Solved

Windows Server 2003 Group Policy Inheritance

Posted on 2004-10-19
4
518 Views
Last Modified: 2010-04-11
Am playing with GPO's and wanted to know what the precedence is for GPO's?

These are Domain GPO's that I am working with.

Please correct me if I am wrong:

The order in whic GP's are applied:

1. Local
2. Site
3. Domain
4. Parent OU
5. Child OU

Now, if i understand this correctly, the last policy applied takes precedence over the policies previously applied, unless inheritance is blocked. So, if the Domain Policy sets a SERVICE one way and the PARENT OU Policy sets the same SERVICE another way, the PARENT OU Policy takes precedence and is applied and the settings from the Domain Policy is disregarded. Yes?

Thank you


0
Comment
Question by:keatscon
  • 3
4 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352458

Precedence is as follows:

1. Child OU
2. Parent OU
3. Site - although Site is just another OU
4. Domain
5. Local

For more of an explanation..

Everything set on a Domain will overwrite the policy set on the computer, otherwise users would be able to override your domain policies.

Policies applied to Child OUs will overwrite settings defined on a Policy in the Parent OU where they conflict. There are two other settings that change the way this works though:

Link Enabled - Link Enabled makes a policies settings flow down through Child OUs. These settings can still be overwritten. Disabling this means the policy only appies to the current OU.

Enforced - Used to be No Override. This stops Policies appied to Child OUs from overriding the settings.

As an example, and to provide a less abstract view, here's a few really really simple policies...

Policy 1 - Password Length 8 Characters
Policy 2 - Password Length 10 Characters
Policy 3 - Maximum Password Age 30 Days
Policy 4 - Maximum Password Age 10 Days

Domain Root ------- Policy 1 Applied & Policy 3 Applied
 |
 |
 |----- Accounts Department ------- Policy 2 Applied
 |            |
 |            |
 |            |____ Accounts Directors ------- Policy 4 Applied
 |
 |----- Marketing Department

A bit of Active Directory...

Users in the Marketing Department get Policies 1 and 3, those are inheriteted from the Root.

Users in the Accounts Department get Policy 3 (from the Root), but Policy 2 overwrites the settings in Policy 1, so they get that one instead.

Users in Accounts Directors are really unlucky, they get Policy 2, from the Parent OU, and Policy 4 from the current OU.

Any item in a Policy set to Not Configured is of course ignored, only items set to Enabled and Disabled are included.

Does that make sense?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 50 total points
ID: 12352483

Oh and your precedence order is correct by your description, I just like writing things the other way around. So in mine 1 is the highest precedence ;)
0
 

Author Comment

by:keatscon
ID: 12352565
Excellent.

Thank you Chris.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12352570
Pleasure :)
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
OnPage: Incident management and secure messaging on your smartphone
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question