When there are multiple GPOs linked at the same OU, the number next to each GPO is 
its precedence. The lowest-numbered link has the highest precedence.

“If you have more than one GPO linked to an OU then the processing order of 
these GPOs is determined by what is known as the link order. The GPO with the 
lowest link order will be processed last – in other words the GPO with a link 
order of 1 has the highest precedence, followed by link order 2, etc.”

https://emeneye.wordpress.com/2016/02/16/group-policy-order-of-precedence-faq/
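
The link-order check and fix described above, as an added example that is not part of this thread; it assumes the GroupPolicy RSAT module, a placeholder OU distinguished name, and placeholder GPO names for the two policies discussed:

```powershell
# Added example (not from the thread). Assumes the GroupPolicy module (RSAT) is
# installed and that the OU DN and GPO display names below are placeholders.
Import-Module GroupPolicy

$ouDn     = 'OU=Servers,DC=example,DC=com'   # placeholder: the Servers OU
$pilotGpo = 'WSUS - Reboot Sun 9AM'          # placeholder: new GPO filtered to the 9AM group
$baseGpo  = 'WSUS - Notify Only'             # placeholder: existing notify-only GPO

# 1. List the links on the OU. Order 1 = highest precedence = processed last,
#    so its settings win any conflict with lower-precedence links on the same OU.
Get-GPInheritance -Target $ouDn |
    Select-Object -ExpandProperty GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Show the security filtering of the pilot GPO: only trustees holding the
#    "Apply Group Policy" permission (GpoApply) receive its settings.
Get-GPPermission -Name $pilotGpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# 3. Put the filtered reboot GPO at link order 1 and the notify-only GPO below it.
#    Members of the 9AM group get the reboot schedule; everything else in the OU
#    keeps the notify-only settings, because the filtered GPO never applies to them.
Set-GPLink -Name $pilotGpo -Target $ouDn -Order 1
Set-GPLink -Name $baseGpo  -Target $ouDn -Order 2

# 4. Re-read the links to confirm the order took effect.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName -AutoSize

# 5. On one pilot server, after 'gpupdate /force', run:
#      gpresult /scope computer /r
#    The reboot GPO must appear under "Applied Group Policy Objects" (listed in
#    precedence order), not under "denied" with reason "Security", which would
#    mean the computer account is not in the filtered group or lacks Read/Apply.
```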

From: [email protected] [mailto:[email protected]] On 
Behalf Of Michael Leone
Sent: Monday, June 19, 2017 11:05 AM
To: [email protected]
Subject: Re: [NTSysADM] Q about GPO Security Filtering precedence

I'm confused. From searching, I thought that the *last* listed GPO takes 
precedence.

So wouldn't I want my non-rebooting (notify only) GPO *first*, applying to all 
"WSUS Members", and my rebooting schedule #1 GPO (applying to "WSUS Members" 
and the new AD group) after it?

If I had the order the other way (9AM first, then the non-rebooting), wouldn't 
the non-rebooting GPO override the settings from the GPO above it?


On Mon, Jun 19, 2017 at 10:08 AM, Charles F Sullivan 
<[email protected]> wrote:
I believe you just need to put the 9 AM GPO at the top. Once you get down to 
the OU level, the settings from the GPO listed at the top will prevail.

Once you add that third GPO, just make sure the non-security-enabled GPO is at 
the bottom. Any settings from the non-security-enabled one will apply to all 
the servers in the OU, but not any settings that conflict with the GPOs listed 
above it (which of course will only apply to the machines in the applicable 
groups).

From: [email protected] [mailto:[email protected]] 
On Behalf Of Michael Leone
Sent: Monday, June 19, 2017 9:43 AM
To: [email protected]
Subject: [NTSysADM] Q about GPO Security Filtering precedence

So I finally got the OK to have some of our servers have their patches 
automatically installed via GPO. Right now, all applicable servers are in 1 OU. 
All are members of a specific AD group ("WSUS Members"). There is a GPO on that 
OU that has these WSUS settings:

Computer Configuration/Policies/Administrative Templates/Windows 
Components/Windows Update
- Configure Automatic Updates. Value: 2 (Notify for download and notify for 
install)

And my WSUS server is set as the intranet MS update service location.

So now I want 10 servers (as a pilot group) to reboot Sun at 9AM (I will have a 
WSUS group that has these 10, and the specific patches to install).

So what I want to do is make a new GPO, filtered on a new AD group (with these 
10 servers as members), and the new GPO will have these settings:

Computer Configuration/Policies/Administrative Templates/Windows 
Components/Windows Update
- Always reboot at scheduled time; ENABLED
- Automatic Updates detection frequency: ENABLED (2 hours)
- Configure automatic updates. Value: 4 (auto download and schedule the install)
- Install during automatic maintenance: DISABLED
- Scheduled install day and time: Sunday, 9AM
- Turn on recommended updates via Automatic Updates: ENABLED

I've been trying some test VMs with a GPO with the above settings, and they 
seem to be what I want.

Here's the question (finally!):

On the Servers OU, make a new (second) GPO with the above settings, and set 
security filtering to the new AD group. So those 10 servers will get the 
current GPO settings (just notify), AND get the new GPO settings (install and 
reboot on Sundays).

So which GPO takes precedence? Or are the settings cumulative (I think so)?

Do I just need to make the new GPO, filtered to the new group? Or do I need to 
filter on membership in *both* groups ("WSUS Members" and "WSUS 9AM group")?

(eventually there will be 3 groups - 9AM, 9:30AM and 10AM - so I can stagger 
the reboots)
