Applying security settings

This section covers different considerations when applying security settings.

When policy is applied

Once you have edited the security settings, the settings are refreshed on the computers linked to your Group Policy object:

When a computer is restarted the settings on that computer will be refreshed.

The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes. 

To force a computer to refresh its security settings as well as all Group Policy settings, see the gpupdate command-line tool.

Precedence of policy when more than one policy is applied to a computer

For security settings which are defined by more than one policy, the following order of precedence, from highest to lowest, is observed:

Organizational unit policy

Domain policy

Site policy

Local computer policy

For example, for a domain-joined workstation the domain policy will override the local security policy wherever the two conflict. Likewise, if the same workstation is a member of an organizational unit, the settings applied from the organizational unit policy will override both the domain and local settings. If the workstation is a member of more than one organizational unit (nested units), the organizational unit that immediately contains the workstation has the highest order of precedence.

Use the Resultant Set of Policy tool to find out which policies are applied to a computer and in what order. For more information, see Resultant Set of Policy.

Persistence in security settings

Security settings may still persist even if the setting is no longer defined in the policy that originally applied it.

Persistence in security settings occurs when:

The setting has not been previously defined on the local computer at the time policy was applied.

The setting is for a registry object in the subtree of the Registry node.

The setting is for a file system object.

Whenever Group Policy is applied, the computer stores the local security settings in a database. If a Group Policy object defines a security setting and later stops defining that setting, the setting reverts to the original local value stored in the database. If no value exists in the database, the setting has nothing to revert to and remains defined as it was last applied. This behavior is sometimes referred to as tattooing.

Registry and file settings will remain at the security setting that is applied through policy until that setting is set to another value.
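The following PowerShell script is an added example, not part of the original page: it exports the effective local security policy with secedit and compares selected values against a baseline, so that after a setting is removed from a Group Policy object you can confirm whether the local value actually reverted or was tattooed. It assumes secedit.exe is available and the script runs elevated; the baseline values are constructed for illustration.

```powershell
# Export the effective local security policy (INI-style file) and parse it
# into a hashtable keyed "Section\Name". Requires an elevated session.
function Get-LocalSecurityPolicy {
    param([string]$Area = 'SECURITYPOLICY')
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas $Area /quiet | Out-Null
    $section = ''
    $result = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $result["$section\$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $result
}

# Compare the effective values with the values expected once the GPO no
# longer defines them; a mismatch is a candidate tattooed setting.
function Compare-SecurityBaseline {
    param([hashtable]$Effective, [hashtable]$Baseline)
    foreach ($key in $Baseline.Keys) {
        $actual = $Effective[$key]
        [pscustomobject]@{
            Setting  = $key
            Expected = $Baseline[$key]
            Actual   = $actual
            Status   = if ($null -eq $actual) { 'NotExported' }
                       elseif ($actual -ne $Baseline[$key]) { 'PossiblyTattooed' }
                       else { 'Reverted' }
        }
    }
}

# Constructed baseline: the original local values that should be restored
# after the GPO stops defining these settings (hypothetical numbers).
$baseline = @{
    'System Access\MinimumPasswordLength' = '7'
    'System Access\LockoutBadCount'       = '0'
}

Compare-SecurityBaseline -Effective (Get-LocalSecurityPolicy) -Baseline $baseline |
    Format-Table -AutoSize
```

Run it before unlinking the GPO and again after the next refresh (or gpupdate); a setting still showing the policy value afterwards had no stored original value to revert to.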

Filtering security settings based on group membership

You can also decide which computers will or will not have a Group Policy object applied to them by denying them either the Apply Group Policy or the Read permission on that Group Policy object. Both of these permissions are needed to apply Group Policy.
