Group Policies - To enforce or not to enforce

I'm still relatively new to group policies and they don't seem very dependable to me. I can't tell when they roll out and I'm not sure how to effectively use gpupdate. Here are a few specific questions.

1. If I have OUs inside other OUs then they should inherit policies from parent OUs correct?
2. Is linking the policy sufficient or should I enforce the policy also?
3. How do I use gpupdate to ensure the policy changes take effect immediately?
4. Should gpupdate be run on the DC or on the workstations being affected by the policy?
5. Should I use the security filtering? If so, how?
Russ Suter Asked:

Adam Brown, Sr Solutions Architect, Commented:
1. Yes, unless inheritance is blocked (It's recommended to avoid blocking inheritance)
2. Linking it is usually sufficient. Be aware that User Configuration Settings will only affect Users in the OU you link it to (Unless you use Loopback Policy Processing. Google that for more info) and any child OUs. Same with Computer Configuration Settings, they only affect Computer Objects.
3. Run GPUpdate /force on the computers that you are setting the policy for. Note that if you don't do this, the policy will be applied on Reboot for computer configuration settings and on logon for user configuration settings.
4. It should be run on the systems that the policy is being applied to (or by a user the policy is applied to).
5. Security filtering is used to limit the systems and users that the policy will be applied to. If you want a policy applied to a specific group of users/computers but not all, you can use security filtering to limit the policy to a specific group of users/computers.

A couple of other notes: Enforcing a policy will cause it to bypass an Inheritance block and it will force the policy to take precedence over all other policies. Use it sparingly.
Neil Russell, Technical Development Lead, Commented:
"3. Run GPUpdate /force on the computers that you are setting the policy for. Note that if you don't do this, the policy will be applied on Reboot for computer configuration settings and on logon for user configuration settings."

Some user policies will apply at the next group policy refresh interval (90 mins by default) without you having to do anything at all at the workstation. No reboot, no logoff/on, no gpupdate (/force or not).

BUT.....

Some policies will actually require you to reboot, log in, log off and reboot and log in again before they will be effective.

Don't ask what ones are in what scenario! It's a long list lol

Question has a verified solution.
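
The checks discussed in the answers above, as an added PowerShell example that is not part of the original thread: it lists what an OU inherits, which links are enforced, who each GPO is security-filtered to, and then refreshes one computer. It assumes the GroupPolicy module (RSAT) is installed; `$TargetOU` and `$Computer` are hypothetical placeholders.

```powershell
# Added example: read-only audit of the GPOs reaching an OU, then a refresh
# of one computer. Run from an admin workstation with the GroupPolicy module.
Import-Module GroupPolicy

# Hypothetical placeholders: replace with your own OU and computer name.
$TargetOU = 'OU=Workstations,OU=Sales,DC=example,DC=com'
$Computer = 'WS-EXAMPLE-01'

$som = Get-GPInheritance -Target $TargetOU

# Question 1: a blocked OU stops inheriting from its parents,
# except for links that are marked Enforced.
"Inheritance blocked on target OU: $($som.GpoInheritanceBlocked)"

# Question 2: every link that reaches this OU (direct and inherited),
# with its precedence order and whether it is enforced.
$som.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# Question 5: security filtering is the set of trustees holding the
# "Apply group policy" permission on each GPO.
foreach ($link in $som.InheritedGpoLinks) {
    $appliesTo = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    '{0}: applies to {1}' -f $link.DisplayName, ($appliesTo -join ', ')
}

# Questions 3 and 4: the refresh runs on the affected computer, not the DC.
# Invoke-GPUpdate schedules gpupdate on the remote machine; -Force reapplies
# all settings and a delay of 0 starts it without the default random wait.
Invoke-GPUpdate -Computer $Computer -Force -RandomDelayInMinutes 0

# Confirm what the computer actually applied and what was filtered out.
gpresult /s $Computer /scope computer /r
```

Running `gpupdate /force` followed by `gpresult /r` locally on the workstation gives the same refresh and confirmation when remote management is not available.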
