on these requirements, you could create a GPO for members of the Sales department and
another for members of the Engineering department. Then you could apply the GPOs to the
OU for each department. Another important concept you need to understand is that Group
Policy settings are hierarchical; that is, system administrators can apply Group Policy
settings at four different levels. These levels determine the GPO processing priority.
Local: Every Windows operating system computer has one Group Policy object that is
stored locally. This GPO functions for both the computer and user Group Policy processing.
Sites: At the highest level, system administrators can configure GPOs to apply to entire
sites within an Active Directory environment. These settings apply to all of the domains
and servers that are part of a site. Group Policy settings managed at the site level may apply
to more than one domain within the same forest. Therefore, they are useful when you want
to make settings that apply to all of the domains within an Active Directory tree or forest.
Domains: Domains are the third level to which system administrators can assign GPOs.
GPO settings placed at the domain level will apply to all of the User and Computer objects
within the domain. Usually, system administrators make master settings at the domain level.
Organizational Units: The most granular level of settings for GPOs is the OU level. By
configuring Group Policy options for OUs, system administrators can take advantage of the
hierarchical structure of Active Directory. If the OU structure is planned well, you will find
it easy to make logical GPO assignments for various business units at the OU level.
Based on the business need and the organization of the Active Directory environment,
system administrators might decide to set up Group Policy settings at any of these four
levels. Because the settings are cumulative by default, a User object might receive policy
settings from the site level, from the domain level, and from the OUs in which it is contained.
You can also apply Group Policy settings to the local computer (in which
case Active Directory is not used at all), but this limits the manageability of
the Group Policy settings.
Group Policy Inheritance
In most cases, Group Policy settings are cumulative. For example, a GPO at the domain
level might specify that all users within the domain must change their password every 60
days, and a GPO at the OU level might specify the default desktop background for all users
and computers within that OU. In this case, both settings apply, so users within the OU are
forced to change their password every 60 days and have the default Desktop setting.
What happens if there's a conflict in the settings? For example, suppose you create a
scenario where a GPO at the site level specifies that users are to use red wallpaper and
another GPO at the OU level specifies that they must use green wallpaper. The users at
the OU layer would have green wallpaper by default. Although hypothetical, this raises an
important point about inheritance. By default, the settings at the most specific level (in this
case, the OU that contains the User object) override those at more general levels. As a friend
of mine from Microsoft always says, “Last one to apply wins.”
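The default processing order described above, modelled as an added example (not from the original text): it merges GPOs in local, site, domain, OU order and reports which GPO wins each setting and which ones it overrode. The GPO names and setting keys are hypothetical, the local GPO's value is constructed, and only the default cumulative behaviour is modelled.

```python
from dataclasses import dataclass

# Processing order from the text: local, site, domain, then OUs.
LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GPO:
    name: str          # hypothetical GPO name
    level: str         # key of LEVEL_ORDER
    settings: dict     # hypothetical setting keys -> values
    ou_depth: int = 0  # OU GPOs only: 0 = top-level OU, higher = nested deeper


def resultant_policy(gpos):
    """Merge GPOs in processing order; return
    {setting: (value, winning_gpo, [overridden_gpos])}."""
    ordered = sorted(gpos, key=lambda g: (LEVEL_ORDER[g.level], g.ou_depth))
    result = {}
    for gpo in ordered:
        for key, value in gpo.settings.items():
            overridden = []
            if key in result:
                _, prev_winner, prev_overridden = result[key]
                overridden = prev_overridden + [prev_winner]
            result[key] = (value, gpo.name, overridden)  # last one to apply wins
    return result


def conflicts(result):
    """Settings defined by more than one GPO: the ones to review in an audit."""
    return {k: v for k, v in result.items() if v[2]}


# Constructed sample data based on the wallpaper and password examples in the text.
SAMPLE = [
    GPO("Sales-OU-GPO", "ou", {"wallpaper": "green"}),
    GPO("Domain-GPO", "domain", {"max_password_age_days": 60}),
    GPO("Site-GPO", "site", {"wallpaper": "red"}),
    GPO("Local-GPO", "local", {"wallpaper": "blue"}),  # constructed, not in the text
]

if __name__ == "__main__":
    for setting, (value, winner, overridden) in resultant_policy(SAMPLE).items():
        print(f"{setting} = {value!r} from {winner}; overridden: {overridden or 'none'}")
```

The `conflicts` view is the useful part when reviewing a security baseline: it lists every setting where a more specific GPO silently replaced a value set at a broader level.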
 