settings are inherited
Higher Level GPO |
Lower Level GPO |
Result |
with setting | without setting | inherits Higher level GPO |
with setting | with non-conflicting setting | inherits Both level GPO |
with setting | with conflicting setting | inherits Lower level GPO |
Enforced / No override GPO
1. It enable on the linked GPO
2. Enforced GPO can not be blocked to inherit
3. Enforced GPO can not be overwrote by Lower Lv. GPO
Blocking GPO
1. It enable on the OU
2. It is used to block the inheritance of non-enforced GPO