Anyone who opens the Group Policy Editor quickly realizes that there is alot of different settings that can be applied to a given computer or user. I addition to the all of the different GPOs that can be created, linked in, and the processing order among different GPOs, there is also a processing order within GPOs. The different portions of the Group Policy Object (Administrative Templates, Security Settings, Group Policy Preferences, etc) are all different Client Side Extensions or CSEs.
Q: Ok, so in what order do these different CSEs run?
A: The “Registry Settings” CSE (Administrative Templates) runs first, and then all of the others run alphanumerically based on their GUID.
What this means is that as you follow all of the standard Group Policy Processing rules, 100% of the Administrative Templates on ALL applicable GPOs run before any security settings, QoS, application deployment, or GPPs run. That’s cool, but why should you care? The settings you set at your OU level still override any defaults set at the root of the tree right? Well, mostly…
It is possible to set a single registry key at least 3 different ways:
- Administrative Templates – Runs first. Standard .adm/.admx templates.
- Security Registry Values – Runs second. Import a security template .inf into Windows Settings\Security Settings.
- Group Policy Preferences Registry – Runs last. Part of Group Policy Preferences.
What this means is that in certain cases (like the Default Security Policies) where a registry setting is set at the root of the tree (the “EC” policies use the Security CSE), you can only override it at your OU using the same CSE or one that processes later (GPP in this case), but that Administrative Templates might not work.