Playing with Processing: Group Policy Guide for Link Manipulation

Order of Processing

LSDOU: Local, Site, Domain, Organizational Unit (OU). That is the order in which Group Policy applies. All local GPOs are applied first, followed by any GPOs linked to a site. Next, GPOs linked at the domain are applied. Finally, GPOs linked to each OU are processed, working from the top-level OU down to the OU that contains the object. Higher levels such as a site or domain are therefore applied first, and when two GPOs configure the same setting, the one applied later (closer to the object) wins. Let’s look at a sample environment.

Our Sample Environment
We have a computer named BR-01 that is in the Brunswick OU. Our domain only has a single site with no GPOs linked to it. This computer would apply its local policy, Default Domain Policy, Domain Computers GPO, and finally the Brunswick GPO.

To simplify processing, we are going to enable “Turn off Local Group Policy Objects processing” in our Default Domain Policy.

Enabling "Turn off Local GPO Processing"
Now, BR-01 will apply the Default Domain Policy, Domain Computers GPO, and finally the Brunswick GPO. We have a second computer named GA-01 in the Glynn Academy OU. Because it inherits settings from the Default Domain Policy, it will not apply Local GPOs either. It will apply the Default Domain Policy, Domain Computers GPO, Brunswick GPO, and the Glynn Academy GPO.

A junior administrator edits our Brunswick GPO and sets “Turn off Local Group Policy Objects processing” to disabled.

Disabling "Turn Off Local GPO Processing" in the Brunswick GPO
The computer in the Glynn Academy OU (GA-01) will now process the Default Domain Policy first. This policy will say “Hey – Turn off Local GPO processing!”. The computer will then process the Domain Computers GPO (which doesn’t have this setting configured). Next, it will process the Brunswick GPO. This policy will say “Hey – Turn on Local GPO processing!”. Because this GPO is closer to GA-01 than the Default Domain Policy, this policy will win (and “Turn off Local GPO processing” will be set to disabled).

Our RSOP for computer GA-01
If we configured the Glynn Academy GPO to contradict the Brunswick GPO, the Glynn Academy GPO would win because it is the closest OU to the computer.

This is all dandy except we still have a problem. We want “Turn off Local GPO processing” enabled for the entire domain (no matter what), and our junior administrator specifically ignored that. After talking to him, he agrees not to configure the “Turn off Local GPO processing” setting.

Blocked Inheritance

One day, you are looking around in the Group Policy Management Console and see this:

Block Inheritance
Someone has set Block Inheritance on the Brunswick OU! Because Block Inheritance is set, any normal (non-enforced) GPO linked above the Brunswick OU will be ignored. Our Default Domain Policy, which configures the “Turn off Local GPO processing” setting, will no longer be processed by computers in the Brunswick OU or below.

Our RSOP of GA-01 with Block Inheritance
If we read the details of that setting, we see that if we “do not configure this policy setting, local GPOs continue to be applied.” By enabling Block Inheritance, our junior administrator was able to indirectly set “Turn off Local GPO processing” to disabled by setting it back to Not Configured.

We have a very clever Junior Administrator!
Enforced

Lucky for us, Microsoft planned for junior administrators that HR won’t fire. They gave us the ability to enforce a GPO!

Enforced GPO
When enforcement is set on the Default Domain Policy, computers in the Domain Computers OU (and below) will apply the GPO even if Block Inheritance is enabled! If our junior administrator configures the Brunswick GPO and enforces it as well, the Default Domain Policy will still apply: when two policies are both enforced, the one linked higher in the hierarchy always wins. This allows top-level administrators to configure global settings without having to worry about those settings being overridden further down.
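To see the three rules from this article working together (closer GPO wins, Block Inheritance drops ordinary GPOs from above, Enforced ignores the block and the highest enforced GPO wins), here is a small model of GA-01's processing order as an added example; it is not part of the original article, the environment data is constructed from the article's description, and the domain name is a placeholder.

```python
from dataclasses import dataclass, field

NOT_CONFIGURED = "Not Configured"
LOCAL_SETTING = "Turn off Local Group Policy Objects processing"

@dataclass
class GPO:
    name: str
    settings: dict = field(default_factory=dict)  # setting -> "Enabled"/"Disabled"; absent = Not Configured
    enforced: bool = False

@dataclass
class Container:
    name: str                                      # domain or OU
    gpos: list = field(default_factory=list)       # GPOs linked here, in link order
    block_inheritance: bool = False

def processing_order(chain):
    """GPOs a computer in the last container of `chain` (domain first, its own OU last)
    applies, in processing order: later entries override earlier ones."""
    order = []
    for i, container in enumerate(chain):
        # Block Inheritance on any container below discards this container's ordinary links
        blocked_below = any(c.block_inheritance for c in chain[i + 1:])
        order += [g for g in container.gpos if not g.enforced and not blocked_below]
    # Enforced links ignore Block Inheritance and are processed after everything else,
    # lowest container first, so the highest enforced GPO is applied last and wins.
    for container in reversed(chain):
        order += [g for g in container.gpos if g.enforced]
    return order

def resultant_setting(chain, setting):
    """RSOP answer for one setting: the last applied GPO that configures it wins."""
    value = NOT_CONFIGURED
    for gpo in processing_order(chain):
        value = gpo.settings.get(setting, value)  # Not Configured leaves the value alone
    return value

def ga01_scenario(brunswick_disables=False, brunswick_blocks=False,
                  brunswick_enforced=False, ddp_enforced=False):
    """The article's environment for GA-01 (constructed sample data, placeholder domain
    name) with the twists the article walks through. Returns (value, processing order)."""
    ddp = GPO("Default Domain Policy", {LOCAL_SETTING: "Enabled"}, enforced=ddp_enforced)
    brunswick = GPO("Brunswick GPO", {LOCAL_SETTING: "Disabled"} if brunswick_disables else {},
                    enforced=brunswick_enforced)
    chain = [Container("example.local", [ddp]),
             Container("Domain Computers", [GPO("Domain Computers GPO")]),
             Container("Brunswick", [brunswick], block_inheritance=brunswick_blocks),
             Container("Glynn Academy", [GPO("Glynn Academy GPO")])]
    return resultant_setting(chain, LOCAL_SETTING), [g.name for g in processing_order(chain)]
```

Calling `ga01_scenario(brunswick_blocks=True)` reproduces the Not Configured result from the Block Inheritance section, and adding `ddp_enforced=True` brings the setting back to Enabled.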

Best Practice

Before heading off to enforce GPOs and block OU inheritance, stick with me for a few more minutes. As a general practice, do not enforce GPOs or block OU inheritance if you can help it. Either action adds complexity to your environment. And as every IT administrator knows, complexity = interrupted vacation time!

When you do need a specific setting enforced, create a separate GPO for that setting alone and name it something like Enforced: Turn Off Local GPO Processing. This lets you see at a glance that the GPO is enforced and know exactly which setting is being enforced.

If all of this enabling and disabling “Turn Off Local GPO processing” was more confusing than Inception, check out 10 Ways to Troubleshoot Group Policy.

This article was first published on my blog, Windows 8 Library. You can check out the original article here.