The group policy management console (GPMC) integrates group policy functionality from a variety of Active Directory administrative tools into a single, unified console dedicated to group policy management tasks. One of the many useful features of GPMC is the ability to carry out group policy modelling, for example when diagnosing issues with GPO application.
Policies are applied in the following order:
- Organizational unit (OU)
- Child OU
- [Child OU etc.]
When a container (site, domain or OU) has links to multiple GPOs, these can be assigned a link order to designate an order of precedence. Sounds straightforward enough, except that to me, the term “link order” suggests the order in which links to GPOs are applied – i.e. 1, then 2, then 3, etc. In that way, if GPO a (with link order 1) is overridden by a setting in GPO b (with link order 2), then GPO b (second to be applied) would be the winning GPO. Except that it doesn’t work that way!
Microsoft’s Group Policy Management Console Technical Reference provides a full description of how GPMC can be used, and provided me with a gem of information that seems to me totally illogical, but solved a problem I’ve been struggling with this afternoon:
“When a container has multiple GPO links, administrators can use GPMC to manipulate the link order for every container. GPMC assigns each link a link order number; the GPO link with link order of 1 has highest precedence on that container.”
The GPO with link order 1 has the highest priority – i.e. it is applied last! I switched the policy link order and now the resultant set of policies is exactly the way I need it to be.
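
The precedence rule quoted above, worked through in PowerShell as an added example that is not part of the original post. The sample links, the `Settings` property, the setting name and the function name `Resolve-LinkOrder` are constructed for illustration; only the link order of enabled links on a single container is modelled (enforced links and inheritance from parent containers are not).

```powershell
# Constructed sample: two GPO links on one OU, shaped like the GpoLinks
# property returned by Get-GPInheritance (DisplayName, Order, Enabled).
# "Settings" is a hypothetical stand-in for what each GPO configures.
$links = @(
    [pscustomobject]@{
        DisplayName = 'GPO a'; Order = 1; Enabled = $true
        Settings    = @{ ScreenSaverTimeout = 600 }
    }
    [pscustomobject]@{
        DisplayName = 'GPO b'; Order = 2; Enabled = $true
        Settings    = @{ ScreenSaverTimeout = 900 }
    }
)

function Resolve-LinkOrder {
    param([Parameter(Mandatory)][object[]]$GpoLinks)

    # Processing sequence: highest link order number first, link order 1 last.
    # Disabled links are not processed at all.
    $sequence = @($GpoLinks | Where-Object Enabled | Sort-Object Order -Descending)

    $effective = @{}   # setting name -> winning value and the GPO that set it
    foreach ($link in $sequence) {
        foreach ($name in $link.Settings.Keys) {
            # A GPO processed later overwrites what an earlier one wrote,
            # so the link with order 1 always has the final say.
            $effective[$name] = [pscustomobject]@{
                Setting   = $name
                Value     = $link.Settings[$name]
                Winner    = $link.DisplayName
                LinkOrder = $link.Order
            }
        }
    }

    [pscustomobject]@{
        AppliedInSequence = @($sequence | ForEach-Object DisplayName)
        Effective         = @($effective.Values)
    }
}

$result = Resolve-LinkOrder -GpoLinks $links
'Applied in sequence: ' + ($result.AppliedInSequence -join ' -> ')
$result.Effective | Format-Table Setting, Value, Winner, LinkOrder
```

On a domain-joined machine with the GroupPolicy module, the `GpoLinks` property of `Get-GPInheritance -Target <container DN>` gives the real `DisplayName`, `Order` and `Enabled` values to compare against.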