I'm going to share the inheritance model with you.
The best way to think about it, is the closest policy to the object (user or computer) will take precidence. So OU Policies superceed Site Policies, which superseed Domain Policies. There are some exceptions to this rule, they are:
- The local computer policy is always overrun by any other policy
- If the policy prevents overruling (ie it's enforced), then it will superseed any policy below it. Although doing this will make it harder to debug what's going on, especially in an SBS environment, it's not really needed
Keep in mind that a GPO only makes changes to the objects that are in it's container.
Another thing to keep in mind is the link order. At each leve (Domain/Site/OU) each Policy has a link order. GPOs are processed in the number of their link order. i.e. link 1 is first, link 2 is 2nd etc.
Finally, Inside a Group Policy, the Computer side of the GPO is processed before the User side, so if you make a change in either side, the Computer side will take precidence over the user side. This one is handy to know if you've got roaming users inside your network.
0 comments:
Post a Comment