
Question on GPOs

Posted on 2009-04-07
Last Modified: 2012-05-06
Hi All

We are running Windows 2003 functional level AD.

I have an OU - kam.com\UK\Test Servers

This has two GPOs applied to it - GPO1 and GPO2.

If I look at the OU in GPMC, then the link order is:

1. GPO1
2. GPO2

Both are set to Enforced = No
Link Enabled = No

Couple of questions:

a) I assume this means the order the GPO will be applied in is GPO1 and then GPO2? If there is a conflicting setting, which one takes precedence?

b) What do ENFORCED and LINK ENABLED mean in this instance?

Any help appreciated!

Question by:kam_uk
6 Comments
 

Accepted Solution

by:
Mike Kline earned 1200 total points
ID: 24089357
a)  GPO2 will be applied first, then GPO1; it goes from bottom to top in GPMC.  GPO1 will take precedence.   Another good way to see what policies are set is to run an RSoP report from Group Policy Management Console (GPMC).

b)  Enforced means that the policy at the lower level won't win (it won't be overwritten). So let's say you had a domain level group policy with "enforced". That policy will win.  In the old days this setting was referred to as "no override".
http://technet.microsoft.com/en-us/library/cc978255.aspx
Link enabled means that the Group Policy is linked to the OU.  So the policy will apply to that OU if link enabled is set.  If it is not set, like what you have, then it won't apply to the objects in that OU.

Thanks
Mike



Author Comment

by:kam_uk
ID: 24089470
Hi Mike,

Thanks for answering...I have enabled my GPOs! :)

Out of interest, what would be the advantage of setting 'No' to link enabled?

Thanks

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 800 total points
ID: 24089596
mkline is correct...
http://technet.microsoft.com/en-us/library/cc757050.aspx#BKMK_block

just want to add one more thing...

There are also LOCAL, SITE, and DOMAIN policy objects.  Each policy as it is applied overrides the previous policy unless the previous policy is set to "enforced".  If both are set to enforced, then conflicting policy will be overridden by the policy applied last.  You can also "block inheritance"... which would mean that a domain policy wouldn't be inherited downlevel on a particular OU unless it was set to enforced.

Here is the order in which policies are applied:
Local policy
Site Policy
Domain Policy
OU Policy

If an OU policy is set to ENFORCED, it will override previous conflicting policy settings...including a domain policy that is set to enforced.
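The precedence rules from the accepted solution and Ron's follow-up (LSDOU order, GPMC link order, Link Enabled, Enforced and Block Inheritance), worked through in a small Python model. This is an added example, not code from the thread or from Microsoft: the container names, GPO names and setting values are constructed, and the enforced Default Domain Policy is assumed for illustration. It encodes the documented rule that, when links at different levels are both enforced, the link higher in the hierarchy (the domain) is applied last and wins, which is worth comparing against the Group Policy Inheritance tab in GPMC before relying on an OU-level enforced link.

```python
"""Toy model of Group Policy precedence: LSDOU order, GPMC link order,
Link Enabled, Enforced and Block Inheritance.

Added illustration for this thread, not Microsoft code. The containers, GPO
names and setting values below are constructed for the example.
"""
from dataclasses import dataclass, field

# Active Directory containers in processing order. The Local GPO (not an AD
# link) is applied before all of these and loses every conflict, so it is
# left out of the model.
LEVELS = ["Site", "Domain", "OU"]


@dataclass
class GpoLink:
    gpo: str
    order: int                # GPMC link order; 1 = highest precedence here
    enabled: bool = True      # "Link Enabled"
    enforced: bool = False    # "Enforced" (formerly "No Override")


@dataclass
class Container:
    name: str
    level: str                # one of LEVELS
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_sequence(containers):
    """Names of the GPOs in the order the client applies them.

    Later entries overwrite earlier ones, so the last GPO that defines a
    setting wins. Rules modelled:
      * containers are processed Site -> Domain -> OU;
      * within a container, links are applied from the largest link-order
        number down to 1 (GPMC "bottom to top"), so link order 1 wins;
      * a link with Link Enabled = No is skipped;
      * Block Inheritance discards every non-enforced link inherited from
        containers above;
      * enforced links are applied after all non-enforced ones, in reverse
        container order, so an enforced Domain link beats an enforced OU link.
    """
    ordered = sorted(containers, key=lambda c: LEVELS.index(c.level))
    normal = []                  # non-enforced links, in application order
    enforced_per_container = []  # one list per container, Site first
    for container in ordered:
        if container.block_inheritance:
            normal = []          # drop non-enforced links from parents
        enforced_here = []
        for link in sorted(container.links, key=lambda lk: lk.order, reverse=True):
            if not link.enabled:
                continue
            (enforced_here if link.enforced else normal).append(link.gpo)
        enforced_per_container.append(enforced_here)
    sequence = list(normal)
    for enforced_links in reversed(enforced_per_container):
        sequence.extend(enforced_links)
    return sequence


def resolve(containers, settings):
    """Winning value of each setting; `settings` maps GPO name -> {setting: value}."""
    winning = {}
    for gpo in application_sequence(containers):
        winning.update(settings.get(gpo, {}))   # later GPO overwrites earlier
    return winning


# Constructed settings for the example GPOs.
SETTINGS = {
    "Default Domain Policy": {"lockout_threshold": 5, "audit_logon": "success,failure"},
    "GPO1": {"screensaver_timeout": 600, "lockout_threshold": 10},
    "GPO2": {"screensaver_timeout": 900, "audit_logon": "none"},
}


def thread_scenario(links_enabled=True):
    """The question's OU: GPO1 (link order 1) above GPO2 (link order 2), under a
    domain whose policy is enforced (constructed assumption)."""
    domain = Container("kam.com", "Domain",
                       [GpoLink("Default Domain Policy", 1, enforced=True)])
    ou = Container("Test Servers", "OU",
                   [GpoLink("GPO1", 1, enabled=links_enabled),
                    GpoLink("GPO2", 2, enabled=links_enabled)])
    return [ou, domain]       # list order is irrelevant; resolver sorts by level


def block_inheritance_scenario():
    """OU with Block Inheritance under a domain with one enforced and one
    ordinary link (constructed)."""
    domain = Container("kam.com", "Domain",
                       [GpoLink("Default Domain Policy", 1, enforced=True),
                        GpoLink("Domain Baseline", 2)])
    ou = Container("Test Servers", "OU", [GpoLink("GPO1", 1)],
                   block_inheritance=True)
    return [domain, ou]


if __name__ == "__main__":
    for label, scenario in [("links enabled", thread_scenario()),
                            ("links disabled, as posted", thread_scenario(False)),
                            ("block inheritance", block_inheritance_scenario())]:
        print(label, "->", application_sequence(scenario), resolve(scenario, SETTINGS))
```

With both OU links enabled the model applies GPO2, then GPO1, then the enforced domain policy, so GPO1 wins the screensaver conflict and the domain wins the lockout threshold; with the links disabled, as in the original post, only the domain policy reaches the OU. The block-inheritance scenario shows the ordinary "Domain Baseline" link being dropped while the enforced link still applies.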

Expert Comment

by:Mike Kline
ID: 24089682
Good point XuserX
...LSDOU is also a really good thing to remember for interviews :)

Expert Comment

by:Mike Kline
ID: 24089724
So here is an example where I set link enabled to "no".
We wanted to delete a bunch of GPOs; before deletion I first set link enabled to no for a few days just to be positive removing the GPO would be OK.
...usually we don't use it though.
Thanks
Mike

Expert Comment

by:Ron Malmstead
ID: 24089901
Here's an example of having a GPO link disabled.

I actually have a GPO object that I use in "emergency" situations...for example, if my entire network was infected with a virus... I apply the GPO which puts a whole bunch of security restrictions on the PCs and has logon/logoff scripts that run a command line virus scanner...it locks down everything.  Of course this policy is link disabled,..and I would only apply it in an emergency situation where I want to hinder the spread of a virus quickly.  Once my policy is enabled, I run a script on remote machines that runs... GPUPDATE /FORCE so that the policy is applied immediately without waiting for gp refresh.