Group Policies - To enforce or not to enforce

I'm still relatively new to group policies and they don't seem very dependable to me. I can't tell when they roll out and I'm not sure how to effectively use gpupdate. Here are a few specific questions.

1. If I have OUs inside other OUs then they should inherit policies from parent OUs, correct?
2. Is linking the policy sufficient or should I enforce the policy also?
3. How do I use gpupdate to ensure the policy changes take effect immediately?
4. Should gpupdate be run on the DC or on the workstations being affected by the policy?
5. Should I use the security filtering? If so, how?
Asked by Russ Suter

Adam Brown, Sr Solutions Architect, commented:
1. Yes, unless inheritance is blocked (it's recommended to avoid blocking inheritance).
2. Linking it is usually sufficient. Be aware that User Configuration settings will only affect users in the OU you link it to (unless you use Loopback Policy Processing; Google that for more info) and any child OUs. Same with Computer Configuration settings: they only affect computer objects.
3. Run `gpupdate /force` on the computers that you are setting the policy for. Note that if you don't do this, the policy will be applied on reboot for computer configuration settings and on logon for user configuration settings.
4. It should be run on the systems that the policy is being applied to (or by a user the policy is applied to).
5. Security filtering is used to limit the systems and users that the policy will be applied to. If you want a policy applied to a specific group of users/computers but not all, you can use security filtering to limit the policy to a specific group of users/computers.

A couple of other notes: enforcing a policy will cause it to bypass an inheritance block and it will force the policy to take precedence over all other policies. Use it sparingly.
Neil Russell, Technical Development Lead, commented:
"3. Run `gpupdate /force` on the computers that you are setting the policy for. Note that if you don't do this, the policy will be applied on reboot for computer configuration settings and on logon for user configuration settings."

Some user policies will apply at the next group policy refresh interval (90 mins by default) without you having to do anything at all at the workstation. No reboot, no logoff/on, no gpupdate (/force or not).

BUT.....

Some policies will actually require you to reboot, log in, log off and reboot and log in again before they will be effective.

Don't ask what ones are in what scenario! It's a long list lol

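The checks discussed in the answers above (inherited links, enforced links, security filtering, and refreshing the affected machine rather than the DC) can be run from an admin workstation as follows. This is an added example, not part of the original posts; it assumes the RSAT GroupPolicy module is installed, and the OU path, GPO name and computer name are placeholders.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$OuDn     = 'OU=Workstations,OU=Corp,DC=example,DC=com'  # hypothetical child OU
$GpoName  = 'Example Workstation Baseline'                # hypothetical GPO
$Computer = 'WS-EXAMPLE-01'                               # hypothetical workstation

# Question 1: which GPOs reach this OU from its parents, and is inheritance blocked here?
$inh = Get-GPInheritance -Target $OuDn
"Inheritance blocked on this OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Sort-Object Order |                       # Order 1 = highest precedence
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# Question 2: enforced links bypass an inheritance block and take precedence,
# so list them separately and confirm each one is intentional.
$enforced = $inh.InheritedGpoLinks | Where-Object Enforced
if ($enforced) {
    "Enforced links reaching this OU: $($enforced.DisplayName -join ', ')"
} else {
    'No enforced links reach this OU.'
}

# Question 5: security filtering. Only trustees holding the Apply permission
# on the GPO will process it, even when the link is in scope.
Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name }

# Questions 3 and 4: refresh policy on the machine the GPO targets, not on the DC.
# Invoke-GPUpdate schedules gpupdate on the remote computer; delay 0 runs it at once.
Invoke-GPUpdate -Computer $Computer -Force -RandomDelayInMinutes 0

# Then confirm what the target actually applied (run from an elevated prompt).
gpresult /s $Computer /scope computer /r
```

If the GPO is missing from the `gpresult` output after the refresh, compare the machine's OU and group membership against the link and Apply lists printed above before reaching for enforcement.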