GPO Order of Execution Flow and Visio
April 7, 2020
Sample Visio
Download GPO_Order_of_Execution
Active Directory / Citrix GPO order of execution.
OU GPOs take precedence over Domain GPOs
Domain GPOs take precedence over Site GPOs
Site GPOs take precedence over Local Machine Policies
Citrix IMA Local Policies
Microsoft Local Policies
Local Machine Policies
IMA-based policies take precedence over local server settings
Citrix and Microsoft local policies are at the same precedence level
Rule A
User policies are more important than computer policies
Rule B
If a policy has blocked inheritance, it does not apply
a. OU may block inheritance
b. Only GPOs inside the OU will apply
c. Except for enforced GPOs above the OU
Rule C
Unless it is enforced; then it does apply (with more precedence than all others)
Rule D
Unless you deny read permissions to a user / computer for that GPO
Rule E
You should never give a deny permission
Rule F
Group Policy loopback can make computer GPOs overrule the user GPOs
(Computer configuration \ policies \ admin templates \ system \ group policy \ user group policy loopback processing mode)
Rule G
Computer policies are updated every 90-120 minutes after the computer is turned on. User policies are updated every 90-120 minutes after the user logs in.
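
The precedence list and Rules B and C can be checked with a small model. This is an added example, not part of the original post or the Visio: the container and GPO names are constructed, and it assumes each container's links are listed in application order. It returns the order in which GPOs apply, where the last entry wins a conflicting setting.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # application order: last link wins
    block_inheritance: bool = False

def application_order(chain, local="Local Machine Policy"):
    """chain runs Site -> Domain -> parent OU -> ... -> target OU.
    Returns GPO names in the order they apply; the last one wins."""
    normal, enforced_levels = [], []
    for container in chain:
        if container.block_inheritance:
            # Rule B: non-enforced GPOs linked above this OU no longer apply.
            # Local policy is not inherited through AD, so it is unaffected.
            normal.clear()
        normal += [l.gpo for l in container.links if not l.enforced]
        enforced_levels.append([l.gpo for l in container.links if l.enforced])
    # Rule C: enforced links apply after everything else, and the enforced
    # link highest in the tree applies last, so a child OU cannot override it.
    enforced = [g for level in reversed(enforced_levels) for g in level]
    return [local] + normal + enforced

def sample_chain(block_citrix_ou):
    # Constructed sample hierarchy for illustration only.
    return [
        Container("Site", [Link("Site-Proxy")]),
        Container("Domain", [Link("Domain-Baseline"),
                             Link("Domain-Password", enforced=True)]),
        Container("OU=Servers", [Link("Servers-Hardening")]),
        Container("OU=Citrix", [Link("Citrix-VDA")],
                  block_inheritance=block_citrix_ou),
    ]

if __name__ == "__main__":
    for blocked in (False, True):
        print("block inheritance on OU=Citrix:", blocked)
        for step, gpo in enumerate(application_order(sample_chain(blocked)), 1):
            print(f"  {step}. {gpo}")
```

With inheritance blocked on the Citrix OU, only the local policy, the OU's own GPO and the enforced domain GPO remain, and the enforced GPO still applies last.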