Because OUs can be nested, so can the GPOs applied to them. When possible, your OU
structure should be designed so that policies defined in GPOs linked to the top-level OU apply
to all objects in that OU. GPOs applied to nested OUs should be used for exceptions to policies
set at the higher level OU or when certain computers or users require more restrictive policies.
For example, all full-time employees in the Engineering Department need complete access to
Control Panel, but part-time employees should be restricted from using it. You can configure a
policy allowing Control Panel access in a GPO linked to the Engineering OU. Then you create
an OU under the Engineering OU that contains part-time employees' accounts and link a GPO
to it that restricts use of Control Panel.
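The Engineering example above, as an added PowerShell example that is not from the textbook: it builds the parent-OU policy and the nested exception OU with the ActiveDirectory and GroupPolicy modules (RSAT on a domain-joined administrative host). The OU names, the GPO names and the use of the Explorer NoControlPanel policy value are assumptions made for illustration, not values from the book.

```powershell
# Added example, not from the textbook: Engineering gets Control Panel access,
# a nested PartTime OU gets a more restrictive GPO. OU names, GPO names and the
# NoControlPanel policy value are assumed for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN    = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local
$EngOU       = "OU=Engineering,$DomainDN"                # assumed to exist already
$PartOU      = "OU=PartTime,OU=Engineering,$DomainDN"    # child OU for the exception
$ExplorerKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# 1. Create the nested OU that will hold the part-time accounts (idempotent).
try   { Get-ADOrganizationalUnit -Identity $PartOU -ErrorAction Stop | Out-Null }
catch { New-ADOrganizationalUnit -Name "PartTime" -Path $EngOU }

# Helper: return an existing GPO by name, or create it if it does not exist.
function Get-OrNewGpo([string]$Name) {
    try   { Get-GPO -Name $Name -ErrorAction Stop }
    catch { New-GPO -Name $Name }
}

# 2. GPO linked to the parent OU: Control Panel allowed (NoControlPanel = 0).
$allow = Get-OrNewGpo "Eng-ControlPanel-Allowed"
Set-GPRegistryValue -Name $allow.DisplayName -Key $ExplorerKey `
    -ValueName "NoControlPanel" -Type DWord -Value 0 | Out-Null
New-GPLink -Name $allow.DisplayName -Target $EngOU -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null          # silent if already linked

# 3. GPO linked to the child OU: Control Panel prohibited (NoControlPanel = 1).
#    The child-OU link is processed after the parent's, so it wins the conflict.
$deny = Get-OrNewGpo "Eng-PartTime-ControlPanel-Denied"
Set-GPRegistryValue -Name $deny.DisplayName -Key $ExplorerKey `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null
New-GPLink -Name $deny.DisplayName -Target $PartOU -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# 4. Show the links the PartTime OU actually receives, in precedence order
#    (the same information as the Group Policy Inheritance tab in GPMC).
(Get-GPInheritance -Target $PartOU).InheritedGpoLinks |
    Format-Table DisplayName, Target, Enforced, Order -AutoSize
```

The final listing is the quickest way to confirm that the exception is wired as intended: both GPOs should appear for the PartTime OU, with the child-OU link ahead of the parent-OU link, and only the parent-OU link should appear for any other child of Engineering.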
Changing Default GPO Inheritance Behavior
By default, GPO inheritance is enabled and settings linked to a parent object are applied to all
child objects. Therefore, settings in a GPO linked to the domain object are inherited by all OUs
and their child objects in the domain. Settings in a GPO linked to the site are inherited by all
objects in that site. To see where policies are inherited from, select a container in the left pane of
GPMC and click the Group Policy Inheritance tab in the right pane. There are several ways to
affect GPO inheritance:
• Blocking inheritance
• Enforcing inheritance
• GPO filtering
• Loopback policy processing
Blocking GPO Inheritance Although the default inheritance behavior is suitable for most
situations, as with NTFS permission inheritance, sometimes you need an exception to the
default. One method is blocking GPO inheritance, which prevents GPOs linked to parent
containers from affecting child containers. To block GPO inheritance, in GPMC, right-click the
child domain or OU and click Block Inheritance. You can block inheritance on a domain or an OU.
On a domain object, this setting blocks GPO inheritance from a site, and on an OU, it blocks
inheritance from parent OUs (if any), the domain, and the site. If inheritance blocking is enabled,
the OU or domain object is displayed with a blue exclamation point. Inheritance blocking should
be used sparingly; if you find that you need to block GPO inheritance frequently, it's an
indication that your OU design is probably flawed and should be reexamined.
What happens if you have a nested OU and want to block GPO inheritance from its parent
OU, but you still want domain- and site-linked GPOs to apply? This is where GPO enforcement
comes in.
Enforcing GPO Inheritance When GPO inheritance is enforced by setting the Enforced
option, the GPO's settings are applied to all child objects, even if a GPO with conflicting settings
is linked to a container at a deeper level. In other words, a GPO that's enforced has the strongest
precedence of all GPOs in its scope. If multiple GPOs are enforced, the GPO that's highest in the
Active Directory hierarchy has the strongest precedence. For example, if a GPO linked to an OU
and a GPO linked to a domain are both set to be enforced, the GPO linked to the domain has
stronger precedence.
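The blocking and enforcing operations described in the two preceding sections, as an added PowerShell example that is not from the textbook: it blocks inheritance on a nested OU, enforces one domain-linked GPO so its settings still reach that OU, verifies the result, and then audits the domain for every OU that has Block Inheritance set (the check a reviewer wants, given the advice to block sparingly). The Advertising OU path and the GPO name "Security-Baseline" (assumed to be already linked at the domain) are assumptions.

```powershell
# Added example, not from the textbook: block inheritance on a nested OU,
# enforce a domain-linked GPO, verify, and audit. OU path and GPO name assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$AdvOU    = "OU=Advertising,OU=Marketing,$DomainDN"

# 1. Block inheritance on Advertising (GPMC: right-click the OU > Block Inheritance).
#    Non-enforced links from Marketing, the domain and the site stop applying here.
Set-GPInheritance -Target $AdvOU -IsBlocked Yes | Out-Null

# 2. Enforce the baseline GPO at the domain. An enforced link is not removed by
#    the block, and it beats any conflicting GPO linked at a deeper level.
#    (Set-GPLink modifies an existing link; the GPO must already be linked there.)
Set-GPLink -Name "Security-Baseline" -Target $DomainDN -Enforced Yes | Out-Null

# 3. Verify: InheritedGpoLinks is the effective list in precedence order. With the
#    block in place it holds only Advertising's own links plus enforced ones.
$inh = Get-GPInheritance -Target $AdvOU
"Block Inheritance on $($inh.Path): $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Format-Table DisplayName, Enforced, Order, Target -AutoSize

# 4. Audit: list every OU in the domain that blocks inheritance, with the number
#    of links that still reach it. A long list suggests the OU design needs review.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object  { $_.GpoInheritanceBlocked } |
    Select-Object Path, @{ n = 'EffectiveLinks'; e = { $_.InheritedGpoLinks.Count } } |
    Format-Table -AutoSize
```

Step 4 is worth running on a schedule: a new Block Inheritance flag on an OU silently removes domain-level security settings from everything beneath it, and this query surfaces that change without opening each OU in GPMC.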
Take a look at some examples of how blocking and enforcing GPO inheritance affect the
application of policies. Table 7-2 is similar to Table 7-1, except the Advertising OU has the Block
Inheritance option set. Figure 7-12 shows the relevant part of the Active Directory structure in GPMC.
Table 7-2   GPO inheritance and precedence: Example 2

GPO                     Linked to                              Policy              Setting
Default Domain Policy   Domain                                 Lock the Taskbar    Disabled
StMenuMktGPO            Marketing OU                           Lock the Taskbar    Enabled
StMenuAdvGPO            Advertising OU (Block Inheritance)     Lock the Taskbar    Not configured
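To make the rules from this section checkable without a domain, here is an added PowerShell example that is not from the textbook: a small offline model of how one policy setting is resolved along a container chain (site, domain, OU, nested OU) when Block Inheritance and Enforced are in play. It deliberately ignores security filtering, WMI filtering and loopback processing; the function name Resolve-GpoSetting and the data structure are my own, and the sample chain is constructed from Table 7-2.

```powershell
# Added example, not from the textbook: offline model of GPO precedence with
# Block Inheritance and Enforced. Simplified (no filtering, no loopback).
function Resolve-GpoSetting {
    param(
        # Containers ordered from outermost (site/domain) to the target OU.
        # Each: @{ Name; Block=$bool; Links=@(@{ Name; Order; Enforced; Settings=@{} }) }
        [Parameter(Mandatory)] [object[]] $Chain,
        [Parameter(Mandatory)] [string]   $Policy
    )
    $candidates = @()
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $c = $Chain[$i]
        # A Block Inheritance flag on any container deeper than this one discards
        # this container's non-enforced links (the blocking OU keeps its own links).
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $Chain.Count; $j++) {
            if ($Chain[$j].Block) { $blockedBelow = $true }
        }
        foreach ($link in @($c.Links)) {
            $value = $link.Settings[$Policy]
            if (-not $value -or $value -eq 'Not configured') { continue }   # contributes nothing
            if ($blockedBelow -and -not $link.Enforced)      { continue }   # removed by the block
            $candidates += [pscustomobject]@{
                Gpo      = $link.Name
                Depth    = $i
                Enforced = [bool]$link.Enforced
                Order    = $link.Order
                Value    = $value
            }
        }
    }
    if (-not $candidates) { return [pscustomobject]@{ Gpo = $null; Value = 'Not configured' } }

    # Enforced links beat all others; among enforced links the one highest in the
    # hierarchy (smallest Depth) wins. Otherwise the deepest container wins, and
    # within a container the lowest link Order wins.
    $enforced = $candidates | Where-Object { $_.Enforced }
    if ($enforced) {
        $win = $enforced | Sort-Object Depth, Order | Select-Object -First 1
    } else {
        $win = $candidates | Sort-Object @{ Expression = 'Depth'; Descending = $true }, Order |
               Select-Object -First 1
    }
    [pscustomobject]@{ Gpo = $win.Gpo; Value = $win.Value }
}

# Constructed from Table 7-2: Advertising OU has Block Inheritance set.
$chain = @(
    @{ Name = 'Domain';         Block = $false; Links = @(
        @{ Name = 'Default Domain Policy'; Order = 1; Enforced = $false
           Settings = @{ 'Lock the Taskbar' = 'Disabled' } }) },
    @{ Name = 'Marketing OU';   Block = $false; Links = @(
        @{ Name = 'StMenuMktGPO'; Order = 1; Enforced = $false
           Settings = @{ 'Lock the Taskbar' = 'Enabled' } }) },
    @{ Name = 'Advertising OU'; Block = $true;  Links = @(
        @{ Name = 'StMenuAdvGPO'; Order = 1; Enforced = $false
           Settings = @{ 'Lock the Taskbar' = 'Not configured' } }) }
)
Resolve-GpoSetting -Chain $chain -Policy 'Lock the Taskbar'

# Same structure with the domain link Enforced: it now survives the block.
$chain[0].Links[0].Enforced = $true
Resolve-GpoSetting -Chain $chain -Policy 'Lock the Taskbar'
```

Tracing the rules by hand gives the same two answers the function produces: with the Table 7-2 data the block on Advertising discards both parent links and StMenuAdvGPO is not configured, so the setting is not configured at all; once the Default Domain Policy link is marked Enforced it passes through the block and the setting resolves to Disabled. Editing the Block and Enforced flags in `$chain` is a cheap way to rehearse an OU design before touching a live domain.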