
Windows Server 2003 Group Policy Processing

Any Group Policy Object (GPO) can be linked to multiple sites, domains, or OUs (multiple containers), and a given container can have multiple GPOs linked to it. When multiple GPOs link to the same container, the GPOs are, in effect, merged, although you can set the order of precedence to define how the GPOs are applied, creating a policy hierarchy. If policies conflict, the hierarchy resolves the conflict, with the policy higher in the hierarchy taking precedence.

GPOs linked to a site apply to all users and computers in the site. GPOs linked to a domain apply to all users and computers in the domain. They also apply by inheritance to all users and computers contained in child OUs of the domain. Inheritance does not, however, flow across to other domains even where trust relationships exist. As with a domain, GPOs linked to an OU apply to all users and computers in the OU and by inheritance to all child OUs of that OU.

Windows Server 2003 applies group policy in a specific order to support the group policy hierarchy. Policies are cumulative, and the last instance of a particular policy applied overwrites any previous instances of that policy. Windows Server 2003 applies GPOs in the following order:

  1. Local group policy
  2. GPOs linked to sites
  3. GPOs linked to domains
  4. GPOs linked to OUs, with parent OUs processed first followed by child OUs

If you consider the order in which Windows Server 2003 applies group policies, you’ll begin to understand the group policy hierarchy. The local group policy resides at the bottom of the hierarchy and has the least significance, since policies assigned after it through the upper levels of the hierarchy take precedence. At the next level is the site, then the domain, then the OU.
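The processing order above can be worked through as a small model. This is an added example, not code from the original article or from Windows: the GPO names, containers, and settings are constructed, and it assumes each container's GPO list is given in application order and that distinguished names contain no escaped commas.

```python
# Added example: models local -> site -> domain -> OU processing, last writer wins.
# All GPO names, containers and setting names below are constructed for illustration.

def container_chain(dn, site):
    """Return the containers for an object in processing order: site, domain, OUs parent-first."""
    parts = dn.split(",")[1:]  # drop the object's own CN (assumes no escaped commas)
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    ous = [p for p in parts if p.upper().startswith("OU=")]
    chain = ["site:" + site, domain]
    # A DN lists the closest OU first, so walk it in reverse to reach parent OUs first.
    for i in range(len(ous) - 1, -1, -1):
        chain.append(",".join(ous[i:] + [domain]))
    return chain

def resultant_policy(dn, site, local_policy, links):
    """Apply policies in order and return {setting: (value, winning_source)}."""
    result = {k: (v, "Local") for k, v in local_policy.items()}
    for container in container_chain(dn, site):
        # Assumption of this model: links[container] is in application order,
        # so the last GPO listed has the highest precedence for that container.
        for gpo_name, settings in links.get(container, []):
            for k, v in settings.items():
                result[k] = (v, gpo_name)  # later instance overwrites earlier one
    return result

LOCAL = {"ScreenSaverTimeout": 0, "AllowRemovableStorage": True}
LINKS = {
    "site:HQ": [("HQ-Proxy", {"ProxyServer": "proxy.hq.example:8080"})],
    "DC=corp,DC=example": [
        ("Domain-Baseline", {"ScreenSaverTimeout": 900, "AllowRemovableStorage": True})],
    "OU=Sales,DC=corp,DC=example": [
        ("Sales-Desktop", {"ScreenSaverTimeout": 600}),
        ("Sales-Lockdown", {"ScreenSaverTimeout": 300})],
    "OU=Laptops,OU=Sales,DC=corp,DC=example": [
        ("Laptop-Hardening", {"AllowRemovableStorage": False})],
    # Linked to a different domain: never reached, since inheritance does not cross domains.
    "DC=partner,DC=example": [("Partner-Policy", {"PartnerOnly": 1})],
}

def demo():
    return resultant_policy("CN=PC1,OU=Laptops,OU=Sales,DC=corp,DC=example", "HQ", LOCAL, LINKS)

if __name__ == "__main__":
    for setting, (value, source) in sorted(demo().items()):
        print(f"{setting} = {value}  (from {source})")
```

Recording the winning source next to each value shows which link actually decides a setting, which is the question to answer when a baseline linked at the domain appears not to take effect in a child OU.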
