
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 283

Group Policy

Hi, need some clarity on group policy. So far, what I've gathered:

1. Things defined in DOMAIN SECURITY POLICY take precedence over any GPOs defined at the OU level. You cannot block any settings defined in DOMAIN SECURITY POLICY.

2. OU policy will take precedence over anything defined in DEFAULT DOMAIN POLICY

Now my question:
If you leave a setting undefined at the OU level, but have it defined in the DEFAULT DOMAIN POLICY, which will take precedence?

It seems to me that it is easier to just remove the DEFAULT DOMAIN POLICY, and add policy to specific GPOs instead. Less troubleshooting.

3 Solutions
1. There are some things you cannot set in the GPO; they can only be set in the domain security policy, e.g. password length. For the whole domain you would have a policy with the same password length.

2. The order is Local Policy->Domain->Site->OU
For example, if you have two settings which are the same, one in domain policy and one in OU, then the OU will take precedence.
This is true unless you use No Override (Block inheritance) at the domain level, then the domain policy will take effect.

Regarding your question, if you leave it undefined on OU, then the domain policy will take precedence.
1) You can block the default domain policy as any other policy, except the security policies anil_u talked about.
2) anil_u is right here too, but if you switch on "loopback processing" any computer policy will apply its user settings AFTER any other user policy :)
dissolvedAuthor Commented:
The order of policies is: Local Policy ---> Domain ---> Site ---> OU. Right?

-What is "site"? Can someone elaborate? And I'm assuming policies undefined at the domain level, but defined at the local level, will have the local level take precedence?

-What is loopback processing and is it widely used?

Thanks fellas
> -What is "site"?
Open AD Sites and Services to see your sites.
A site is a location with computers which are connected to each other by a LAN or fast WAN.

Loopback processing: If you link a policy to a computer, the user section would be overruled by any user policy. To reprocess this user section of the computer linked policy, loopback processing is used.
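
Which GPO wins for a given OU can be checked on a live domain rather than worked out by hand. The script below is an added example, not part of the thread: it assumes the GroupPolicy PowerShell module (RSAT/GPMC) on a domain-joined machine, and the OU distinguished name and report path are placeholders.

```powershell
# Added example: inspect effective GPO precedence for one OU.
# Assumes the GroupPolicy module (RSAT/GPMC) on a domain-joined machine.
Import-Module GroupPolicy

# Placeholder OU distinguished name; replace with a real one.
$ou = 'OU=Workstations,DC=example,DC=com'

$som = Get-GPInheritance -Target $ou

# True means GPOs linked above this OU are blocked here,
# except links marked Enforced.
"Inheritance blocked on ${ou}: $($som.GpoInheritanceBlocked)"

# InheritedGpoLinks is the merged list after blocking and enforcement,
# assumed to be listed highest precedence first, as on the GPMC
# "Group Policy Inheritance" tab. Number the rows explicitly.
$rank = 0
$som.InheritedGpoLinks | ForEach-Object {
    $rank++
    [pscustomobject]@{
        Precedence = $rank
        GPO        = $_.DisplayName
        Enabled    = $_.Enabled
        Enforced   = $_.Enforced
        LinkedAt   = $_.Target
    }
} | Format-Table -AutoSize

# Loopback processing is a computer-side policy; when configured it shows up
# as UserPolicyMode (1 = merge, 2 = replace) under this key.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback: merge' }
    2       { 'Loopback: replace' }
    default { 'Loopback: not configured' }
}

# Resultant Set of Policy for the current user on this computer; the report
# names the winning GPO for every applied setting.
$report = Join-Path $env:TEMP 'rsop.html'   # constructed path
Get-GPResultantSetOfPolicy -ReportType Html -Path $report
"RSoP report written to $report"
```

A setting left undefined in the OU-linked GPO will show the next GPO down the precedence list as its winning GPO in the RSoP report.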