Summary: GPOs are applied in LSDOU order (Local → Site → Domain → OU), with later-applied settings overriding earlier ones; Enforcement and Block Inheritance modify this default behaviour.
Group Policy Objects are applied in this strict order. Later-applied GPOs override earlier ones (last write wins):
1. Local (gpedit.msc)
2. Site
3. Domain
4. OU
Within each level, multiple GPOs process in link order as listed in Group Policy Management Console (top to bottom).
Settings from parent containers flow down to child containers automatically. A user in Domain → OU-A → OU-B receives settings from all three levels.
Block Inheritance prevents a container from receiving GPOs from parent containers. It is set on the container (OU or domain), not on the GPO.
GPMC → right-click OU → Block Inheritance
Enforcement marks a GPO link so it cannot be overridden by child containers or Block Inheritance.
GPMC → right-click GPO link → Enforced
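
The precedence rules above (LSDOU order, inheritance, Block Inheritance, Enforced) as a simplified model; this is an added example, not code from the original page or from Microsoft. The GPO names, settings and the `resultant_policy` helper are constructed, links inside a container are assumed to be listed in processing order, and the model assumes that an Enforced link at a higher level beats an Enforced link at a lower level.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                  # GPO name (constructed for this example)
    settings: dict            # setting name -> value
    enforced: bool = False    # "Enforced" flag on the GPO link

@dataclass
class Container:
    name: str                 # site, domain or OU
    links: list = field(default_factory=list)  # assumed to be in processing order
    block_inheritance: bool = False

def resultant_policy(local, chain):
    """chain runs Site, Domain, parent OU ... child OU; returns {setting: (value, source)}."""
    result = {k: (v, "Local") for k, v in local.items()}
    def write(link):
        for k, v in link.settings.items():
            result[k] = (v, link.gpo)
    # Non-enforced links above the lowest container that blocks inheritance are skipped.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    for depth, container in enumerate(chain):
        for link in container.links:
            if not link.enforced and depth >= cutoff:
                write(link)          # last write wins: the child OU overrides its parents
    # Enforced links are written afterwards, child first, so the highest-level one wins.
    for container in reversed(chain):
        for link in container.links:
            if link.enforced:
                write(link)
    return result

# Constructed sample: Site -> Domain -> OU-A (Block Inheritance) -> OU-B
SAMPLE_CHAIN = [
    Container("Site"),
    Container("Domain", [
        Link("Domain Defaults", {"ScreenLockTimeout": 600, "PowerShellLogging": "Enabled"}),
        Link("Security Baseline", {"RemovableStorage": "Deny"}, enforced=True),
    ]),
    Container("OU-A", [Link("Lab Exceptions", {"RemovableStorage": "Allow"})],
              block_inheritance=True),
    Container("OU-B", [Link("Kiosk", {"ScreenLockTimeout": 120})]),
]

if __name__ == "__main__":
    for setting, (value, source) in resultant_policy({"ScreenLockTimeout": 900}, SAMPLE_CHAIN).items():
        print(f"{setting} = {value}  (from {source})")
```

In the sample, Block Inheritance on OU-A drops the non-enforced `PowerShellLogging` setting for everything below it, while the enforced `RemovableStorage = Deny` still overrides the OU-level exception.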
| | Computer Policy | User Policy |
|---|---|---|
| Triggered by | Machine startup | User logon |
| Applies to | All users on the machine | Specific user |
| Take effect | Restart required | Logoff/logon |
| Examples | Firewall rules, services, drivers | Desktop settings, software restrictions |
Both apply asynchronously on Windows 10 and Server 2016+ for faster startup/logon.
Refresh both computer and user policy:
gpupdate /force
Refresh user policy only:
gpupdate /target:user /force
Refresh computer policy only:
gpupdate /target:computer /force
Some settings (software installation, folder redirection) only take effect at startup or logon — gpupdate alone is insufficient for these.
Console summary of applied GPOs:
gpresult /r
Scope to user or computer:
gpresult /r /scope:user
gpresult /r /scope:computer
Generate detailed HTML report:
gpresult /h C:\gpreport.html
gpresult /h C:\gpreport.html /f
Check RSoP for a specific remote user (requires admin):
gpresult /s computername /user domain\username /r
Loopback processing applies User Configuration settings from GPOs linked to the computer's OU, not the user's OU. Used for kiosk machines, terminal servers, and shared workstations.
Enable via:
Computer Configuration → Policies → Administrative Templates → System → Group Policy → Configure user Group Policy loopback processing mode
WMI filters target a GPO to machines matching specific inventory conditions. Evaluated before the GPO is applied — if the filter returns false, the GPO is skipped for that machine.
Apply in GPMC: right-click GPO → Properties → WMI Filtering → select filter.
Examples:
# Target Windows 10 (the 10.0 version prefix also matches Windows 11 and Server 2016+)
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%"
# Target laptops (chassis type 9, 10, or 14)
SELECT * FROM Win32_SystemEnclosure WHERE ChassisTypes = 9 OR ChassisTypes = 10 OR ChassisTypes = 14
# Target 64-bit systems
SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"
dsquery user -name username
gpupdate /force and re-check gpresult /r
Windows Logs → System for Group Policy events (Event IDs 1030, 1058, 1129 indicate processing failures)
nltest /dsgetdc:domainname
repadmin /replsummary