Group Policy processing and precedence
The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.
Order of processing settings
This section provides details about the order in which Group Policy settings for users and computers are processed. For information about where the processing of policy settings fits into the framework of computer startup and user logon, see steps 3 and 8 in Startup and logon, in this topic.
Group Policy settings are processed in the following order:
- Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
- Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
- Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
- Organizational units—GPOs that are linked to the organisational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organisational unit, and so on. Finally, the GPOs that are linked to the organisational unit that contains the user or computer are processed.
- At the level of each organisational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organisational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
Using Gpresult
Displays the Resultant Set of Policy (RSoP) information for a remote user and computer. For examples of how this command can be used, see Examples.
gpresult [/s <COMPUTER> [/u <USERNAME> [/p [<PASSWORD>]]]] [/user [<TARGETDOMAIN>\]<TARGETUSER>] [/scope {user | computer}] {/r | /v | /z | [/x | /h] <FILENAME> [/f] | /?}Parameters
/s <COMPUTER> Specifies the name or IP address of a remote computer. Do not use backslashes. The default is the local computer.
/u <USERNAME> Uses the credentials of the specified user to run the command. The default user is the user who is logged on to the computer that issues the command.
/p [<PASSWORD>] Specifies the password of the user account that is provided in the /u parameter. If /p is omitted, gpresult prompts for the password. /p cannot be used with /x or /h.
/user [<TARGETDOMAIN>\]<TARGETUSER> Specifies the remote user whose RSoP data is to be displayed.
/scope {user | computer} Displays RSoP data for either the user or the computer. If /scope is omitted, gpresult displays RSoP data for both the user and the computer.
[/x | /h] <FILENAME> Saves the report in either XML (/x) or HTML (/h) format at the location and with the file name that is specified by the FILENAME parameter. Cannot be used with /u, /p, /r, /v, or /z.
/f Forces gpresult to overwrite the file name that is specified in the /x or /h option.
/r Displays RSoP summary data.
/v Displays verbose policy information. This includes detailed settings that were applied with a precedence of 1.
/z Displays all available information about Group Policy. This includes detailed settings that were applied with a precedence of 1 and higher.
/? Displays Help at the command prompt.
Examples
The following example displays RSoP data for the computer srvmain and the logged-on user. Data is included about both the user and the computer. The command is run with the credentials of the user maindom\hiropln, and p@ssW23 is entered as the password for that user.
gpresult /s servername/u domainname\username /p password/r
These two links comr from http://microsoft.com
No comments:
Post a Comment