Applying security settings
This section covers different considerations when applying security settings.
When policy is applied
Once you have edited the security settings, the settings are refreshed on the computers linked to your Group Policy object:
To force a computer to refresh its security settings as well as all Group Policy settings, see the gpupdate command-line tool.
Precedence of policy when more than one policy is applied to a computer
For security settings which are defined by more than one policy, the following order of precedence, from highest to lowest, is observed:
For example, wherever there is a conflict, the domain policy overrides the local security policy for a workstation that is joined to a domain. Likewise, if the same workstation is a member of an organizational unit, the settings applied from the organizational unit policy override both the domain and local settings. If the workstation is a member of more than one organizational unit, the organizational unit that immediately contains the workstation has the highest order of precedence.
Use the Resultant Set of Policies tool to find out which policies are applied to a computer and in what order. For more information, see Resultant set of policy.
Persistence in security settings
Security settings may still persist even if the setting is no longer defined in the policy that originally applied it.
Persistence in security settings occurs when:
Whenever Group Policy is applied, the computer stores the local security settings in a database. If a Group Policy object defines a security setting and later no longer defines it, the setting reverts to the original local value stored in the database. If no value exists in the database, the setting has nothing to revert to and remains defined as is. This behavior is sometimes referred to as tattooing.
Registry and file settings will remain at the security setting that is applied through policy until that setting is set to another value.
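One way to spot persisted settings on a computer, as an added example that is not part of the original page: compare a security-settings export taken before policy was applied with one taken after the Group Policy object stopped defining a setting, and report values that no policy defines any more but that still differ from the baseline. It assumes both files were produced with secedit /export /cfg; the sample exports and the POLICY_DEFINED set are constructed for illustration.

```python
"""Flag security settings that persist after policy stops defining them."""

# Constructed sample: export taken before any Group Policy object applied.
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: export taken after the GPO was changed and policy refreshed.
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
"""

# Assumption: keys that policy still defines, copied by hand from RSoP output.
POLICY_DEFINED = {("System Access", "LockoutBadCount")}

def parse_secedit_inf(text):
    """Return {(section, key): value} for the text of a secedit export."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif ("=" in line and not line.startswith(";")
              and section not in (None, "Unicode", "Version")):
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def persisted_settings(baseline, current, policy_defined):
    """Settings no policy defines now whose value still differs from the baseline."""
    return {key: (baseline.get(key), value) for key, value in current.items()
            if key not in policy_defined and baseline.get(key) != value}

if __name__ == "__main__":
    found = persisted_settings(parse_secedit_inf(BASELINE_INF),
                               parse_secedit_inf(CURRENT_INF), POLICY_DEFINED)
    for (section, key), (old, new) in found.items():
        print(f"[{section}] {key}: baseline={old!r} current={new!r}")
```

A baseline value of None in the output means the setting had no earlier local value to revert to, which is the case the text above says remains defined as is.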
Filtering security settings based on group membership
You can also decide which computers will or will not have a Group Policy object applied to them by denying them either the Apply Group Policy or Read permission on that Group Policy object. Both of these permissions are needed to apply Group Policy.