Recently it was decided to allow a small group of administrators, not part of the original build of our 2003 AD domain, to begin to implement Group Policy. Currently, the entire domain is at Windows 2003 domain functional level\2003 forest functional level. It is made up of 1 domain and 6 OUs, something like below. When looking at AD Users and Computers, the domain D1.net has the 6 OUs below. Each of the OUs represents a geographical location, so OU1 - OU4 are "field" locations; the DCOU is located in a Central Office, as is the TESTOU, as seen somewhat poorly below.
OU1, OU2, DCOU, OU3, OU4, TESTOU
To make it more confusing, each OU in the field has all of its users, computers, and servers located at their respective sites, which can be hundreds of different locations. Each of the servers is built with VMware, so the DC for each site is inside a virtual machine. These virtual DCs are all located in the DCOU, not the "field" OUs.
After looking at AD Sites and Services, I found that every DC is a separate site, reflecting its physical location in the field, so instead of 1 site, or just 4, we have hundreds of sites.
Now for the question. Before we can do anything, we have to be given the proper Admin privileges, which is in the works. But using the following from Microsoft, that Group Policy is processed from local, site, domain, and then OU, and that the computer or user receives the policy settings of the last AD container processed (that is, a policy applied later overwrites a policy applied earlier), I need to know the following:
If you write a domain policy, then an OU policy, the OU policy would overwrite that policy since it is the last applied (assuming they are the same settings being applied)?
If you are the lowly computer user, which would be the local policy, and have a site policy, domain policy and OU policy, then you potentially have 4 different policies that could conflict with each other?
I assume that all policy decisions need to be made as a group, the settings written down so that conflict does not happen, and of course tested in the TESTOU for damage and effect.
Should the policies be applied from the domain say for all common policies, then from the OU for local OU or regional policies, and then from the sites for just policies to affect a single site?
Should you create a different group for AD policies to implement rather than using the domain admins, thus removing potential policy overwrite problems?
Just curious, but why does the OU policy apply last, shouldn't it be local, site, OU, domain? What's the reason here?
Or did I miss the boat entirely and
Or is there a best practice(s) when applying these group policies that should be adhered to?
Any guidance is helpful before we jump into the fire with both feet and disaster happens!
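Added example, not part of the original post: a small Python model of the Local, Site, Domain, OU processing order described above, used to answer the "which policy wins" and "how many policies could conflict" questions for a computer in the layout the post describes. The GPO names, setting names, the site name "Site-OU1-A" and the link order at each container are all constructed assumptions; Enforced and Block Inheritance are not modelled.

```python
# Constructed model of Group Policy precedence (assumption: no Enforced links,
# no Block Inheritance). Containers are processed Local -> Site -> Domain -> OU
# (parent OU before child OU); for each setting the last GPO applied wins.
# Within one container, link order 1 has the highest precedence, so links are
# applied in reverse link order.
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict  # setting name -> value, e.g. {"ScreenSaverTimeout": 600}


@dataclass
class Target:
    """Where a computer/user lives, as GP processing sees it."""
    site: str
    domain: str
    ou_path: list  # parent first, e.g. ["OU1", "Workstations"]


def apply_order(links, target):
    """GPOs in the order they are applied; later entries override earlier ones.
    links maps "local", "site:<name>", "domain:<name>" or "ou:<name>" to the
    GPOs linked there in link order (index 0 = link order 1)."""
    scopes = ["local", f"site:{target.site}", f"domain:{target.domain}"]
    scopes += [f"ou:{ou}" for ou in target.ou_path]
    ordered = []
    for scope in scopes:
        ordered += list(reversed(links.get(scope, [])))
    return ordered


def resultant(links, target):
    """Winning value for each setting and the GPO that supplied it."""
    winners = {}
    for gpo in apply_order(links, target):
        for key, value in gpo.settings.items():
            winners[key] = (value, gpo.name)  # last applied wins
    return winners


def conflicts(links, target):
    """Settings defined with different values by more than one GPO."""
    seen = {}
    for gpo in apply_order(links, target):
        for key, value in gpo.settings.items():
            seen.setdefault(key, []).append((gpo.name, value))
    return {k: v for k, v in seen.items() if len({val for _, val in v}) > 1}


# Constructed sample: a workstation in OU1 whose DC site is "Site-OU1-A".
LINKS = {
    "local": [GPO("Local Policy", {"ScreenSaverTimeout": 900})],
    "site:Site-OU1-A": [GPO("Site A Printers", {"DefaultPrinter": "PRN-A"})],
    "domain:D1.net": [GPO("Domain Baseline", {"USBStorageDisabled": True, "ScreenSaverTimeout": 600})],
    "ou:OU1": [GPO("OU1 Regional", {"ScreenSaverTimeout": 300}),   # link order 1
               GPO("OU1 Legacy", {"ScreenSaverTimeout": 1200, "DefaultPrinter": "PRN-OLD"})],
}
TARGET = Target(site="Site-OU1-A", domain="D1.net", ou_path=["OU1"])
```

Running `resultant(LINKS, TARGET)` shows the OU1 link with link order 1 winning the screen-saver setting over the domain, site and local values, while `conflicts(LINKS, TARGET)` lists exactly the settings that several GPOs define differently, which is the list worth writing down and testing in the TESTOU before linking anything.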