8. Group Policy Link Enforcement
Microsoft provides administrators with many
ways to manage their infrastructure, including forcing configurations
down from the top. GPO link “enforcement,” historically known as No
Override, is an option of a GPO link that can be set to ensure that the
settings in a particular policy will be applied and maintained even if
another GPO has the same setting configured with a different value. GPO
link enforcement is shown in Figure 2.
Figure 2. Group policy link enforcement.
Because this might result in undesired
functionality or a different level of security than what is required to
run a particular service or application or manage a system, exercise
caution when using this function. Before enabling GPO enforcement on any
policy, carefully research and test to ensure that this will not break
any functionality or violate an organization’s IT or regulatory policy.
9. Group Policy Inheritance
GPOs can be linked at the site, domain, and
multiple OU levels. When an Active Directory infrastructure contains
GPOs linked at the domain level, for example, every container and OU
beneath the domain root container inherits any linked policies. As a
default example, the Domain Controllers OU inherits the default domain
policy from the domain.
GPO inheritance enables
administrators to set a common base policy across an Active Directory
infrastructure while allowing other administrators to apply more
granular policies at a lower level that apply to subsets of users or
computers. As an example of this, a GPO can be created and linked at the
domain level that restricts all users from running Windows Update,
while an OU representing a branch office in the domain can have a GPO
linked that enables the branch office desktop administrators security
group to run Windows Update.
GPO links inherited from parent containers are processed before the GPO links on the container itself; when multiple GPOs configure the same setting with different values, the value from the last-applied policy is the one that takes effect. This Group Policy inheritance is also known as GPO precedence, and is shown in Figure 3.
Figure 3. Group Policy inheritance.
One important point to note: Group Policy processing starts with the highest number in the precedence order, and the policy with precedence 1 is processed last so that its settings are applied and not overwritten. In the example shown in Figure 3, the enforced policy from the domain is processed last.
10. Group Policy Block Inheritance
Just as GPOs can be inherited, Active Directory also provides the option to block inheritance of all GPOs from parent containers, as shown in Figure 4. Comparing Figure 4 with Figure 3 shows which policies are no longer inherited, while the enforced parent policy is still applied. So, administrators who are granted the rights to manage Group Policy links on particular organizational units may decide to block inheritance, but policies enforced at a parent organizational unit or at the domain will still be applied.
Figure 5. Group Policy Block Inheritance.
Block Inheritance is actually an option applied to an Active Directory domain or organizational unit within the Group Policy Management Console, not to an actual policy. The Block Inheritance option can be useful if the container holds user or computer objects that are very security sensitive or business critical. As an example of this option in use, an OU can be created to contain the Remote Desktop Services host systems, which would not function correctly if domain-level GPOs were applied. The OU can be configured to block inheritance to ensure that only the policies linked to that particular OU are applied. If GPOs need to be applied to this container, links would need to be created at that particular container level, or the GPO link from the parent container would need to be enforced, which overrides the Block Inheritance setting, as shown in Figure 4.
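As an added example that is not part of the original article, the following PowerShell audits the behaviour described in sections 9 and 10: it lists every OU that blocks inheritance, shows which enforced parent links (No Override) still reach it, and checks whether a named baseline GPO still applies to a given OU. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed; the function names are my own.

```powershell
# Added example (not from the original article): audit OUs that block
# inheritance and confirm which parent GPO links still reach them.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules and a
# domain-joined session with read access to GPOs and OUs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-BlockedInheritanceReport {
    param(
        # Domain to audit; defaults to the domain of the current session.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $Domain) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName -Domain $Domain
        if (-not $inh.GpoInheritanceBlocked) { continue }

        # With Block Inheritance set, the only parent links that still show
        # up in InheritedGpoLinks are those marked Enforced; the OU's own
        # links (GpoLinks) are always present. Order 1 = highest precedence.
        $fromParents = $inh.InheritedGpoLinks |
            Where-Object { $_.Target -ne $ou.DistinguishedName }

        [pscustomobject]@{
            OU                 = $ou.DistinguishedName
            EnforcedFromParent = ($fromParents | Where-Object Enforced |
                                  Select-Object -ExpandProperty DisplayName) -join '; '
            LocalLinks         = ($inh.GpoLinks | Sort-Object Order |
                                  Select-Object -ExpandProperty DisplayName) -join '; '
        }
    }
}

function Test-BaselineReachesOu {
    param(
        [Parameter(Mandatory)][string]$GpoName,   # e.g. a domain-level baseline GPO
        [Parameter(Mandatory)][string]$OuDn,      # DN of the OU to check
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # True when the GPO is in the OU's effective link list: either linked
    # locally, or inherited (which, under Block Inheritance, requires the
    # parent link to be Enforced, as described in section 10).
    $inh = Get-GPInheritance -Target $OuDn -Domain $Domain
    return [bool]($inh.InheritedGpoLinks | Where-Object DisplayName -eq $GpoName)
}

# Usage: Get-BlockedInheritanceReport | Format-Table -AutoSize
# Usage: Test-BaselineReachesOu -GpoName 'Default Domain Policy' -OuDn 'OU=RDS Hosts,DC=example,DC=local'
```

A baseline that must survive Block Inheritance everywhere should be made enforced at its link with `Set-GPLink -Name <GPO> -Target <DN> -Enforced Yes`; the report above makes a gap in that coverage visible.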