Active Directory - Group Policy=Enforced-NO

Team, can you good folk please give me an easy explanation, that I can convey to one of the technical consultants for my client, of what the "NO" in Enforced actually entails (see attached)? We know that this policy applies to all users in an OU called TIER 1 and is working.
Many thanks
GPO-Enformed-NO.jpg
Craig Paulsen, Senior Systems Engineer, Asked:

Joseph Hornsey, President and Janitor, Commented:
The default behavior of a GPO is to apply its settings.  Those settings are propagated down the hierarchy like NTFS permissions are.

However, you can block inheritance of a GPO which keeps settings from the parent from being applied.

The "Enforced" option tells the GPO to override that block and apply the settings anyway.

It is Microsoft's best practice to limit the use of overrides and blocks as much as possible.
Joseph Hornsey, President and Janitor, Commented:
Here's a good explanation of managing GP scope:

https://technet.microsoft.com/en-us/library/cc772166.aspx
Craig Paulsen, Senior Systems Engineer, Author Commented:
Thanks Joseph, so in my case Enforced is set to No, but the policy is still applying. Even I'm struggling to grasp this, let alone explain it to another person.

Joseph Hornsey, President and Janitor, Commented:
LOL.. yeah... it can get a little convoluted.

Let's say you have an OU hierarchy in your domain like this:

Domain       <----"Default Domain Policy" links here
     |__Human Resources
     |__Sales       <----"Sales Stuff" links here
              |__Managers
              |__Sales Reps
              |__Sales Admin


One of the GPOs you have is the Default Domain Policy GPO.  It is linked to the domain.  So every OU under the domain inherits the settings of the Default Domain Policy GPO.  Nobody has to enforce this; it's just how Group Policy works.

So, let's say that you need to create some settings for your sales department.  So you create a GPO called "Sales Stuff" and you link it to the Sales OU.  Once you do that, the settings in "Sales Stuff" are applied to everything in the Sales OU, including Managers, Sales Reps and Sales Admin and everything they contain.  Again, this is just how GP works.

Now, let's say you're a sales person and your account is in the "Sales Rep" OU.  When you log on, there are two GPOs that need to be applied to you:  Default Domain Policy and Sales Stuff.

When multiple GPOs are being applied, they are applied from the top down.  So, the first GPO applied is the Default Domain Policy and the second is the Sales Stuff.  (It's not quite like that, but close enough).

As each policy is applied, it will overwrite conflicting settings that previous policies applied.  So, in our example, let's say the DDP makes your desktop background blue.  But, let's say the SS policy says your desktop should be yellow.

Well, the first policy applied when you logon is the topmost policy.  That's the DDP.  So, it changes the setting on your computer to make the desktop background blue.  However, the SS policy is applied next and it changes the desktop background to yellow.

The end result is your desktop is yellow.

(Keep in mind, this only applies for configured settings which conflict with each other.  In this case, the desktop color.  But, if the DDP also dictated what kind of mouse pointer you had, and that wasn't specified in the SS policy, the DDP settings would be there because they didn't get overwritten by the SS GPO, so they would apply.)

Well, the CEO will have none of that!  By God, those desktops are going to be blue, or some heads are going to roll!

No problem.  We now select "Enforced" on the DDP and the SS policy can no longer overwrite DDP settings.  So, when you log on, any settings the SS policy would have overwritten, including the desktop color, are kept intact.  So, your desktop is blue.

Does that make sense?
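
The precedence rules from the answer above, as an added example that is not part of the original thread: a simplified Python model of the Default Domain Policy / Sales Stuff scenario, covering Enforced and Block Inheritance. It ignores link order within one container, site and local policy, and security filtering; the class and function names and the mouse-pointer value are made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False          # the "Enforced" column on the GPO link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_settings(path):
    """path: containers from the domain down to the OU holding the account.
    Returns {setting: (value, winning GPO)}."""
    # Block Inheritance on a container drops non-enforced links from above it.
    blocked_from = 0
    for i, c in enumerate(path):
        if c.block_inheritance:
            blocked_from = i
    normal, enforced = [], []
    for i, c in enumerate(path):
        for link in c.links:
            if link.enforced:
                enforced.append(link)        # ignores any block below it
            elif i >= blocked_from:
                normal.append(link)
    # Non-enforced links apply top-down, so the closest OU is written last.
    # Enforced links are written after those, highest container last,
    # so nothing lower in the hierarchy can overwrite them.
    result = {}
    for link in normal + enforced[::-1]:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

def scenario(ddp_enforced=False, sales_blocks=False):
    # Constructed sample data based on the thread's example.
    ddp = Link("Default Domain Policy",
               {"desktop_color": "blue", "mouse_pointer": "standard"}, ddp_enforced)
    ss = Link("Sales Stuff", {"desktop_color": "yellow"})
    path = [Container("Domain", [ddp]),
            Container("Sales", [ss], sales_blocks),
            Container("Sales Reps")]
    return resultant_settings(path)

if __name__ == "__main__":
    for enforced in (False, True):
        for blocked in (False, True):
            print(f"Enforced={enforced} Block={blocked}:", scenario(enforced, blocked))
```

With Enforced set to No and no block, the Default Domain Policy still supplies every setting that "Sales Stuff" does not configure, which is why a policy can show Enforced: No and still be applying.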

Craig Paulsen, Senior Systems Engineer, Author Commented:
Thanks mate, appreciate the time taken to detail that
Craig Paulsen, Senior Systems Engineer, Author Commented:
Thanks heaps mate
Joseph Hornsey, President and Janitor, Commented:
My pleasure!

Like I said, that stuff can get pretty convoluted pretty quickly.

Glad I could be of help!