Group Policy inheritance

Group Policy inheritance is a set of rules that control how GPOs are applied to computers. To apply Net iD settings of a Group Policy object (GPO) to computers, you can link that to the domain, a site, or an organizational unit in the Active Directory. You can add one or more GPO links to each domain, site, and organizational unit in the Group Policy Management Console. The settings deployed by GPOs linked to higher containers (parent containers) in Active Directory are inherited by default to child containers and combine with any settings deployed in GPOs linked to child containers. If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence decides the setting. GPO processing is based on a last writer wins model, and GPOs that are processed later have precedence over GPOs that are processed earlier. Group Policy objects are processed according to the following order:

  1. GPOs linked to sites.

  2. GPOs linked to domains.

  3. GPOs linked to organizational units.

You can further control precedence and how GPO links are applied by:

  • Changing the GPO link order (on a site, domain or organizational unit).

  • Blocking GPO inheritance.

  • Enforcing a GPO link.

  • GPO filtering using security groups.

  • WMI filtering.