White Paper Abstract
Page 3/16 | Date: 26.12.2019 | Size: 4,15 Mb. | #5115
By default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container. Group Policy objects are processed according to the following order:
1. The local Group Policy object (LGPO) is applied (see the Local Group Policy section for details).
2. GPOs linked to sites.
3. GPOs linked to domains.
4. GPOs linked to organizational units (OUs). In the case of nested OUs, GPOs associated with parent OUs are processed prior to GPOs associated with child OUs.
This order of GPO processing – local, site, domain, OU – is significant because policy applied later overwrites policy applied earlier.
You can enforce the Group Policy settings in a specific Group Policy object by using the No Override option so that GPOs in lower-level Active Directory containers are prevented from overriding that policy. For example, if you have defined a specific GPO at the domain level and specified the No Override option, the policies that the GPO contains apply to all OUs under that domain; that is, the lower-level containers (OUs) cannot override that domain Group Policy.
You can also block inheritance of Group Policy from parent Active Directory containers by using the Block policy inheritance option. For example, if you specify the Block policy inheritance option for an OU, this prevents policy in higher-level Active Directory containers (such as a higher-level OU or domain) from applying. However, No Override policy options always take precedence.
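The following added example (not part of the white paper) models the processing order, No Override and Block policy inheritance rules described above as a small resolver that reports which GPO wins each setting. All container, GPO and setting names are constructed, and treating the local GPO as exempt from blocking is an assumption, since it is not an Active Directory container.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False          # the "No Override" option

@dataclass
class Container:
    kind: str                          # "local", "site", "domain" or "ou"
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False    # the "Block policy inheritance" option

def effective_policy(chain):
    """chain is in processing order: local, site, domain, parent OU, ..., child OU.
    Returns {setting: (value, name of the winning GPO)}."""
    # The lowest container that blocks inheritance cuts off everything above it.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    result = {}
    # Pass 1: ordinary GPOs in processing order; later writes replace earlier ones.
    for i, c in enumerate(chain):
        # Assumption: the local GPO is not an AD container, so it is never blocked.
        blocked = i < cutoff and c.kind != "local"
        for g in c.gpos:
            if not g.no_override and not blocked:
                result.update({k: (v, g.name) for k, v in g.settings.items()})
    # Pass 2: No Override GPOs, lowest level first, so the highest-level one
    # is written last and nothing below it can override it.
    for c in reversed(chain):
        for g in c.gpos:
            if g.no_override:
                result.update({k: (v, g.name) for k, v in g.settings.items()})
    return result

def sample_chain():
    """Constructed hierarchy; every name and setting here is made up."""
    return [
        Container("local", "workstation", [GPO("Local GPO", {"ControlPanel": "visible"})]),
        Container("site", "HQ", [GPO("Site Proxy", {"Proxy": "hq-proxy"})]),
        Container("domain", "example.test", [
            GPO("Domain Security", {"RemovableStorage": "deny"}, no_override=True),
            GPO("Domain Desktop", {"ScreenSaverTimeout": 900, "ControlPanel": "hidden"}),
        ]),
        Container("ou", "Engineering", [GPO("Eng", {"ScreenSaverTimeout": 600})], block_inheritance=True),
        Container("ou", "Labs", [GPO("Labs", {"RemovableStorage": "allow", "ScreenSaverTimeout": 300})]),
    ]

if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_policy(sample_chain()).items()):
        print(f"{setting} = {value}   (from {source})")
```

In this sample the Engineering OU blocks inheritance, so the unenforced domain and site settings never reach the Labs OU, while the domain GPO marked No Override still wins over the child OU's conflicting value.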
Figure 1 below shows a sample domain structure to illustrate how Group Policy objects can be applied to containers in the Active Directory.
Figure 2. Group Policy and the Active Directory