A GPO is a collection of Group Policy settings that are essentially the files created by the Group Policy snap-in. The settings are stored at the domain level and affect users and computers contained in sites, domains, and OUs.
You can use GPOs to ensure that specific policy settings, user rights, and computer behavior apply to all client computers or users in an OU. Using Group Policy instead of a manual configuration process makes it simple to manage and update changes for many computers and users. Manual configuration is inefficient because it requires a technician to visit each client computer, and it is also potentially ineffective: if the policy settings in domain-based GPOs differ from those applied locally, the domain-based GPO settings will overwrite the locally applied settings.
Figure 1.2 GPO order of precedence
The previous figure shows the order of precedence in which GPOs are applied to a computer that is a member of the Child OU, from the lowest priority (1) to the highest priority (5). Group Policy is applied first from the local security policy of each workstation. After the local security policy is applied, GPOs are next applied at the site level, and then at the domain level.
For computers running Windows Server 2008, Windows Server 2003 SP2 or later, and Windows Vista SP1 or Windows XP Professional SP3 or later that are nested in several OU layers, GPOs are applied in order from the parent OU level in the hierarchy to the lowest child OU level. The final GPO is applied from the OU that contains the computer account. This order of GPO processing for Group Policy—local security policy, site, domain, parent OU, and child OU—is significant because settings in GPOs that are applied later in the process will overwrite settings applied earlier. Different values for the same setting configured in different GPOs are never combined. User GPOs are applied in the same manner.
The following considerations apply when you design Group Policy:
When multiple GPOs are linked to an OU, an administrator must set the order in which they are applied; otherwise, Group Policy applies them by default in the order in which they were linked to the OU. The order of precedence for the GPOs linked to the currently selected OU is shown in the Link Order list in the GPMC. If the same setting is configured in multiple policies, the policy that is highest in the list for that container takes precedence.
You may configure a GPO with the Enforced option. If you select this option, other GPOs cannot override the settings that are configured in this GPO.
Group Policy settings apply to users and computers, and are based on where the user or computer object is located in AD DS. In some cases, user objects may need policy applied to them based on the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply user Group Policy settings based on which computer the user is logged on to. The "Loopback Processing of Group Policy" article provides more information about this option.
You may configure an Active Directory site, domain, or OU with the Block policy inheritance option. This option blocks GPO settings from GPOs that are higher in the Active Directory hierarchy unless they have the Enforced option selected. In other words, the Enforced option has precedence over the Block policy inheritance option.
Note: Administrators should only use the Enforced option and the Block policy inheritance option with utmost care because enabling these options can make troubleshooting GPOs difficult and cumbersome.
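The processing order described above (local security policy, site, domain, parent OU, child OU) and the three design considerations (Link Order, Enforced, Block policy inheritance) can be checked against a small model. The following Python script is an added example and is not part of this guide or of any Microsoft tool; the hierarchy, GPO names and setting values in it are constructed for illustration. Two details it relies on are not stated on this page and are taken from how Windows resolves policy: the local security policy is still processed when a container blocks inheritance, and where two Enforced links conflict, the one linked higher in the hierarchy wins.

```python
"""Model of Group Policy precedence: local policy, site, domain, parent OU and child OU,
Link Order within a container, the Enforced link option and Block policy inheritance."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]      # setting name -> configured value
    enforced: bool = False           # "Enforced" set on the link


@dataclass
class Container:
    """A site, domain or OU with its linked GPOs in Link Order (index 0 = link order 1)."""
    name: str
    links: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False  # "Block policy inheritance" set on this container


def application_order(local_gpo: GPO, chain: List[Container]) -> List[GPO]:
    """Return the GPOs in the order they are applied, first to last (a later GPO
    overwrites an earlier one). chain runs from the site, through the domain and
    parent OUs, down to the OU that holds the computer or user account."""
    # Block policy inheritance on the lowest container that sets it discards every
    # non-enforced link from the containers above it; the container's own links still apply.
    # Assumption (Windows behaviour, not stated in the guide): the local policy is never blocked.
    block_level = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal: List[GPO] = []
    enforced: List[Tuple[int, GPO]] = []
    for level, container in enumerate(chain):
        # Link order 1 has the highest precedence in its container, so it is applied last there.
        for gpo in reversed(container.links):
            if gpo.enforced:
                enforced.append((level, gpo))
            elif level >= block_level:
                normal.append(gpo)
    # Enforced links are applied after everything else. Assumption (Windows behaviour):
    # an enforced link higher in the hierarchy is applied after, and so beats, one further down.
    enforced.sort(key=lambda item: -item[0])   # stable sort keeps Link Order within a level
    return [local_gpo] + normal + [gpo for _, gpo in enforced]


def resultant_settings(order: List[GPO]) -> Dict[str, Tuple[object, str]]:
    """Resolve each setting to (value, winning GPO). Values are overwritten, never merged."""
    result: Dict[str, Tuple[object, str]] = {}
    for gpo in order:
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


def build_scenario(block_finance: bool) -> Tuple[GPO, List[Container]]:
    """Constructed hierarchy: site -> domain -> Workstations OU -> Finance OU (the child OU)."""
    local = GPO("Local Security Policy", {"ScreenSaverTimeout": 600})
    site = Container("Default-First-Site-Name", [GPO("SitePolicy", {"ScreenSaverTimeout": 900})])
    domain = Container("example.local", [
        GPO("DomainSecurity", {"MinimumPasswordLength": 14, "AuditLogon": "Success,Failure"},
            enforced=True),                                   # link order 1, Enforced
        GPO("Default Domain Policy", {"MinimumPasswordLength": 8, "ScreenSaverTimeout": 1200}),
        GPO("LegacyPolicy", {"MinimumPasswordLength": 7, "ScreenSaverTimeout": 1800}),
    ])
    workstations = Container("Workstations", [
        GPO("WorkstationBaseline",
            {"ScreenSaverTimeout": 300, "AuditLogon": "Failure", "RemoveRunMenu": True}),
    ])
    finance = Container("Finance", [
        GPO("FinanceLockdown", {"ScreenSaverTimeout": 120, "MinimumPasswordLength": 10}),
    ], block_inheritance=block_finance)
    return local, [site, domain, workstations, finance]


if __name__ == "__main__":
    for block in (False, True):
        local, chain = build_scenario(block)
        order = application_order(local, chain)
        print(f"Block policy inheritance on Finance: {block}")
        print("  applied in order:", " -> ".join(g.name for g in order))
        for setting, (value, winner) in sorted(resultant_settings(order).items()):
            print(f"  {setting} = {value!r}  (from {winner})")
```

Running the script shows the two effects the considerations warn about: without blocking, FinanceLockdown's password length of 10 is still overridden by the Enforced DomainSecurity GPO; with Block policy inheritance on Finance, the site, Default Domain Policy, LegacyPolicy and WorkstationBaseline settings disappear entirely, yet DomainSecurity still applies because Enforced has precedence over the block. On a real client the same resolved order is what the GPMC Group Policy Results wizard or gpresult reports.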