Windows Server 2003 Group Policy Inheritance

Posted on 2004-10-19
Last Modified: 2010-04-11
I am playing with GPOs and wanted to know what the precedence is for GPOs?

These are Domain GPOs that I am working with.

Please correct me if I am wrong:

The order in which GPs are applied:

1. Local
2. Site
3. Domain
4. Parent OU
5. Child OU

Now, if I understand this correctly, the last policy applied takes precedence over the policies previously applied, unless inheritance is blocked. So, if the Domain Policy sets a SERVICE one way and the PARENT OU Policy sets the same SERVICE another way, the PARENT OU Policy takes precedence and is applied and the settings from the Domain Policy are disregarded. Yes?

Thank you

Question by:keatscon
4 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12352458

Precedence is as follows:

1. Child OU
2. Parent OU
3. Site - although Site is just another OU
4. Domain
5. Local

For more of an explanation...

Everything set on a Domain will overwrite the policy set on the computer, otherwise users would be able to override your domain policies.

Policies applied to Child OUs will overwrite settings defined on a Policy in the Parent OU where they conflict. There are two other settings that change the way this works though:

Link Enabled - Link Enabled makes a policy's settings flow down through Child OUs. These settings can still be overwritten. Disabling this means the policy only applies to the current OU.

Enforced - Used to be No Override. This stops Policies applied to Child OUs from overriding the settings.

As an example, and to provide a less abstract view, here are a few really, really simple policies...

Policy 1 - Password Length 8 Characters
Policy 2 - Password Length 10 Characters
Policy 3 - Maximum Password Age 30 Days
Policy 4 - Maximum Password Age 10 Days

Domain Root ------- Policy 1 Applied & Policy 3 Applied
 |
 |
 |----- Accounts Department ------- Policy 2 Applied
 |            |
 |            |
 |            |____ Accounts Directors ------- Policy 4 Applied
 |
 |----- Marketing Department

A bit of Active Directory...

Users in the Marketing Department get Policies 1 and 3; those are inherited from the Root.

Users in the Accounts Department get Policy 3 (from the Root), but Policy 2 overwrites the settings in Policy 1, so they get that one instead.

Users in Accounts Directors are really unlucky: they get Policy 2, from the Parent OU, and Policy 4 from the current OU.

Any item in a Policy set to Not Configured is of course ignored, only items set to Enabled and Disabled are included.

Does that make sense?
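To make the precedence rules in the comment above concrete, here is a small Python model, added here and not taken from the thread or from any Microsoft tool, that resolves the example tree the way the answer walks through it: links are applied root-first so the closest one wins, Enforced links are applied last with the highest container winning, and Block Inheritance (mentioned in the question) drops non-enforced links from above. `Container`, `GPOS`, `thread_example` and `effective_settings` are hypothetical names; Local and Site are left out of the chain, and the Enforced/Block Inheritance handling goes slightly beyond the example the answer draws.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The four policies from the answer. Not Configured is modelled as None and is skipped.
# (In a real domain, account policies like these govern domain accounts only when linked
# at the domain level; the OU links below simply follow the thread's illustration.)
GPOS = {
    "Policy 1": {"MinimumPasswordLength": 8},
    "Policy 2": {"MinimumPasswordLength": 10},
    "Policy 3": {"MaximumPasswordAge": 30},
    "Policy 4": {"MaximumPasswordAge": 10},
}

@dataclass
class Container:
    """A domain or OU. `links` holds (gpo, enforced) pairs in application order."""
    parent: Optional[str] = None
    links: List[Tuple[str, bool]] = field(default_factory=list)
    block_inheritance: bool = False

def thread_example() -> Dict[str, Container]:
    """The tree drawn in the answer, built fresh on each call so callers can vary it."""
    return {
        "Domain Root": Container(links=[("Policy 1", False), ("Policy 3", False)]),
        "Accounts Department": Container("Domain Root", [("Policy 2", False)]),
        "Accounts Directors": Container("Accounts Department", [("Policy 4", False)]),
        "Marketing Department": Container("Domain Root"),
    }

def effective_settings(containers, gpos, target):
    """Return (settings, application order) for objects sitting in `target`."""
    chain, node = [], target               # chain[0] = target ... chain[-1] = domain root
    while node is not None:
        chain.append(containers[node])
        node = containers[node].parent
    # Block Inheritance on a container discards non-enforced links from every container above it.
    cutoff = next((i for i, c in enumerate(chain) if c.block_inheritance), len(chain))
    # Non-enforced links apply root-first, so the link closest to the target is written last and wins.
    normal = [g for c in reversed(chain[:cutoff + 1]) for g, e in c.links if not e]
    # Enforced links apply after everything else, target-first, so the highest container wins.
    enforced = [g for c in chain for g, e in c.links if e]
    order = normal + enforced
    settings = {}
    for gpo in order:
        settings.update({k: v for k, v in gpos[gpo].items() if v is not None})
    return settings, order

if __name__ == "__main__":
    for ou in ("Marketing Department", "Accounts Department", "Accounts Directors"):
        print(ou, effective_settings(thread_example(), GPOS, ou))
```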
LVL 70

Accepted Solution

by:Chris Dent (earned 50 total points)
ID: 12352483

Oh and your precedence order is correct by your description, I just like writing things the other way around. So in mine 1 is the highest precedence ;)

Author Comment

by:keatscon
ID: 12352565
Excellent.

Thank you Chris.
LVL 70

Expert Comment

by:Chris Dent
ID: 12352570
Pleasure :)