- Knowledge base
- Active Directory management
- Active Directory reports
- Active Directoy integrations
- Active Directory automation
- Active Directory delegation
- Governance, risk, and compliance
- Microsoft 365 management and reporting
- AD migration
- Access certification
- Identity risk assessment
- Risk exposure management
- FAQs
- Pricing
- Online demo
- Request support
- Get quote
When multiple Group Policy Objects (GPOs) are applied to the same user or computer, two mechanisms decide which settings win: link order and the broader LSDOU processing sequence. The GPO with link order number 1 sits at the top of the list, is processed last, and overrides any conflicting settings applied before it. This guide explains how link order fits into the broader LSDOU processing sequence, how to change Llnk order in the Group Policy Management Console (GPMC), how enforced GPOs change the rules, and how to verify which policies took effect.
What is GPO link order, and why does it matter?
GPO link order is the numeric value assigned to each GPO linked to an AD site, domain, or organizational unit (OU). The link order determines which GPO's settings take effect when two or more linked GPOs configure the same setting in conflicting ways.
Link order is distinct from the broader local, site, domain, and OU (LSDOU) processing sequence, and it resolves conflicts only among GPOs linked to the same site, domain, or OU, not across levels of the AD hierarchy. Within a single container, the rule is simple: The GPO with the lowest link order number has the highest precedence because it is processed last and overwrites the settings applied by GPOs with higher Link Order numbers. In other words, when you look at the Linked Group Policy Objects tab in the GPMC, the GPO at the top of the list is the last one applied. A higher number, such as 4 or 5, indicates a lower priority.
This matters because most production AD environments link multiple GPOs to the same OU with separate GPOs for drive mappings, security baselines, and software deployment. When those GPOs touch the same setting, link order is the deciding factor.
GPO processing order (LSDOU)
Windows applies GPOs in a fixed hierarchical order known as LSDOU, with each layer overriding the previous.
The processing sequence is:
- Local Group Policy: The local GPO exists on every Windows computer regardless of domain membership and can be edited using the Local Group Policy Editor. It is the first policy applied at startup or logon and forms the baseline that domain-based GPOs build on or override.
- Site: Next, any GPOs linked to the AD site associated with the computer's IP subnet are processed. Site-level GPOs are rare in modern environments because most organizations manage policy at the domain or OU level instead.
- Domain: GPOs linked to the domain are applied next and affect every user and computer in the domain unless filtered or blocked. The Default Domain Policy, which controls account lockout, password length, and Kerberos settings, is the most common example.
- OU: Finally, GPOs linked to the OU containing the user or computer object are processed, starting with the topmost parent OU and moving down through any nested OUs to the OU that holds the object.
The guiding principle across all four levels is that the "last applied GPO wins." A setting configured in an OU-level GPO will override the same setting configured at the domain level because the OU GPO is applied later in the sequence. Within any single level, for example, when three GPOs are linked to the same Sales OU, the link order takes over as the tiebreaker.
LSDOU determines the order of levels, while link order determines the order within a level. Together they decide the effective policy applied to any given user or computer.
How to change GPO link order and precedence in the GPMC
The GPMC is the native tool for adjusting link order. The process takes seconds, but the consequences ripple to every user and computer in the container, so it is worth doing deliberately.
Steps to change GPO link order in the GPMC:
- Open the GPMC.
- In the left pane, expand the forest and domain, then navigate to the OU, domain, or site whose link order you want to change.
- Click the container to load it, then select the Linked Group Policy Objects tab in the right pane.
- Click the GPO you want to move. The Move up, Move down, Move to top, and Move to bottom arrows on the left edge of the tab become active.
- Use the arrow buttons to reposition the GPO. Moving a GPO up decreases its link order number, increasing its precedence. Moving it down increases the number and lowers its precedence.
- Verify the new link order in the Link Order column. The new link order is saved to AD immediately, but it only affects client machines at the next Group Policy refresh or sooner if you run gpupdate /force on a target machine.
ADManager Plus simplifies link order management when you need to operate at scale. From a single console, you can manage GPO links across multiple OUs in bulk, modify GPO Link Order, create new GPOs, and edit existing GPOs, all without scripting and without switching between the GPMC and other tools. For administrators managing dozens of OUs, this turns a click-by-click GPMC task into a single configurable action.
Validate GPO processing order using gpresult
gpresult is the command-line tool for confirming which GPOs applied to a session and in what order. Run it from an elevated Command Prompt:
- gpresult /r: Displays a summary report in the console. The Applied GPOs section lists every GPO that took effect, ordered by precedence, along with the user and computer to which they applied.
- gpresult /h gpreport.html: Generates a detailed HTML report that includes setting-level winning GPO information, denied GPOs, and the filters that excluded them.
Run gpupdate /force first to refresh policy, then gpresult /r to confirm whether the new link order took effect. The Applied GPOs list is ordered by precedence—the GPO at the top of the list was applied last and has the highest precedence, while the GPO at the bottom was applied first.
Enforced GPOs and how they override GPO precedence
An enforced GPO is a GPO whose link has been explicitly marked to override everything else. When you right-click a GPO link in the GPMC and select Enforced, you change the processing rules for that GPO in two important ways: Its settings cannot be overridden by GPOs applied later in the LSDOU sequence, and Block Inheritance has no effect on it.
During Group Policy processing, Windows applies non-enforced GPOs first, then layers enforced GPOs on top. Because the enforced GPOs are applied last, their settings always win, even against an OU-level GPO that would normally take precedence over a domain-level one. The "last applied wins" rule still holds, and enforced GPOs guarantee they are always applied last.
ADManager Plus lets administrators enforce GPOs and manage enforcement status across the directory from a single interface and is especially useful when you need to audit enforced GPOs domain-wide or apply enforcement consistently across many OUs.
FAQ
- What is Link Order in Group Policy?
Link order is the numeric value assigned to each GPO linked to an AD site, domain, or OU. It determines the order in which Windows processes those GPOs and, by extension, which one wins when settings conflict. The GPO with link order 1 is processed last and has the highest precedence.
- In what order do GPOs get applied?
GPOs are applied in LSDOU order: Local Group Policy first, then site GPOs, then domain GPOs, then OU GPOs. Within a single container, link order determines the sequence—the GPO with the highest link order number is processed first and the lowest is processed last.
- What is the order of precedence for Group Policy processing?
Precedence follows the "last applied wins" rule. Because LSDOU processes Local Group Policy first and OUs last, OU GPOs override domain GPOs, which override site GPOs, which override the local GPO. Within a level, the GPO with link order 1 wins. Enforced GPOs override all of this.
- What is the hierarchy of GPOs?
The Group Policy hierarchy mirrors the AD hierarchy: Local computer > site > domain > parent OU > child OU. GPOs linked higher in this hierarchy are inherited by every object below them unless Block Inheritance is enabled or security filtering excludes the object.
- How do I change GPO link order?
Open the GPMC (gpmc.msc), navigate to the container holding the GPO, select the Linked Group Policy Objects tab, click the GPO, and use the arrow buttons on the left of the tab to move it up or down. The change takes effect at the next Group Policy refresh.