Group Policy Inheritance

Group Policy can be applied to users and computers at a site, domain, or OU. GPOs from parent containers are inherited by default. When multiple GPOs apply to these users and computers, the settings in the GPOs are aggregated. For most policy settings, the final value of a given policy setting is set only by the highest precedent GPO that contains that setting. (However, the final value for a few settings will actually be the combination of values across GPOs.) Precedence of GPOs determined by the order of processing for the GPOs. GPOs processed last have highest precedence. GPOs follow the SDOU rule for processing; site first, then domain and followed by OU including nested OUs. A nested OU is one that has another OU as its parent. In the case of nested OUs, GPOs associated with parent OUs are processed prior to GPOs associated with child OUs. In this processing order, sites are applied first but have the least precedence. OUs are processed last and have the highest precedence.

There are several Group Policy options that can alter this default inheritance behavior. These options include:

Link Order – the precedence order for GPOs linked to a given container. The GPO link with Link Order of 1 has highest precedence on that container.

Block Inheritance – the ability to prevent an OU or domain from inheriting GPOs from any of its parent container. Note that Enforced GPO links will always be inherited.

Enforcement – (previously known as “No Override”) the ability to specify that a GPO should take precedence over any GPOs that are linked to child containers. Enforcing a GPO link works by moving that GPO to the end of the processing order.

Link Status – determines if a given GPO link is processed or not for the container to which it is linked.
These items are described in more detail below.

If multiple GPOs are linked to the same container and have settings in common, there must be a mechanism for reconciling the settings. This behavior is controlled by the link order. The lower the link order number, the higher the precedence. Information about the links for a given container are shown on the Linked Group Policy Objects tab of a given container, as in Figure 8. This pane shows if the link is enforced, if the link is enabled, the status of the GPO, if a WMI Filter is applied, when it was modified, and the domain container where it is stored. An administrator or users that have been delegated permissions to link GPOs to the container can change the link order by highlighting a GPO link and using the up and down arrows to move the link higher or lower in the link order list.



GPOs are inherited from parent containers. For example, a GPO linked to an OU will be inherited by child OUs. The Group Policy Inheritance tab for a given container shows all GPOs (except for GPOs linked to sites) that would be inherited from parent containers, as shown in Figure 9. The precedence column on this tab shows the overall precedence for all the links that would be applied to objects in that container, taking into account both Link Order and the Enforcement attribute of each link, as well as Block Inheritance on any SOMs. Note that the Group Policy Inheritance tab does NOT show the impact of GPOs linked to sites, because it is not possible to determine which site would apply, unless a particular target computer is identified.

It is possible to prevent containers from inheriting GPOs linked to parent containers by blocking the inheritance on the OU or domain. Blocking inheritance on a container will prevent all GPOs from parent containers from applying to the blocked container, except for GPOs that are marked as Enforced. Administrators can right-click the domain or OU and select Block Inheritance from the context menu to set GPO blocking on the container. If inheritance is blocked for an OU or domain, its icon will appear with a blue exclamation mark in the console tree.

An administrator can prevent the settings in a GPO linked to a container from being overwritten by settings linked to GPOs in child containers (which normally would have higher precedence) by setting the GPO link to Enforced (formerly known as No Override). This also will prevent the GPO link from being blocked at containers that have been set to Block Inheritance. GPO-links that are enforced appear with a gray padlock icon in both the console tree and in the details pane.

A GPO link can be set to Enabled to allow it to be processed. If the link is not set to Enabled, processing of the linked GPO is disabled. The GPO link can be either enabled or disabled by right-clicking the link and selecting the Link Enabled option. A check beside this option indicates that the link is enabled and will be processed.

0 comments: