1. Local Group Policy Object: Each computer has exactly one GPO that is stored locally. This applies to both computer and user
Group Policy processing.
2. Site: Any GPOs that are linked to the site that the computer belongs to are processed next. Processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab for the site in GPMC. The GPO with the lowest link order
is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy
Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest
precedence.
4. Organizational Units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are
processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the
organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked
to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab
for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a
direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts.
Endpoint Privilege Management for Windows merges settings so that settings with a higher precedence are processed first. Once an
application matches a Workstyle, no further Workstyles are processed for that application, so it is important to keep this in mind when
multiple GPOs are applied.
Exceptions to default order of processing
The default order for processing settings is subject to the following exceptions:
• A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.
• A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings
nor computer settings are disabled on a GPO.
• An organizational unit or a domain may have a Block Inheritance set. By default, Block Inheritance is not set.
For information about the above modifications to default behavior, see Managing inheritance of Group Policy at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757050(v=ws.10).
A computer that is a member of a Workgroup processes only the local GPO.
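The processing order and the exceptions described above can be modelled in a few lines. The following is an added example, not code from BeyondTrust or Microsoft; it generalizes the default order to cover enforced links, disabled links and Block Inheritance. The class and function names, the sample GPO names, and the Enforced and Block Inheritance semantics (taken from standard Group Policy behavior, not from this page) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int               # GPMC link order; lowest number = highest precedence
    enforced: bool = False
    disabled: bool = False   # link-level disable only; GPO-level disables not modelled

@dataclass
class Container:             # a site, domain or organizational unit
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(chain, local_gpo="Local GPO"):
    """chain: site, domain, then OUs from the top of the hierarchy down to the OU
    holding the computer or user. Returns GPO names in the order they are
    processed; the last entry has the highest precedence."""
    # Assumption: Block Inheritance drops non-enforced links from containers above it.
    first_kept = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        # Within one container the lowest link order is processed last.
        for link in sorted(c.links, key=lambda l: l.order, reverse=True):
            if link.disabled:
                continue
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= first_kept:
                normal.append(link.gpo)
    # Assumption: enforced links apply after all others, deepest container first,
    # so an enforced link higher in the hierarchy wins. The sort is stable.
    enforced.sort(key=lambda e: -e[0])
    return [local_gpo] + normal + [g for _, g in enforced]

def workstyle_evaluation_order(chain):
    """Highest-precedence GPO first, the order that matters for first-match Workstyles."""
    return list(reversed(processing_order(chain)))

def sample_chain(block=False):
    """Constructed sample hierarchy; every name here is made up."""
    return [
        Container("HQ-Site", [Link("Site-Proxy", 1)]),
        Container("corp.example", [Link("Domain-Default", 2),
                                   Link("Domain-EPM-Baseline", 1, enforced=True)]),
        Container("Workstations", [Link("WS-EPM", 1), Link("WS-Legacy", 2, disabled=True)]),
        Container("Developers", [Link("Dev-EPM", 1), Link("Dev-Tools", 2)], block_inheritance=block),
    ]

if __name__ == "__main__":
    print(workstyle_evaluation_order(sample_chain(block=True)))
```

With Block Inheritance set on the constructed Developers OU, only the local GPO, the two Developers links and the enforced domain link remain, and the enforced domain GPO is the first place a Workstyle match would be looked for.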
Endpoint Privilege Management settings storage and backup
Endpoint Privilege Management for Windows stores its settings within Active Directory’s SYSVOL folder, within the storage area for the
relevant GPOs, which are identified by their GUIDs. The settings are stored in an XML file and Active Directory is then used as the
distribution mechanism.
Endpoint Privilege Management for Windows settings can be backed up by one of the following methods:
1. A standard System State backup, which organizations should be performing as part of their standard backup routines.
2. Manually backing up a GPO from the GPMC, which backs up the GPO settings and the Endpoint Privilege Management for Windows
XML files.
3. Manually exporting and saving to a location of your choice.
©2003-2024 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or
depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC: 8/27/2024
PRIVILEGE MANAGEMENT FOR WINDOWS
24.4 ADMINISTRATION GUIDE