
Windows Server 2008 R2 : Elements of Group Policy (part 3)

3/8/2011 10:17:51 PM

Group Policy Inheritance

GPOs can be linked at the site, domain, and multiple OU levels. When an Active Directory infrastructure contains GPOs linked at the domain level, for example, every container and OU beneath the domain root container inherits those linked policies. By default, for instance, the “Domain Controllers” OU inherits the default domain policy from the domain.

GPO inheritance allows administrators to set a common base policy across an Active Directory infrastructure while allowing other administrators to apply more granular policies at a lower level that apply to subsets of users or computers. As an example of this, a GPO can be created and linked at the domain level that restricts all users from running Windows Update, while an OU representing a branch office in the domain can have a GPO linked that enables the branch office desktop administrators security group to run Windows Update.

GPO links inherited from parent containers are processed before GPO links at the container itself. If multiple GPOs configure the same setting with different values, the last applied value is the resulting value. This Group Policy inheritance is also known as GPO precedence and is shown in Figure 3.

Figure 3. Examining Group Policy precedence.

Group Policy Block Inheritance

Just as GPOs can be inherited, Active Directory also provides the option to block inheritance of all GPOs from parent containers, as shown in Figure 4. This option is applied to an Active Directory domain or organizational unit within the Group Policy Management Console, not to a GPO. It can be useful if the container holds user and/or computer objects that are very security sensitive or business critical. As an example of this option in use, an OU can be created to contain the Remote Desktop Services host systems, which would not function correctly if domain-level GPOs were applied. The OU can be configured to block inheritance to ensure that only the policies linked to that particular OU are applied. If GPOs need to be applied to this container, links would need to be created at that particular container level, or the GPO link from the parent container would need to be enforced, which would override the block inheritance setting.

Figure 4. Blocking GPO inheritance.

Group Policy Order of Processing

GPOs can be linked at many different levels, and in many Active Directory infrastructures multiple GPOs are linked at the same OU or domain level. This is a very common practice because it follows a GPO best-practice recommendation of creating separate GPOs for a particular set of functions. Because GPOs are processed one at a time, the GPO links are processed in a particular order, starting with GPOs inherited from parent containers, followed by the policies linked to that container in their link order. The result of this processing order is that when multiple GPOs contain the same configured setting, the last GPO applied provides the resulting setting value. As an example of this, if two GPOs are linked at the domain level, named GPO1 and GPO2, and GPO1 has a configured setting of “Remove Task Manager” set to disabled and GPO2 has the same setting set to enabled, the end result is enabled for that setting.

To fully understand what the end resulting policy will be in a container that has multiple GPOs linked and inherited, run the Resultant Set of Policy tool in Planning mode from the Active Directory Users and Computers console, or run Group Policy Modeling from the GPMC console. Resultant Set of Policy provides a console showing the final applied policy settings. Group Policy Modeling goes further and provides a report detailing which policies were applied, in which order the policies were applied, and the resulting policy settings.

One easy way to understand this is to know that when looking at a particular Active Directory container in GPMC, the group policy link order and the group policy precedence order are processed from the highest number down. This means that the group policy that has a link order of 1 will always be processed last by objects within that container.
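The processing rules from the three sections above (parent links first, link order 1 last, block inheritance, enforced links) can be modelled in a few lines; this is an added example, not code from the original article or from Microsoft. The container names, the "Baseline", "Branch Desktops" and "RDS Policy" GPOs, the link orders and the setting values are constructed, and the model ignores security filtering, WMI filters, disabled links and loopback processing. It also encodes one rule the article does not spell out: an enforced link wins over conflicting settings from lower containers.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int              # link order as shown in GPMC; 1 is processed last
    settings: dict
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(path):
    """path: containers from the domain root down to the target OU.
    Returns GPO links in the order they are applied; the last one wins."""
    normal, enforced = [], []
    for depth, c in enumerate(path):
        if c.block_inheritance:
            normal = []     # parent links are dropped unless they are enforced
        for link in sorted(c.links, key=lambda l: l.order, reverse=True):
            (enforced if link.enforced else normal).append((depth, link))
    # Enforced links are applied after all others; among enforced links the
    # one linked closest to the root is applied last (the stable sort keeps
    # the link order within one container).
    enforced.sort(key=lambda t: t[0], reverse=True)
    return [link for _, link in normal + enforced]

def resultant(path):
    """Returns {setting: (value, winning GPO)} for objects in the last container."""
    result = {}
    for link in processing_order(path):
        for setting, value in link.settings.items():
            result[setting] = (value, link.gpo)
    return result

# Constructed sample hierarchy; GPO2 is assumed to hold link order 1.
DOMAIN = Container("domain", [
    Link("GPO1", 2, {"Remove Task Manager": "Disabled"}),
    Link("GPO2", 1, {"Remove Task Manager": "Enabled"}),
    Link("Baseline", 3, {"Windows Update access": "Removed"}, enforced=True),
])
BRANCH = Container("Branch", [Link("Branch Desktops", 1, {"Remove Task Manager": "Disabled"})])
RDS = Container("RDS Hosts", [Link("RDS Policy", 1, {"Windows Update access": "Allowed"})],
                block_inheritance=True)

if __name__ == "__main__":
    for path in ([DOMAIN], [DOMAIN, BRANCH], [DOMAIN, RDS]):
        print(path[-1].name, [l.gpo for l in processing_order(path)], resultant(path))
```

In the "RDS Hosts" case the blocked OU still receives the enforced "Baseline" setting, which is the behaviour to check for when an OU with block inheritance must keep a security baseline.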
