Group Policy Basics
Understanding how Group Policy Objects (GPOs) work in Active Directory environments.
How It Works
Group Policy is a feature of Windows that allows administrators to centrally manage settings for users and computers in an Active Directory environment. GPOs are processed in a specific order known as LSDOU: Local, Site, Domain, and Organisational Unit. Policies applied later in this order take precedence, meaning an OU-level policy will override a domain-level one for the same setting.
Processing Order (LSDOU)
- Local — policies set directly on the machine itself
- Site — policies linked to the Active Directory site
- Domain — policies linked at the domain level
- Organisational Unit — policies linked to the OU containing the object (most specific, highest precedence)
Tip
When two GPOs configure the same setting, the one processed last wins. Use "Enforced" on a higher-level GPO if you need it to override OU-level policies.
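The following PowerShell script is an added example, not part of the original page: it lists the GPOs that apply to one OU in the order LSDOU precedence resolves them, flags which links are Enforced, and warns when the OU blocks inheritance. It assumes the GroupPolicy RSAT module is installed and that the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added example: audit effective GPO precedence for a single OU.
# Assumes the GroupPolicy module (RSAT) is available; the DN below is a placeholder.
Import-Module GroupPolicy

$targetOu = "OU=Workstations,DC=corp,DC=example"   # placeholder, replace with a real OU DN

# Get-GPInheritance returns the links on this container plus everything
# inherited from the domain and site above it.
$inheritance = Get-GPInheritance -Target $targetOu

if ($inheritance.GpoInheritanceBlocked) {
    # Block Inheritance drops parent links, but Enforced links still win through it.
    Write-Warning "Inheritance is blocked on $targetOu; only Enforced parent GPOs still apply."
}

# InheritedGpoLinks is already sorted by final precedence: the first entry wins
# any conflicting setting, so an Enforced domain GPO will sit above OU-level links.
$rank = 1
foreach ($link in $inheritance.InheritedGpoLinks) {
    $scope = if ($link.Target -eq $targetOu) { 'OU' } else { 'Parent' }
    $status = if (-not $link.Enabled) { 'DISABLED' } elseif ($link.Enforced) { 'ENFORCED' } else { 'normal' }
    "{0,2}. {1,-40} linked at {2,-6} {3}" -f $rank, $link.DisplayName, $scope, $status
    $rank++
}

# Enforced links from above the OU are the ones that override the OU's own settings.
$enforcedParents = $inheritance.InheritedGpoLinks |
    Where-Object { $_.Enforced -and $_.Target -ne $targetOu }
if ($enforcedParents) {
    "Enforced GPOs overriding $targetOu : " + ($enforcedParents.DisplayName -join ', ')
}
```

Compare the printed order against what you expect before linking a new GPO; if an OU-level policy is not taking effect, an Enforced parent link near the top of the list is the usual cause.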
Managing GPOs
Use the Group Policy Management Console (GPMC) to create, edit, and link GPOs. You can model the expected results using the Group Policy Modelling wizard before making changes.
Warning
Always test policies in a staging OU before applying them to production. A misconfigured GPO can lock users out of their desktops or break application access across the entire domain.
Useful Commands
Invoke-GPUpdate -Computer "WORKSTATION01" -Force -RandomDelayInMinutes 0
Get-GPResultantSetOfPolicy -Computer "WORKSTATION01" -ReportType Html -Path "C:\GPOReport.html"
Tip
Run gpresult /h <report.html> on the target machine itself for a quick HTML report of which policies are actually applying — this is often faster than running the Modelling wizard remotely.