Hello All. We licensed advanced and are still struggling with the active directory group policies mapping to the meraki group policy. Basically we left the network default contact filter policy to allow access to all sites and then use group policies to apply content rules starting at the top the less restrictive to the most restricted at the bottom of the group policy list. I am correct in assuming that the mx will process from the top down the group policies until it gets a hit on a user and then stops right there? Or does it continue to see if that user is in subsequent groups? I assume the former. So basically we have people at the top of the list as unrestricted and then under that have the same categories defined at the very bottom of the list (most restrictive) with url white lists. However users are still able to go anywhere they want. The event logs do show the users being mapped into specific groups but the policies are not working. 

Am I understanding this order of operations correctly? 

Thanks very much