Although the default behavior is for settings to be cumulative and inherited, system
administrators can modify this behavior. They can set two main options at the various
levels to which GPOs might apply.
Block Policy Inheritance: The Block Policy Inheritance option specifies that Group Policy
settings for an object are not inherited from its parents. You might use this, for example,
when a child OU requires completely different settings from a parent OU. Note, however,
that you should manage blocking policy inheritance carefully because this option allows
other system administrators to override the settings made at higher levels.
Force Policy Inheritance: The Enforced option (sometimes referred to as No Override)
can be placed on a parent object, and it ensures that all lower-level objects inherit these
settings. In some cases, system administrators want to ensure that Group Policy inheritance
is not blocked at other levels. For example, suppose it is corporate policy that all network
accounts are locked out after five incorrect password attempts. In this case, you would not
want lower-level system administrators to override the option with other settings.
System administrators generally use this option when they want to enforce a specific
setting globally. For example, if a password expiration policy should apply to all users and
computers within a domain, a GPO with the Force Policy Inheritance option enabled could
be created at the domain level.
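One way to audit the two options described above is with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original text; it assumes both RSAT modules are installed and that the account running it can read GPO links.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: audit Block Inheritance and Enforced links across all OUs.

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $dn  = $ou.DistinguishedName
    $som = Get-GPInheritance -Target $dn

    # InheritedGpoLinks is the resultant list for this OU. Entries whose Target
    # is another container arrived by inheritance from a parent OU or the domain.
    $fromAbove = @($som.InheritedGpoLinks | Where-Object { $_.Target -ne $dn })

    # With blocking on, only Enforced links from above should remain in that list.
    $enforced = @($fromAbove | Where-Object { $_.Enforced })

    [pscustomobject]@{
        OU                 = $dn
        InheritanceBlocked = $som.GpoInheritanceBlocked
        LinkedHere         = @($som.GpoLinks).DisplayName -join '; '
        EnforcedFromAbove  = $enforced.DisplayName -join '; '
        InheritedCount     = $fromAbove.Count
    }
}

# OUs that opt out of parent policy: review each one against change records.
$report | Where-Object InheritanceBlocked |
    Format-Table OU, EnforcedFromAbove, LinkedHere -AutoSize

# Blocked OUs that no Enforced GPO reaches receive nothing from higher levels,
# so a domain-wide baseline linked without Enforced does not apply there.
$report | Where-Object { $_.InheritanceBlocked -and -not $_.EnforcedFromAbove } |
    Select-Object -ExpandProperty OU
```

The same module changes these settings with Set-GPInheritance (the -IsBlocked parameter) and Set-GPLink (the -Enforced parameter).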
You must consider one final case: If a conflict exists between the computer and user
settings, the user settings take effect. If, for instance, a system administrator applies a
default desktop setting for the Computer policy and a different default desktop setting for
the User policy, the one they specify in the User policy takes effect. This is because the
user settings are more specific, and they allow system administrators to make changes for
individual users regardless of the computer they're using.
Planning a Group Policy Strategy
Through the use of Group Policy settings, system administrators can control many different
aspects of their network environment. As you'll see throughout this chapter, system
administrators can use GPOs to configure user settings and computer configurations. Windows
Server 2012 R2 includes many different administrative tools for performing these tasks.
However, it's important to keep in mind that, as with many aspects of using Active
Directory, a successful Group Policy strategy involves planning.
Because there are thousands of possible Group Policy settings and many different
ways to implement them, you should start by determining the business and technical
needs of your organization. For example, you should first group your users based on their
work functions. You might find, for example, that users in remote branch offices require
particular network configuration options. In that case, you might implement Group Policy
settings best at the site level. In another instance, you might find that certain departments
have varying requirements for disk quota settings. In this case, it would probably make the
most sense to apply GPOs to the appropriate department OUs within the domain.
The overall goal should be to reduce complexity (for example, by reducing the overall
number of GPOs and GPO links) while still meeting the needs of your users. By taking into
 