Managing inheritance of Group Policy
To apply the settings of a Group Policy object (GPO) to the users and
computers of a domain, site, or organizational unit, you link that
domain, site, or organizational unit to the GPO. You can add one or more
GPO links to each domain, site, and organizational unit in Group Policy
Management Console (GPMC). The settings deployed by GPOs linked to
higher containers (parent containers) in Active Directory are inherited
by default by child containers and combine with any settings deployed in
GPOs linked to the child containers. If multiple GPOs attempt to set the
same setting to conflicting values, the GPO with the highest precedence
wins. GPO processing follows a last-writer-wins model: GPOs that are
processed later have precedence over GPOs that are processed earlier.
Group Policy objects are processed in the following order:
- The local Group Policy object (LGPO) is applied.
- GPOs linked to sites.
- GPOs linked to domains.
- GPOs linked to organizational units. In the case of nested
organizational units, GPOs linked to parent organizational units are
processed before GPOs linked to child organizational units, so the
links on the child organizational unit have the highest precedence.
You can view the precedence order of GPOs for a given site, domain, or organizational unit on the Group Policy Inheritance tab of that site, domain, or organizational unit. Note that the Group Policy Inheritance tab for a domain or organizational unit does not show GPOs linked to sites, because the site a given computer belongs to is not known ahead of time. Also, when viewing a site, the only difference between the Group Policy Inheritance tab and the Linked Group Policy Objects tab is that the former takes the Enforced attribute (described below) into account.
For more background information about GPO link processing and precedence, including the default order for processing, see Group Policy processing and precedence.
You can further control precedence and how GPO links are applied to specific domains, sites, or organizational units by doing the following:
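The Group Policy Inheritance tab has a scripting equivalent, Get-GPInheritance, whose InheritedGpoLinks list is the same precedence-ordered view. The script below is an added example, not part of the original article: it walks every organizational unit in the domain, prints the effective precedence list for each, and flags the organizational units that have Block Inheritance set, which is the check you want when auditing whether domain-level security settings actually reach every container. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account running it can read Group Policy; no domain names or GPO names are hard-coded.

```powershell
# Added example (not from the original article). Requires the GroupPolicy
# and ActiveDirectory RSAT modules; run as an account that can read GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuGpoPrecedence {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $inh = Get-GPInheritance -Target $OuDistinguishedName

    # InheritedGpoLinks is the effective, precedence-ordered list, the same
    # view as the Group Policy Inheritance tab: position 1 wins a conflict.
    # Enforced links from parent containers are included even when this OU
    # blocks inheritance; site-linked GPOs are never shown here.
    $position = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $position++
        [pscustomobject]@{
            OU                  = $inh.Name
            Precedence          = $position
            GPO                 = $link.DisplayName
            LinkedAt            = $link.Target
            Enforced            = $link.Enforced
            Enabled             = $link.Enabled
            OuBlocksInheritance = $inh.GpoInheritanceBlocked
        }
    }
}

# Walk every OU in the domain and build one report row per effective link.
$report = Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-OuGpoPrecedence -OuDistinguishedName $_.DistinguishedName }

$report |
    Format-Table OU, Precedence, GPO, LinkedAt, Enforced, Enabled, OuBlocksInheritance -AutoSize

# OUs that block inheritance deserve a second look: unless a GPO is linked
# Enforced above them, domain-level settings silently stop applying there.
"`nOUs with Block Inheritance set:"
$report |
    Where-Object OuBlocksInheritance |
    Select-Object -ExpandProperty OU -Unique
```

Read the LinkedAt column together with Enforced: an entry whose target is the domain but which still appears in the list of an OU that blocks inheritance is there only because its link is enforced, which is exactly the behaviour described under Enforcing a GPO link below.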
Changing the link order
Within each domain, site, and organizational unit, the link order
controls the order in which the links for that container are applied.
To change the precedence of a link, change its link order by moving the
link up or down in the list. The link with the lower link-order number
(1 being the highest) has the higher precedence for a given site,
domain, or organizational unit. For example, if you add six GPO links
and later decide that you want the last one you added to have the
highest precedence, move that GPO link to the top of the list.
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit.
Blocking inheritance prevents GPOs linked to higher sites, domains, or
organizational units from being automatically inherited by the child
container. By default, children inherit all GPOs from the parent, but
it is sometimes useful to block inheritance. For example, if you want to
apply a single set of policies to an entire domain except for one
organizational unit, you can link the required GPOs at the domain level
(from which all organizational units inherit policies by default), and
then block inheritance only on the organizational unit to which the
policies should not be applied.
Enforcing a GPO link
You can specify that the settings in a GPO link should take precedence
over the settings of any child container by setting that link to
Enforced. GPO links that are enforced cannot be blocked by a child
container. Without enforcement from above, the settings of GPO links at
the higher level (parent) are overridden by settings in GPOs linked to
child organizational units if the GPOs contain conflicting settings.
With enforcement, the parent GPO link always has precedence. Because an
enforced link defeats both Block Inheritance and conflicting settings
at lower levels, it is the mechanism to use for a domain-level security
baseline that administrators delegated control of an organizational
unit must not be able to override. By default, GPO links are not
enforced. In tools prior to GPMC, "Enforced" was known as "No override."
Disabling a GPO link
By default, processing is enabled for all GPO links. You
can completely block the application of a GPO for a given site, domain,
or organizational unit by disabling the GPO link for that domain, site,
or organizational unit. Note that this does not disable the GPO itself,
and if the GPO is linked to other sites, domains or organizational
units, they will continue to process the GPO, if their links are
enabled.
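The four controls above map to two GroupPolicy cmdlets: Set-GPLink for link order, enforcement, and enabling or disabling a link, and Set-GPInheritance for blocking inheritance. The script below is an added example, not code from the original article. It applies all four to a hypothetical organizational unit "OU=Workstations,DC=corp,DC=example" and two hypothetical GPOs, "Security Baseline" (assumed already linked at the domain) and "Workstation Settings" (assumed already linked to the OU), then re-reads the inheritance list to confirm the interaction that matters for security: the enforced domain link survives the block on the OU, while the disabled link drops out.

```powershell
# Added example (not from the original article). Requires the GroupPolicy
# RSAT module and rights to edit GPO links. All names below are assumptions.
Import-Module GroupPolicy

$domainDn = "DC=corp,DC=example"            # assumed domain
$ouDn     = "OU=Workstations,$domainDn"     # assumed OU
$baseline = "Security Baseline"             # assumed GPO, already linked at $domainDn
$wsGpo    = "Workstation Settings"          # assumed GPO, already linked at $ouDn

function Show-Precedence {
    param([Parameter(Mandatory)][string]$Target)
    # Same view as the Group Policy Inheritance tab: position 1 wins conflicts.
    $inh = Get-GPInheritance -Target $Target
    "{0}  (BlockInheritance={1})" -f $inh.Path, $inh.GpoInheritanceBlocked
    $n = 0
    foreach ($l in $inh.InheritedGpoLinks) {
        $n++
        "  {0}. {1,-22} from {2}  Enforced={3} Enabled={4}" -f `
            $n, $l.DisplayName, $l.Target, $l.Enforced, $l.Enabled
    }
}

"Before:"
Show-Precedence -Target $ouDn

# 1. Change the link order: give the workstation GPO link order 1, the
#    highest precedence among the links on this OU.
Set-GPLink -Name $wsGpo -Target $ouDn -Order 1 | Out-Null

# 2. Block inheritance on the OU. Domain-linked GPOs stop applying here...
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 3. ...unless they are Enforced at the domain. Enforce the baseline so that
#    neither the block above nor a conflicting child setting can remove it.
Set-GPLink -Name $baseline -Target $domainDn -Enforced Yes | Out-Null

# 4. Disable the workstation GPO's link on this OU only. The GPO object and
#    any links it has elsewhere are untouched.
Set-GPLink -Name $wsGpo -Target $ouDn -LinkEnabled No | Out-Null

"`nAfter:"
# Check: the enforced baseline must still be listed for the OU although
# inheritance is blocked, and the disabled workstation link no longer applies.
Show-Precedence -Target $ouDn
```

Run it on a test organizational unit first; each cmdlet takes effect in Active Directory immediately, and clients pick the change up at their next Group Policy refresh. Undo with Set-GPInheritance -IsBlocked No, Set-GPLink -Enforced No, and Set-GPLink -LinkEnabled Yes.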
For more information about these tasks, see Control Group Policy Object Scope.
Important
- GPO links set to Enforced (No override) cannot be blocked.
- The Enforced and Block Inheritance options should be used sparingly.
Casual use of these advanced features complicates troubleshooting.