Group Policy
Inheritance
GPOs can be linked at the
site, domain, and multiple OU levels. When an Active Directory
infrastructure contains GPOs linked at the domain level, as an example,
every container and OU beneath the domain root container inherits any
linked policies. As a default example, the “Domain Controllers” OU
inherits the default domain policy from the domain.
GPO inheritance allows
administrators to set a common base policy across an Active Directory
infrastructure while allowing other administrators to apply more
granular policies at a lower level that apply to subsets of users or
computers. As an example of this, a GPO can be created and linked at the
domain level that restricts all users from running Windows Update,
while an OU representing a branch office in the domain can have a GPO
linked that enables the branch office desktop administrators security
group to run Windows Update.
GPO links inherited from
parent containers are processed before GPO links at the container
itself, and the last applied policy setting value is the resulting
value, if multiple GPOs have the same configured setting with different
values. This Group Policy inheritance is also known as GPO precedence
and is shown in Figure 3.
Group Policy Block
Inheritance
Just as GPOs can be
inherited, Active Directory also provides the option to block
inheritance, as shown in Figure 4, of all GPOs from parent containers. This is actually
an option applied to an Active Directory domain or organizational unit
within the Group Policy Management Console and not on a GPO. This option
can be useful if the container contains users and/or computer objects
that are very security sensitive or business critical. As an example of
this option in use, an OU can be created to contain the Remote Desktop
Services host systems, which would not function correctly if
domain-level GPOs were applied. The OU can be configured to block
inheritance to ensure that only the policies linked to the particular OU
were applied. If GPOs need to be applied to this container, links would
need to be created at that particular container level, or the GPO link
from the parent container would need to be enforced, which would
override the block inheritance setting.
Group Policy Order of
Processing
GPOs can be linked at many
different levels and in many Active Directory infrastructures; multiple
GPOs are linked at the same OU or domain level. This is a very common
practice because this particular configuration follows a GPO
best-practice recommendation, of creating separate GPOs for a particular set of functions. As
GPOs are processed one at a time, the GPO links are processed in a
particular order starting with GPOs inherited from parent containers
followed by the order of policies that were linked to that container.
The resulting impact of this processing order is that when multiple GPOs contain the same
configured setting, the last GPO applied provides the resulting setting
value. As an example of this, if two GPOs are linked at the domain
level, named GPO1 and GPO2, and GPO1 has a configured setting of “Remove
Task Manager” set to disabled and GPO2 has the same setting set to
enabled, the end result is enabled for that setting. To fully understand
what the end resulting policy will be in a container that has multiple
GPOs linked and inherited, the Resultant Set of Policy tool should be
run in Planning mode from the Active Directory Users and Computers
console or Group Policy Modeling can be run from the GPMC console.
Resultant Set of Policies will provide a console showing the final
applied policy settings. Group Policy Modeling will go further and
provide a report detailing which policies were applied, in which order
the policies were applied, and the resulting policy settings. One easy way to understand this is
to know that when looking at a particular Active Directory container in
GPMC, the group policy link order and the group policy precedence order
are processed from the highest number down. This means that the group
policy that has a link order of 1 will always be processed last by
objects within that container.
