Solved

Question on GPOs

Posted on 2009-04-07
Last Modified: 2012-05-06
Hi All

We are running Windows 2003 functional level AD.

I have an OU - kam.com\UK\Test Servers

This has two GPOs applied to it - GPO1 and GPO2.

If I look at the OU in GPMC, then the link order is:

1. GPO1
2. GPO2

Both are set to Enforced = No
Link Enabled = No

Couple of questions:

a) I assume this means the order the GPO will be applied in is GPO1 and then GPO2? If there is a conflicting setting, which one takes precedence?

b) What do ENFORCED and LINK ENABLED mean in this instance?

Any help appreciated!

Question by: kam_uk

Accepted Solution by: Mike Kline (earned 300 total points)
ID: 24089357
a)  GPO2 will be applied first, then GPO1; it goes from bottom to top in GPMC.  GPO1 will take precedence.   Another good way to see what policies are set is to run an RSoP report from Group Policy Management Console (GPMC).
 
b)  Enforced means that the policy at the lower level won't win (it won't be overwritten). So let's say you had a domain-level group policy with "enforced": that policy will win.  In the old days this setting was referred to as "no override".
http://technet.microsoft.com/en-us/library/cc978255.aspx
Link enabled means that the Group Policy is linked to the OU.  So the policy will apply to that OU if link enabled is set.  If it is not set, like what you have, then it won't apply to the objects in that OU.
 
Thanks
Mike


Author Comment by: kam_uk
ID: 24089470
Hi Mike,

Thanks for answering... I have enabled my GPOs! :)

Out of interest, what would be the advantage of setting 'No' to link enabled?

Thanks
Assisted Solution by: Ron M (earned 200 total points)
ID: 24089596
mkline is correct...
http://technet.microsoft.com/en-us/library/cc757050.aspx#BKMK_block

just want to add one more thing...

There are also LOCAL, SITE, and DOMAIN policy objects.  Each policy as it is applied overrides the previous policy unless the previous policy is set to "enforced".  If both are set to enforced, then conflicting policy will be overridden by the policy applied last.  You can also "block inheritance", which would mean that a domain policy wouldn't be inherited downlevel on a particular OU unless it was set to enforced.

Here is the order in which policies are applied..
Local policy
Site Policy
Domain Policy
OU Policy

If an OU policy is set to ENFORCED, it will override previous conflicting policy settings...including a domain policy that is set to enforced.
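Worked example, added here and not part of Mike's or Ron's posts: a PowerShell script that walks from the domain root down to the OU from the question, applies the rules stated in the two answers above (links processed bottom-up within a container, Block Inheritance, Enforced, disabled links ignored) to reconstruct the processing order, and then prints GPMC's own precedence list for comparison. It assumes the GroupPolicy module from RSAT on a domain-joined machine (PowerShell 3.0 or later) and the DN OU=Test Servers,OU=UK,DC=kam,DC=com; site-linked GPOs and Local Group Policy are left out, and the DN splitter assumes no escaped commas in OU names.

```powershell
# Added example (not from the thread): reconstruct the order in which Group Policy
# processes the GPOs that reach one OU, then compare it with what GPMC reports.
# Assumes the GroupPolicy module (RSAT) and a domain-joined session. Site-linked
# GPOs and Local Group Policy are omitted; the DN is the OU from the question.
Import-Module GroupPolicy

function Get-ContainerChain {
    # Return the OU's ancestors from the domain root down to the OU itself.
    # Simplification: assumes no escaped commas inside any RDN.
    param([string]$TargetDN)
    $parts = $TargetDN -split ','
    $chain = @()
    for ($i = 0; $i -lt $parts.Length; $i++) {
        $chain += ($parts[$i..($parts.Length - 1)] -join ',')
        if ($parts[$i] -like 'DC=*') { break }   # reached the domain root
    }
    [array]::Reverse($chain)
    return $chain
}

function Get-GpoProcessingOrder {
    param([string]$TargetDN)
    $normal   = @()   # non-enforced links: processed domain -> OU, later ones win
    $enforced = @()   # enforced links: processed after all of the above, OU -> domain
    foreach ($dn in (Get-ContainerChain $TargetDN)) {
        $inh = Get-GPInheritance -Target $dn
        if ($inh.GpoInheritanceBlocked) {
            # Block Inheritance discards every non-enforced link from parents;
            # enforced links from parents still get through.
            $normal = @()
        }
        # A disabled link (Link Enabled = No) does nothing, so drop it here.
        # Within one container, links are processed bottom-up as GPMC lists them:
        # highest Order number first, Order 1 last, so Order 1 wins inside that container.
        $links = $inh.GpoLinks | Where-Object { $_.Enabled } | Sort-Object Order -Descending
        $levelEnforced = @()
        foreach ($l in $links) {
            $entry = [pscustomobject]@{
                Container = $inh.Name
                GPO       = $l.DisplayName
                LinkOrder = $l.Order
                Enforced  = $l.Enforced
            }
            if ($l.Enforced) { $levelEnforced += $entry } else { $normal += $entry }
        }
        # Prepend this level's enforced links so the domain's enforced links end up last
        # (processed last = highest precedence).
        $enforced = @($levelEnforced) + $enforced
    }
    $step = 0
    foreach ($e in ($normal + $enforced)) {
        $step++
        $e | Add-Member -MemberType NoteProperty -Name Step -Value $step -PassThru
    }
}

$ou = 'OU=Test Servers,OU=UK,DC=kam,DC=com'   # from the question; adjust to your domain

"Processing order (last row wins any conflicting setting):"
Get-GpoProcessingOrder $ou | Format-Table Step, Container, GPO, LinkOrder, Enforced -AutoSize

"GPMC's view (Order 1 = highest precedence):"
(Get-GPInheritance -Target $ou).InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize
```

The last row of the processing table is the one that wins a conflict; GPMC's Group Policy Inheritance view shows the same list reversed, with Order 1 as the highest precedence. The part worth studying is how enforced links are ordered: they are processed after every non-enforced link, from the OU up to the domain, which is why an enforced link at the domain level beats an enforced link on a child OU, and why Block Inheritance on the OU does not stop it. Links with Link Enabled = No, as in the question, are dropped before anything is computed, because they do not apply at all.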
Expert Comment by: Mike Kline
ID: 24089682
Good point XuserX
...LSDOU is also a really good thing to remember for interviews :)
Expert Comment by: Mike Kline
ID: 24089724
So here is an example where I set Link Enabled to "No":
We wanted to delete a bunch of GPOs; before deletion I first set Link Enabled to No for a few days just to be positive that removing the GPO would be OK.
...usually we don't use it though.
Thanks
Mike
Expert Comment by: Ron M
ID: 24089901
Here's an example of having a GPO link disabled.

I actually have a GPO object that I use in "emergency" situations. For example, if my entire network was infected with a virus, I apply the GPO, which puts a whole bunch of security restrictions on the PCs and has logon/logoff scripts that run a command-line virus scanner; it locks down everything.  Of course this policy is link disabled, and I would only apply it in an emergency situation where I want to hinder the spread of a virus quickly.  Once my policy is enabled, I run a script on remote machines that runs GPUPDATE /FORCE so that the policy is applied immediately without waiting for the GP refresh.
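Added example, not code from either poster: the two uses of a disabled link described in the last two comments (parking a GPO before deleting it, and keeping an emergency lockdown GPO staged but inactive, then forcing a refresh) as PowerShell functions, plus a check on who can edit the dormant GPO. It assumes the GroupPolicy and ActiveDirectory modules from RSAT, Windows Server 2012 / Windows 8 or later targets for Invoke-GPUpdate, and placeholder GPO names; the OU DN is the one from the question.

```powershell
# Added example (not from the thread): the two uses of Link Enabled = No described
# in the comments above, plus a delegation check on a staged-but-disabled GPO.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT). GPO names are
# placeholders; the OU is the one from the question.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou = 'OU=Test Servers,OU=UK,DC=kam,DC=com'

function Disable-GpoLinkForReview {
    # Step one of a safe GPO retirement: leave the GPO in place but stop it applying.
    # If nothing breaks during the review period, Remove-GPLink and then Remove-GPO.
    param([string]$GpoName, [string]$Target)
    Set-GPLink -Name $GpoName -Target $Target -LinkEnabled No | Out-Null
    # Confirm: the link still exists on the container, but Enabled is now False.
    (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName } |
        Select-Object DisplayName, Order, Enabled, Enforced
}

function Invoke-EmergencyGpo {
    # Turn on a pre-staged lockdown GPO and push a refresh to every computer in the OU.
    # Enforced = Yes is a choice made here so child OUs cannot override the lockdown.
    param([string]$GpoName, [string]$Target)
    Set-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -Enforced Yes | Out-Null
    $computers = Get-ADComputer -SearchBase $Target -Filter * |
        Select-Object -ExpandProperty Name
    foreach ($c in $computers) {
        # Invoke-GPUpdate (Server 2012+ / Windows 8+) schedules gpupdate /force on the
        # remote host; on older hosts use: Invoke-Command -ComputerName $c { gpupdate /force }
        try {
            Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 -ErrorAction Stop
            "$c : refresh queued"
        } catch {
            "$c : FAILED - $($_.Exception.Message)"
        }
    }
}

function Get-DormantGpoEditors {
    # A linked-but-disabled lockdown GPO is still a writable object; whoever can edit
    # it controls what gets pushed to every machine the day it is enabled.
    param([string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { "$($_.Permission)" -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Usage (placeholder GPO names):
# Disable-GpoLinkForReview -GpoName 'Legacy Printer Mapping' -Target $ou
# Get-DormantGpoEditors   -GpoName 'Emergency Lockdown'
# Invoke-EmergencyGpo     -GpoName 'Emergency Lockdown' -Target $ou
```

The delegation check is the part a practitioner should not skip: a staged GPO with a disabled link looks inert in GPMC, but anyone holding GpoEdit on it can change its settings or scripts unnoticed, and the moment the link is enabled those changes reach every computer in the OU. The link flipping from disabled to enabled (and a GPO being enforced) is also a good event to alert on, since both are exactly the actions an attacker with GPO rights would take.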