Solved

Windows Server 2003 Group Policy Inheritance

Posted on 2004-10-19
Last Modified: 2010-04-11
Am playing with GPOs and wanted to know what the precedence is for GPOs?

These are Domain GPOs that I am working with.

Please correct me if I am wrong:

The order in which GPs are applied:

1. Local
2. Site
3. Domain
4. Parent OU
5. Child OU

Now, if I understand this correctly, the last policy applied takes precedence over the policies previously applied, unless inheritance is blocked. So, if the Domain Policy sets a SERVICE one way and the PARENT OU Policy sets the same SERVICE another way, the PARENT OU Policy takes precedence and is applied and the settings from the Domain Policy are disregarded. Yes?

Thank you


Question by:keatscon
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352458

Precedence is as follows:

1. Child OU
2. Parent OU
3. Site - although Site is just another OU
4. Domain
5. Local

For more of an explanation..

Everything set on a Domain will overwrite the policy set on the computer, otherwise users would be able to override your domain policies.

Policies applied to Child OUs will overwrite settings defined on a Policy in the Parent OU where they conflict. There are two other settings that change the way this works though:

Link Enabled - Link Enabled makes a policy's settings flow down through Child OUs. These settings can still be overwritten. Disabling this means the policy only applies to the current OU.

Enforced - Used to be No Override. This stops Policies applied to Child OUs from overriding the settings.

As an example, and to provide a less abstract view, here's a few really really simple policies...

Policy 1 - Password Length 8 Characters
Policy 2 - Password Length 10 Characters
Policy 3 - Maximum Password Age 30 Days
Policy 4 - Maximum Password Age 10 Days

Domain Root ------- Policy 1 Applied & Policy 3 Applied
 |
 |
 |----- Accounts Department ------- Policy 2 Applied
 |            |
 |            |
 |            |____ Accounts Directors ------- Policy 4 Applied
 |
 |----- Marketing Department

A bit of Active Directory...

Users in the Marketing Department get Policies 1 and 3, those are inherited from the Root.

Users in the Accounts Department get Policy 3 (from the Root), but Policy 2 overwrites the settings in Policy 1, so they get that one instead.

Users in Accounts Directors are really unlucky, they get Policy 2, from the Parent OU, and Policy 4 from the current OU.

Any item in a Policy set to Not Configured is of course ignored, only items set to Enabled and Disabled are included.

Does that make sense?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 50 total points
ID: 12352483

Oh and your precedence order is correct by your description, I just like writing things the other way around. So in mine 1 is the highest precedence ;)
0
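The OU tree and Policies 1 to 4 from the answer above, run through a small resolver. This is an added example, not part of the original thread and not a Microsoft API. It models only the domain and OU levels, and the class names, function names and setting keys are made up for illustration. It also shows what the Enforced flag and Block Inheritance (mentioned in the question) do to the result.

```python
# Added illustration: a simplified model of GPO resolution, not a Microsoft API.
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict           # configured items only; "Not Configured" items are absent
    enforced: bool = False   # "Enforced" (formerly "No Override")

@dataclass
class Container:             # the domain root or an OU
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_settings(chain):
    """chain runs from the domain root down to the OU holding the user or computer."""
    # Block Inheritance discards non-enforced GPOs linked above the blocking container.
    first_kept = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for level, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.enforced:
                enforced.append(gpo)
            elif level >= first_kept:
                normal.append(gpo)
    result = {}
    # Last writer wins: normal GPOs are written top-down, then enforced GPOs
    # bottom-up so that the enforced GPO linked highest is written last.
    for gpo in normal + enforced[::-1]:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

def build_tree(enforce_policy_3=False, block_directors=False):
    """The OU tree and Policies 1-4 from the answer above (setting keys are made up)."""
    p1 = Gpo("Policy 1", {"min_password_length": 8})
    p2 = Gpo("Policy 2", {"min_password_length": 10})
    p3 = Gpo("Policy 3", {"max_password_age_days": 30}, enforced=enforce_policy_3)
    p4 = Gpo("Policy 4", {"max_password_age_days": 10})
    root = Container("Domain Root", [p1, p3])
    accounts = Container("Accounts Department", [p2])
    directors = Container("Accounts Directors", [p4], block_inheritance=block_directors)
    marketing = Container("Marketing Department")
    return {"marketing": [root, marketing], "accounts": [root, accounts],
            "directors": [root, accounts, directors]}

if __name__ == "__main__":
    for ou, chain in build_tree().items():
        print(ou, effective_settings(chain))
```

In a real domain, password settings for domain accounts are read only from GPOs linked at the domain, so treat the keys here as stand-ins for any conflicting setting. Each result value is a pair of the winning value and the policy it came from.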
 

Author Comment

by:keatscon
ID: 12352565
Excellent.

Thank you Chris.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352570
Pleasure :)
0
