[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Windows Server 2003 Group Policy Inheritance

Posted on 2004-10-19
4
Medium Priority
?
524 Views
Last Modified: 2010-04-11
Am playing with GPO's and wanted to know what the precedence is for GPO's?

These are Domain GPO's that I am working with.

Please correct me if I am wrong:

The order in whic GP's are applied:

1. Local
2. Site
3. Domain
4. Parent OU
5. Child OU

Now, if i understand this correctly, the last policy applied takes precedence over the policies previously applied, unless inheritance is blocked. So, if the Domain Policy sets a SERVICE one way and the PARENT OU Policy sets the same SERVICE another way, the PARENT OU Policy takes precedence and is applied and the settings from the Domain Policy is disregarded. Yes?

Thank you


0
Comment
Question by:keatscon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352458

Precedence is as follows:

1. Child OU
2. Parent OU
3. Site - although Site is just another OU
4. Domain
5. Local

For more of an explanation..

Everything set on a Domain will overwrite the policy set on the computer, otherwise users would be able to override your domain policies.

Policies applied to Child OUs will overwrite settings defined on a Policy in the Parent OU where they conflict. There are two other settings that change the way this works though:

Link Enabled - Link Enabled makes a policies settings flow down through Child OUs. These settings can still be overwritten. Disabling this means the policy only appies to the current OU.

Enforced - Used to be No Override. This stops Policies appied to Child OUs from overriding the settings.

As an example, and to provide a less abstract view, here's a few really really simple policies...

Policy 1 - Password Length 8 Characters
Policy 2 - Password Length 10 Characters
Policy 3 - Maximum Password Age 30 Days
Policy 4 - Maximum Password Age 10 Days

Domain Root ------- Policy 1 Applied & Policy 3 Applied
 |
 |
 |----- Accounts Department ------- Policy 2 Applied
 |            |
 |            |
 |            |____ Accounts Directors ------- Policy 4 Applied
 |
 |----- Marketing Department

A bit of Active Directory...

Users in the Marketing Department get Policies 1 and 3, those are inheriteted from the Root.

Users in the Accounts Department get Policy 3 (from the Root), but Policy 2 overwrites the settings in Policy 1, so they get that one instead.

Users in Accounts Directors are really unlucky, they get Policy 2, from the Parent OU, and Policy 4 from the current OU.

Any item in a Policy set to Not Configured is of course ignored, only items set to Enabled and Disabled are included.

Does that make sense?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 200 total points
ID: 12352483

Oh and your precedence order is correct by your description, I just like writing things the other way around. So in mine 1 is the highest precedence ;)
0
 

Author Comment

by:keatscon
ID: 12352565
Excellent.

Thank you Chris.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352570
Pleasure :)
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
What we learned in Webroot's webinar on multi-vector protection.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question