Tuesday, January 21, 2020

Windows Server - GPO precedence

GPOs have a precedence

GPOs are not applied simultaneously. Rather, they are applied in a logical order, and GPOs that are applied later in the process overwrite any conflicting policy settings that were applied earlier.
[Figure: flow chart of the five GPO precedence levels described below.]
The GPO processing order is sometimes referred to by the LSDOU acronym (Local, Site, Domain, OU).
    1. Local GPOs. Local GPOs are processed first. Computers that are running Windows operating systems already have a configured local Group Policy.
    2. Site GPOs. Policies that are linked to sites are processed next.
    3. Domain GPOs. Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These policies are processed in their precedence (link) order.
    4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users might have special required settings. You can link a policy to the Sales OU to deliver those settings.
    5. Child OU policies. Any policies that are linked to child OUs are processed last.
How Group Policy Handles Conflicts
AD DS objects receive the cumulative effect of all policies in their processing order. In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.


Other mechanisms, such as enforcement and inheritance blocking, can change the effect of policies on containers. For example, imagine that you link a GPO to the Sales OU, and the Sales OU has 4 child OUs. If you needed to ensure that one of the child OUs did not get the GPO settings, you could use inheritance blocking on that child OU. On the other hand, if you need to ensure that GPO settings are applied to all targeted users and computers, you can enforce the GPO link. An enforced GPO overrides inheritance blocking. Managing inheritance blocking and enforcement is complex, especially in large environments. Therefore, you should first try to achieve your goal without inheritance blocking and enforcement.
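To make the conflict rules above (last-applied wins, Block Inheritance, Enforced links beating it, and the highest-linked enforced GPO winning among enforced ones) concrete, here is a small model of the precedence algorithm. It is an added illustration, not Microsoft code; the domain, OU and GPO names and the single "DisableRegistryTools" setting are constructed sample data based on the registry-tools example above.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict            # setting -> value; a missing key is "Not Configured"
    link_order: int = 1       # 1 = highest precedence among links on one container
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_policy(local_settings, chain):
    """chain is top-down: [site, domain, OU, child OU, ...]. Later writes win,
    so the order in which apply() is called is the precedence order."""
    result, applied = {}, []
    def apply(gpo, settings):
        result.update(settings)
        applied.append(gpo)
    apply("Local", local_settings)             # 1. local GPO first (never blocked)
    # 2. non-enforced links, top-down; Block Inheritance on any lower container
    #    drops the non-enforced links of every container above it
    for i, c in enumerate(chain):
        if any(lower.block_inheritance for lower in chain[i + 1:]):
            continue
        for link in sorted(c.links, key=lambda l: -l.link_order):
            if not link.enforced:
                apply(link.gpo, link.settings)
    # 3. enforced links last and bottom-up, so an enforced GPO linked higher in
    #    the hierarchy is applied after (and beats) one enforced lower down
    for c in reversed(chain):
        for link in sorted(c.links, key=lambda l: -l.link_order):
            if link.enforced:
                apply(link.gpo, link.settings)
    return result, applied

def registry_tools_scenario(enforced=False, blocked=False):
    """The page's example: a domain GPO disables registry tools, an IT OU GPO
    re-enables them. Constructed sample data; all names are made up."""
    domain = Container("corp.example", [Link("Lockdown", {"DisableRegistryTools": 1}, enforced=enforced)])
    it_ou = Container("IT", [Link("IT-Admins", {"DisableRegistryTools": 0})], block_inheritance=blocked)
    return resultant_policy({}, [domain, it_ou])

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True), (True, True)]:
        print("enforced=%s blocked=%s" % flags, registry_tools_scenario(*flags))
```

Running it shows the OU GPO winning by default, the domain GPO winning once its link is enforced (even with inheritance blocked on the IT OU), and the domain GPO dropping out entirely when the OU blocks inheritance and the link is not enforced.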
