Information Technology Reference
In-Depth Information
Figure 7-12
Relevant Active Directory structure
In Table 7-2, users in the Advertising OU aren't affected by GPOs linked to the Marketing
OU or the domain because inheritance is blocked. The Lock the Taskbar policy isn't configured
on the Advertising OU, so settings in local GPOs apply. If the policy isn't set in local GPOs, the
setting remains unchanged from its current state (whatever that might be). Table 7-3 uses the
same example, but with the Enforced option set on the Default Domain Policy.
Table 7-3
GPO inheritance and precedence: Example 3
GPO
Linked to
Policy
Setting
Default Domain Policy (
Enforced
)
Domain
Lock the Taskbar
Disabled
StMenuMktGPO
Marketing OU
Lock the Taskbar
Enabled
StMenuAdvGPO
Advertising OU (
Block Inheritance
)
Lock the Taskbar
Not configured
With the configuration shown in Table 7-3, the Lock the Taskbar policy is disabled for all
users in the domain because the Enforced option set on the Default Domain Policy takes prece-
dence over all other settings, including the Block Inheritance option on the Advertising OU. The
next example in Table 7-4 illustrates the effect of the Enforced option set on two GPOs.
Table 7-4
GPO inheritance and precedence: Example 4
GPO
Linked to
Policy
Setting
Default Domain Policy (
Enforced
)
Domain
Lock the Taskbar
Disabled
StMenuMktGPO (
Enforced
)
Marketing OU
Lock the Taskbar
Enabled
StMenuAdvGPO
Advertising OU
Lock the Taskbar
Not configured
When two GPOs have the Enforced option set, the GPO linked to the container highest in
the Active Directory hierarchy takes precedence. Therefore, as in the previous example, the Lock
the Taskbar policy is disabled for all users in the domain.
Remember that the Block Inheritance option is set on an OU or domain,
and the Enforced option is set on a GPO.
Search WWH ::
Custom Search