NetworkConsultant01

What happens if I assign multiple GPOs that have the same settings or conflicting settings?

What happens if I create a GPO and assign it to an OU with some settings, then create and assign another to the same OU that either has the same settings or conflicts with the other?

Will one be applied over the other, or will it not be applied?
NetworkConsultant01

ASKER

So if link 1 says disable Windows Firewall and link 4 says enable Windows Firewall, the firewall will be enabled, correct?
Yes.

From Microsoft -

"If multiple GPOs are linked to the same container and have settings in common, there must be a mechanism for reconciling the settings. This behavior is controlled by the link order. The lower the link order number, the higher the precedence. Information about the links for a given container is shown on the Linked Group Policy Objects tab of a given container. This pane shows if the link is enforced, if the link is enabled, the status of the GPO, if a WMI filter is applied, when it was modified, and the domain container where it is stored. An administrator or users who have been delegated permissions to link GPOs to the container can change the link order by highlighting a GPO link and using the up and down arrows to move the link higher or lower in the link order list."
Err... I just said it backwards.

"The lower the link order number, the higher the precedence."

So, 4 then 3 then 2 then 1 are applied so 1 wins.
So the way I have this OU set up, would I be correct in saying that the first 2 GPOs will get applied, then the FDCC ones will override them if they conflict? Example being if Secure Desktop Configuration says disable firewall and the FDCC one says enable it, when it finishes it will be enabled?

Can someone explain what enforced means?
(Attached image: GPO.jpg)
No, they will get applied in the following order:

5, 4, 3, 2, 1.

4 overrides 5, 3 overrides 4, 2 overrides 3, 1 overrides 2. (Override only occurs when there is a direct conflict.)
And you should take into account what manferg said about the No Override option.
OK, I changed them around. What does the enforced setting do?
You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced.

In tools prior to GPMC, "enforced" was known as "No override".
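
The precedence rules discussed in this thread (link order inside one container, then an Enforced link on a parent), as a small model added here for illustration; it is not code from any poster or from Microsoft. The GPO names, setting keys and values are constructed, and block inheritance, security/WMI filtering and loopback are assumed out of scope.

```python
from dataclasses import dataclass

@dataclass
class Link:
    order: int              # link order number as shown in GPMC (1 = highest precedence)
    gpo: str                # GPO display name (constructed sample names below)
    settings: dict          # setting name -> configured value
    enabled: bool = True    # a disabled link is not processed at all
    enforced: bool = False  # "No override" in pre-GPMC tools

def resolve(containers):
    """containers: list of (name, [Link, ...]) ordered parent -> child.
    Returns {setting: (effective_value, gpo_that_won)}; last writer wins."""
    normal, enforced = [], []
    for _name, links in containers:
        # Inside one container the highest link order number is processed
        # first and link order 1 last, so link order 1 wins a direct conflict.
        ordered = sorted((l for l in links if l.enabled),
                         key=lambda l: l.order, reverse=True)
        normal += [l for l in ordered if not l.enforced]
        # Enforced links are processed after everything else, child before
        # parent, so an enforced parent link has the final word.
        enforced = [l for l in ordered if l.enforced] + enforced
    result = {}
    for link in normal + enforced:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

FW = "WindowsFirewall"
# Constructed sample mirroring the thread: link 1 disables the firewall,
# link 4 enables it, both linked to the same OU.
OU_LINKS = [
    Link(1, "Constructed GPO A", {FW: "disabled"}),
    Link(4, "Constructed GPO B", {FW: "enabled", "ScreenLock": "900s"}),
]
DOMAIN_ENFORCED = [Link(1, "Constructed Domain GPO", {FW: "enabled"}, enforced=True)]

def same_ou_only():
    return resolve([("Workstations OU", OU_LINKS)])

def with_enforced_parent():
    return resolve([("Domain", DOMAIN_ENFORCED), ("Workstations OU", OU_LINKS)])

if __name__ == "__main__":
    for label, fn in (("OU links only", same_ou_only),
                      ("Enforced domain link", with_enforced_parent)):
        for setting, (value, gpo) in sorted(fn().items()):
            print(f"{label}: {setting} = {value} (from {gpo})")
```

Settings that do not conflict (ScreenLock here) survive from the lower-precedence link, which is why auditing a hardening baseline means checking the effective value per setting, not just which GPO sits at link order 1.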