Active Directory - Group Policy=Enforced-NO

Craig Paulsen
Team, can you good folk please give me an easy explanation that I can convey to one of the technical consultants for my client of what the "NO" in Enforced actually entails (see attached)? We know that this policy applies to all users in an OU called TIER 1 and is working.
Many thanks
GPO-Enformed-NO.jpg
Joseph Hornsey, President and Janitor

Commented:
The default behavior of a GPO is to apply its settings.  Those settings are propagated down the hierarchy like NTFS permissions are.

However, you can block inheritance of a GPO which keeps settings from the parent from being applied.

The "Enforced" option tells the GPO to override that block and apply the settings anyway.

It is Microsoft's best practice to limit the use of overrides and blocks as much as possible.
Joseph Hornsey, President and Janitor

Commented:
Here's a good explanation of managing GP scope:

https://technet.microsoft.com/en-us/library/cc772166.aspx
Craig Paulsen, Senior Systems Engineer

Author

Commented:
Thanks Joseph, so in my case Enforced is set to No, but the policy is still applying. Even I'm struggling to grasp this, let alone explain it to another person.

President and Janitor
Commented:
LOL.. yeah... it can get a little convoluted.

Let's say you have an OU hierarchy in your domain like this:

Domain       <----"Default Domain Policy" links here
     |__Human Resources
     |__Sales       <----"Sales Stuff" links here
              |__Managers
              |__Sales Reps
              |__Sales Admin


One of the GPOs you have is the Default Domain Policy GPO.  It is linked to the domain.  So every OU under the domain inherits the settings of the Default Domain Policy GPO.  Nobody has to enforce this; it's just how Group Policy works.

So, let's say that you need to create some settings for your sales department.  So you create a GPO called "Sales Stuff" and you link it to the Sales OU.  Once you do that, the settings in "Sales Stuff" are applied to everything in the Sales OU, including Managers, Sales Reps and Sales Admin and everything they contain.  Again, this is just how GP works.

Now, let's say you're a sales person and your account is in the "Sales Rep" OU.  When you log on, there are two GPOs that need to be applied to you:  Default Domain Policy and Sales Stuff.

When multiple GPOs are being applied, they are applied from the top down.  So, the first GPO applied is the Default Domain Policy and the second is the Sales Stuff.  (It's not quite like that, but close enough).

As each policy is applied, it will overwrite conflicting settings that previous policies applied.  So, in our example, let's say the DDP makes your desktop background blue.  But, let's say the SS policy says your desktop should be yellow.

Well, the first policy applied when you log on is the topmost policy.  That's the DDP.  So, it changes the setting on your computer to make the desktop background blue.  However, the SS policy is applied next and it changes the desktop background to yellow.

The end result is your desktop is yellow.

(Keep in mind, this only applies for configured settings which conflict with each other.  In this case, the desktop color.  But, if the DDP also dictated what kind of mouse pointer you had, and that wasn't specified in the SS policy, the DDP settings would be there because they didn't get overwritten by the SS GPO, so they would apply.)

Well, the CEO will have none of that!  By God, those desktops are going to be blue, or some heads are going to roll!

No problem.  We now select "Enforced" on the DDP and the SS policy can no longer overwrite DDP settings.  So, when you log on, any settings the SS policy would have overwritten, including the desktop color, are kept intact.  So, your desktop is blue.

Does that make sense?
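
The processing order described in this thread (top-down application, Block Inheritance, and Enforced), as a small Python model. This is an added example, not code from any poster or from Microsoft; the `Link`, `Container` and `effective_settings` names and the "arrow" pointer value are constructed for illustration, and link order within a single container is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False          # the "Enforced" flag on the GPO link

@dataclass
class Container:                    # the domain or an OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_settings(path):
    """path: containers from the domain down to the account's OU.
    Returns {setting: (value, name of the GPO that won)}."""
    # Block Inheritance discards non-enforced links from containers above it.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    result = {}
    # Pass 1: non-enforced links, top down; a GPO applied later overwrites conflicts.
    for i, c in enumerate(path):
        for link in c.links:
            if not link.enforced and i >= start:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    # Pass 2: enforced links ignore the block and are written last, lowest
    # container first, so the enforced link highest in the tree wins.
    for c in reversed(path):
        for link in c.links:
            if link.enforced:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    return result

def sample(ddp_enforced=False, sales_blocks=False):
    """Constructed data matching the thread's Domain > Sales > Sales Reps tree."""
    ddp = Link("Default Domain Policy",
               {"desktop": "blue", "pointer": "arrow"}, ddp_enforced)
    ss = Link("Sales Stuff", {"desktop": "yellow"})
    return [Container("Domain", [ddp]),
            Container("Sales", [ss], sales_blocks),
            Container("Sales Reps")]

if __name__ == "__main__":
    for enforced in (False, True):
        print("DDP enforced =", enforced, effective_settings(sample(enforced)))
```

With Enforced set to No, the Default Domain Policy still applies through normal inheritance; the flag only decides who wins when a lower GPO conflicts with it or a lower OU blocks inheritance.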
Craig Paulsen, Senior Systems Engineer

Author

Commented:
Thanks mate, appreciate the time taken to detail that
Craig Paulsen, Senior Systems Engineer

Author

Commented:
Thanks heaps mate
Joseph Hornsey, President and Janitor

Commented:
My pleasure!

Like I said, that stuff can get pretty convoluted pretty quickly.

Glad I could be of help!
