Friday, December 03, 2004

Group Policy Inheritance and Scope

Group Policy is pretty well defined; it's so well defined that its outcome can be predicted in all cases. Unfortunately, there are so many different ways things can occur that prediction can get complicated if you complicate your GP settings.

I'm going to share the inheritance model with you.

The best way to think about it is that the policy closest to the object (user or computer) will take precedence. So OU policies supersede Site policies, which supersede Domain policies. There are some exceptions to this rule:

  • The local computer policy is always overridden by any other policy

  • If the policy prevents overruling (i.e. it's enforced), then it will supersede any policy below it. Doing this will make it harder to debug what's going on, though, and especially in an SBS environment it's not really needed

Keep in mind that a GPO only makes changes to the objects that are in its container.

Another thing to keep in mind is the link order. At each level (Domain/Site/OU) each policy has a link order. GPOs are processed in link order, i.e. link 1 is first, link 2 is second, etc.

Finally, inside a Group Policy, the Computer side of the GPO is processed before the User side, so if you make a change in either side, the Computer side will take precedence over the User side. This one is handy to know if you've got roaming users inside your network.
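
When prediction gets complicated, the domain can report which links actually reach a container. The following is an added example, not part of the original post: it uses the GroupPolicy PowerShell module (installed with the Group Policy Management Console) to list direct and inherited links, their link order, and which ones are enforced. The function name `Get-GpoLinkReport` and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example: report the GPO links that reach one container, as the domain sees them.
Import-Module GroupPolicy

function Get-GpoLinkReport {
    param(
        # Distinguished name of the domain or OU to inspect.
        [Parameter(Mandatory = $true)][string]$Target
    )

    $som = Get-GPInheritance -Target $Target

    # Blocked inheritance is one of the settings that makes outcomes hard to debug.
    Write-Host ("Inheritance blocked on {0}: {1}" -f $som.Path, $som.GpoInheritanceBlocked)

    # GUIDs of GPOs linked directly on this container, used to label each row below.
    $direct = @($som.GpoLinks | ForEach-Object { $_.GpoId })

    # InheritedGpoLinks holds every link reported for the container,
    # both links made on it and links that flow down from above.
    foreach ($link in ($som.InheritedGpoLinks | Sort-Object Order)) {
        [pscustomobject]@{
            Order    = $link.Order
            GPO      = $link.DisplayName
            LinkedAt = $link.Target
            Source   = if ($direct -contains $link.GpoId) { 'Direct' } else { 'Inherited' }
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
        }
    }
}

# Assumption: placeholder OU; replace with a distinguished name from your own domain.
$report = Get-GpoLinkReport -Target 'OU=ExampleOU,DC=example,DC=local'
$report | Format-Table -AutoSize

# Enforced links are worth reviewing on their own.
$report | Where-Object { $_.Enforced } | Format-Table GPO, LinkedAt -AutoSize

# Resultant Set of Policy for the logged-on user and this computer.
Get-GPResultantSetOfPolicy -ReportType Html -Path (Join-Path $env:TEMP 'rsop.html')
```

Running `gpresult /r` on an affected machine shows the applied GPOs for that computer and user without needing the module.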