Solved

Windows Server 2003 Group Policy Inheritance

Posted on 2004-10-19
4
515 Views
Last Modified: 2010-04-11
Am playing with GPO's and wanted to know what the precedence is for GPO's?

These are Domain GPO's that I am working with.

Please correct me if I am wrong:

The order in whic GP's are applied:

1. Local
2. Site
3. Domain
4. Parent OU
5. Child OU

Now, if i understand this correctly, the last policy applied takes precedence over the policies previously applied, unless inheritance is blocked. So, if the Domain Policy sets a SERVICE one way and the PARENT OU Policy sets the same SERVICE another way, the PARENT OU Policy takes precedence and is applied and the settings from the Domain Policy is disregarded. Yes?

Thank you


0
Comment
Question by:keatscon
  • 3
4 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12352458

Precedence is as follows:

1. Child OU
2. Parent OU
3. Site - although Site is just another OU
4. Domain
5. Local

For more of an explanation..

Everything set on a Domain will overwrite the policy set on the computer, otherwise users would be able to override your domain policies.

Policies applied to Child OUs will overwrite settings defined on a Policy in the Parent OU where they conflict. There are two other settings that change the way this works though:

Link Enabled - Link Enabled makes a policies settings flow down through Child OUs. These settings can still be overwritten. Disabling this means the policy only appies to the current OU.

Enforced - Used to be No Override. This stops Policies appied to Child OUs from overriding the settings.

As an example, and to provide a less abstract view, here's a few really really simple policies...

Policy 1 - Password Length 8 Characters
Policy 2 - Password Length 10 Characters
Policy 3 - Maximum Password Age 30 Days
Policy 4 - Maximum Password Age 10 Days

Domain Root ------- Policy 1 Applied & Policy 3 Applied
 |
 |
 |----- Accounts Department ------- Policy 2 Applied
 |            |
 |            |
 |            |____ Accounts Directors ------- Policy 4 Applied
 |
 |----- Marketing Department

A bit of Active Directory...

Users in the Marketing Department get Policies 1 and 3, those are inheriteted from the Root.

Users in the Accounts Department get Policy 3 (from the Root), but Policy 2 overwrites the settings in Policy 1, so they get that one instead.

Users in Accounts Directors are really unlucky, they get Policy 2, from the Parent OU, and Policy 4 from the current OU.

Any item in a Policy set to Not Configured is of course ignored, only items set to Enabled and Disabled are included.

Does that make sense?
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 50 total points
ID: 12352483

Oh and your precedence order is correct by your description, I just like writing things the other way around. So in mine 1 is the highest precedence ;)
0
 

Author Comment

by:keatscon
ID: 12352565
Excellent.

Thank you Chris.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12352570
Pleasure :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now