We are a small company that has a few GPOs at the domain level with some settings applied. We have some GPOs at the OU level with some settings applied. The Domain GPO has a higher link-level (15) and its settings are applied first. The GPO for the OU has a link level of 1, and it applied last.
We most of us believe that since the GPO at the OU level is applied last, if it has a setting that is the same as was set in the domain GPO -i.e., domain password expiration is 90 days and the OU GPO password expiration is 120 days, that the OU GPO setting of 120 days would apply. However, that is not what I am seeing.
Is this normal behavior that the first GPO that applies a setting is what takes effect? What is a GPO at the domain level has a setting and the GPO at the OU level is blank or not set?