Tuesday, August 12, 2014

Managing inheritance of Group Policy

Managing inheritance of Group Policy

To apply the settings of a Group Policy object (GPO) to the users and computers of a domain, site, or organizational unit, you can link that domain site or organizational unit to that GPO. You can add one or more GPO links to each domain, site, and organizational unit in Group Policy Management Console. The settings deployed by GPOs linked to higher containers (parent container) in Active Directory are inherited by default to child containers and combine with any settings deployed in GPOs linked to child containers. If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence sets the setting. GPO processing is based on a last writer wins model, and GPOs that are processed later have precedence over GPOs that are processed sooner. Group Policy objects are processed according to the following order:
  1. The local Group Policy object (LPGO) is applied.
  2. GPOs linked to sites.
  3. GPOs linked to domains
  4. GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units.
Links to a specific site, domain, or organizational unit are applied in reverse sequence based on link order. For example, a GPO with Link Order 1 has highest precedence over other GPOs linked to that container.
You can view the precedence order of GPOs for a given site, domain or organizational unit by navigating to the Group Policy Inheritance tab for any site, domain, or organizational unit. Note that when looking on the Group Policy Inheritance tab for a domain or organizational unit, GPOs linked to sites are not shown. This is the specific site that a computer is in is not known ahead of time. Also, when viewing a site, the only difference between the Group Policy Inheritance tab and the Linked Group Policy Objects tab is that the former takes into account the enforcement (described below) attribute.
For more background information about GPO link processing and precedence, including the default order for processing, see Group Policy processing and precedence.
You can further control precedence and how GPO links are applied to specific domains, sites, or organizational units by doing the following:

Changing the link order

Within each domain, site, and organizational unit, the link order controls when links are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. The link with the higher order (with 1 being the highest order) has the higher precedence for a given site, domain, or organizational unit. For example, if you add six GPO links and later decide that you want the last one that you added to have highest precedence, you can move the GPO link to the top of the list.

Blocking Group Policy inheritance

You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied.

Enforcing a GPO link

You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was known as "No override."

Disabling a GPO link

By default, processing is enabled for all GPO links. You can completely block the application of a GPO for a given site, domain, or organizational unit by disabling the GPO link for that domain, site, or organizational unit. Note that this does not disable the GPO itself, and if the GPO is linked to other sites, domains or organizational units, they will continue to process the GPO, if their links are enabled.
For more information about these tasks, see Control Group Policy Object Scope.
Important
  • GPO links set to enforce (no override) cannot be blocked.
  • The enforce and block inheritance options should be used sparingly. Casual use of these advanced features complicates troubleshooting.
In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters.

See Also


No comments:

Post a Comment