Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Active Directory - Group Policy Question

Posted on 2011-02-11
3
Medium Priority
?
395 Views
Last Modified: 2012-05-11
1.  Are local group policies applied differently than domain group policies in terms of which one takes precedence?  It is my understanding that the most specific GPO is takes precedence is that true for both local and domain?  

2.  Reading the 70-622 book it states that if I had a domain structure like the one below

Forest:  hq.contoso.com
OU: Accounting, Finance Human Resouces, IT etc
IT OU split into Desktops, Laptops, and Server OUs each with their own GPO

The order of precedence would be the in the following order

Local GPO
Default Domain Policy
IT GPO
IT Desktop GPO

Wouldn't the Local GPO be first then followed by the IT-Desktop GPOs, IT and finally Default Domain Policy...I thought it went most specific to most general.  

A bit confused because on page 107 it says Settings in lower-level GPOs override settings in higher GPOs but then they say domain GPOs override lower GPOs in the very next sentence.  

I am hoping someone out there has a simple way to think of this.  THanks

Aaron
0
Comment
Question by:AJJ36
3 Comments
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34870325
Domain GPOS will always overide local policy settings aslong as the machine is a member of the domain.

Also remeber enforce is also authorative.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 34870401
Part of your confusion might be the difference between application time and priority: note that GPOs that are processed later have a higher priority, since the settings from the GPOs that are applied later will overwrite the same settings that might come from "earlier" GPOs.
So in your list above, you're not listing the precedence/priority, you're listing the application order--the priority will be the reverse of that list.
GPOs are applied in the order "LSDOU":
Local Policies
Site GPOs
Domain GPOs
OU GPOs
For the OU GPOs in general: the "closer" the GPO is to the object in the AD path, the higher the priority.
0
 

Author Closing Comment

by:AJJ36
ID: 34877356
Thank you for the help
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question