Group Policy

Hi, need some clarity on group policy. So far, what I've gathered:

1. Things defined in DOMAIN SECURITY POLICY take precedence over any GPOs defined at the OU level.   You cannot block any settings defined in DOMAIN SECURITY POLICY

2. OU policy will take precedence over anything defined in DEFAULT DOMAIN POLICY

Now my question:
If you leave a setting undefined at the OU level. But have it defined in the DEFAULT DOMAIN POLICY, which will take precedence?

It seems to me that it is easier to just remove the DEFAULT DOMAIN POLICY ,and add policy to specific GPOs instead.  Less troubleshooting.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

1. There are some things you cannot set in the GPO, they can only be set in the domain security policy eg password length, for the whole domain you would have a policy with the same password length

2. The order is Local Policy->Domain->Site->OU
for example if you have two setting which are the same, one in domain policy and one in OU, then the OU with take precendence.
This is true unless you use No Override (Block inheritance) at the domain level, then the domain policy with take effect.

Regarding your question, if you leave it undefined on OU, the the domain policy with take precedence.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
1) you can block the default domain policy as any other policy, execpt the security policies anil_u talked about.
2) anil_u is right here too, but if you switch on "loopback processing" any computer policy will aply it's user settings AFTER any other user policy :)
dissolvedAuthor Commented:
The order of policies is= Local Policy --->  Domain ---->  Site --->   OU            Right?

-What is "site"?  Can someone elaborate?  And I'm assuming  policies undefined at the domain level, But defined at the local level , will have the local level take precedence?

-What is loopback processing and is it widely used?

Thanks fellas
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

> -What is "site"?  
Open AD Sites and Services to see your sites.
A site is a location with computers which are connected to each other by a LAN or fast WAN.

Loopback processing: If you link a policy to a computer, the user section would be overruled by any user policy.
       to reprocess this user section of the computer linked policy, loopback processing is used.
dissolvedAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.