Using Group Policy Inheritance
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
It is often useful to define a corporate-standard GPO. As used here, corporate standard refers to policy settings that apply to a broad set of users in an organization. An example of where defining a corporate standard GPO might be appropriate is a business requirement that states: "Only specially authorized users can access the command prompt or the registry editor." Group Policy inheritance can help you apply these corporate standards while customizing settings for different groups of users.
One way to do this is to set the policy settings Prevent access to the command prompt, and Prevent access to registry editing tools in a GPO, such as the Standard User Policy GPO that is linked to an OU, such as the User Accounts OU. By default this will apply these settings to all users in that OU. Then create a GPO, such as an Administrator User Policy GPO, which explicitly allows administrators access to the command prompt and registry editing tools. Link the GPO to the Administrators OU, which overrides the settings configured in the Standard User Policy GPO. This approach is illustrated in Figure 2.7.
Figure 2.7 Standard User Policy GPO
If another group of users requires access to the command prompt, but not the registry, you can create another GPO that allows them to do so. Access to the registry editing tools is still denied because the new GPO does not override the registry tools setting made in the Standard User Policy GPO. Typically, a corporate standard GPO includes more settings and configuration options than those shown in the preceding illustration. For example, corporate standard Group Policy objects are typically used to achieve the following:
Remove all potentially harmful and nonessential functionality for users.
Define access permissions, security settings, and file system and registry permissions for member servers and workstations.
Typically, GPOs are assigned to the OU structure instead of the domain or site. If you structure your OU model around users, workstations, and servers, it is easier to identify and configure corporate standard settings. You can also disable either the user or computer portions of policy that do not apply, making Group Policy easier to manage.
When you set default values for security-related settings such as restricted group membership, file system access permissions, and registry access permissions, it is important to understand that these settings work on a last-writer-wins principle, and that the settings are not merged. The following example demonstrates this principle.
Example: Last-Writer-Wins Principle
An administrator creates a Default Workstations GPO that defines the membership of the local Power Users group as the Technical Support and Help Desk groups. The Business Banking group wants to add the Business Banking Support group to this list and creates a new Default Workstations GPO to do so. Unless the new GPO specifies that allthree groups are members of Power Users, only the Business Banking Support group has Power User rights on affected workstations.