Group Policy Processing

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-processing

Group Policy Objects (GPO) are processed in the following order:

1. The local GPO is applied.

2. GPOs linked to sites are applied.

3. GPOs linked to domains are applied.

4. GPOs linked to organizational units are applied. For nested organizational units (OUs), GPOs linked to parent organizational units are applied before GPOs linked to child organizational units are applied.

How Group Policy works

Enforced GPOs

Block Inheritance

Group Policy Filtering

Loopback processing mode

Group Policy refresh

1. The primary mechanisms for refreshing Group Policy are at startup and logon. 

2. Group Policy is also refreshed at other intervals regularly.

3. By default, clients and servers check for changes to GPOs every 90 minutes using a randomized offset of up to 30 minutes.

4. Domain controllers check for computer policy changes every five minutes.

5. Components of a GPO are stored in both Active Directory and on the SYSVOL folder of domain controllers.

   1. Active Directory’s built-in replication system controls the replication of Active Directory

   2. Distributed File System Replication (DFSR) controls the replication of the SYSVOL folder. Within sites, replication occurs every 15 minutes.

Trigger Group Policy update

From cmd

gpupdate /force

From Powershell

Invoke-GPUpdate

Optimize GPO processing