Defining the Scope of Application of Group Policy
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To define the scope of application of Group Policy objects, consider these three main questions:
Where will your GPOs be linked?
What security filtering on the GPOs will you use?
What WMI filters will be applied?
Also, remember that by default, Group Policy objects are inherited, cumulative, and affect all computers and users in an Active Directory container and its children. They are processed in the following order: local GPO (LGPO), site, domain, and then OU, with the last processed overriding the earlier GPOs. The default inheritance method is to evaluate Group Policy starting with the Active Directory container farthest from the computer or user object. The Active Directory container closest to the computer or user overrides Group Policy set in a higher-level Active Directory container unless you set the Enforced (No Override) option for that GPO link, or unless the Block Policy Inheritance setting has been applied to the domain or OU. The LGPO is processed first, so settings from GPOs linked to Active Directory containers override the local settings. For more information about LGPOs, see the Windows Security Collection in the Windows Server 2003 Technical Reference on the Web (http://go.microsoft.com/fwlink/?linkid=4571).
Another issue is that although you can link more than one GPO to an Active Directory container, you need to be aware of the processing order (priority). The GPO link with the lowest link order in the Group Policy Object Links list (displayed in the Linked Group Policy Objects tab in GPMC) has precedence by default. However, if one or more GPO links have the Enforced option set, the highest GPO link set to Enforced takes precedence.
Stated briefly, Enforced is a link property, Block Policy Inheritance is a container property, and Enforced takes precedence over Block Policy Inheritance. In addition, settings can be switched off on the GPO itself in four other ways: a GPO can be disabled, or it can have its computer settings disabled, its user settings disabled, or all of its settings disabled.
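The precedence rules above (LGPO first, then site, domain, OU; lowest link order wins within a container; Block Policy Inheritance drops non-enforced links from higher containers; the enforced link from the highest-level container wins) can be checked with a small model before changing links in production. The following Python is an added example written for this page, not Microsoft code or a GPMC API; the container, GPO and setting names are constructed and hypothetical, and it deliberately ignores security and WMI filtering.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int               # link order within the container; 1 = highest precedence
    enforced: bool = False   # Enforced (No Override) is a property of the link
    disabled: bool = False   # the GPO is disabled: it is skipped entirely

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False   # Block Policy Inheritance is a property of the container

def processing_order(chain: list, local_gpo: str = "LGPO") -> list:
    """GPOs in processing order for chain [site, domain, OU, ..., target OU]; the last one wins."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []   # discard non-enforced links from every container above this one
        active = sorted((l for l in container.links if not l.disabled),
                        key=lambda l: l.order, reverse=True)   # higher order number = processed earlier
        normal.append([l.gpo for l in active if not l.enforced])
        enforced.append([l.gpo for l in active if l.enforced])
    order = [local_gpo]   # the LGPO is processed first, so every linked GPO overrides it
    for group in normal:
        order.extend(group)
    # Enforced links are processed after all others, closest container first, so the
    # enforced link from the highest-level container is applied last and takes precedence
    for group in reversed(enforced):
        order.extend(group)
    return order

def resolve(order: list, settings: dict) -> dict:
    """Apply each GPO's configured settings in order; a later GPO overrides an earlier one."""
    effective = {}
    for gpo in order:
        effective.update(settings.get(gpo, {}))
    return effective

# Constructed hierarchy and settings (hypothetical names, not from any real forest)
SITE = Container("Default-First-Site-Name", [Link("SiteProxy", 1)])
DOMAIN = Container("corp.example", [Link("Default Domain Policy", 1),
                                    Link("DomainSecurity", 2, enforced=True)])
WORKSTATIONS = Container("Workstations", [Link("WsLockdown", 1), Link("WsBaseline", 2)],
                         block_inheritance=True)
SETTINGS = {"LGPO": {"ScreenSaverTimeout": "0"}, "Default Domain Policy": {"MinPasswordLength": "8"},
            "DomainSecurity": {"MinPasswordLength": "14"}, "WsLockdown": {"ScreenSaverTimeout": "600"},
            "WsBaseline": {"ScreenSaverTimeout": "900", "MinPasswordLength": "10"}}
```

With Block Policy Inheritance on the Workstations OU, `processing_order([SITE, DOMAIN, WORKSTATIONS])` yields `['LGPO', 'WsBaseline', 'WsLockdown', 'DomainSecurity']`: the site and Default Domain Policy links are blocked, but the enforced DomainSecurity link still applies last, so its 14-character minimum password length wins over the OU's value of 10.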
GPMC greatly simplifies these tasks by allowing you to view GPO inheritance across your organization and manage links from one MMC console. Figure 2.5 shows Group Policy inheritance as displayed in GPMC.
Figure 2.5 Group Policy Management Linking and Inheritance
To view full details of inheritance and precedence for GPO links to a domain, site, or OU, you must have Read permissions on the domain, site, or OU containing the GPO links as well as on the GPOs. If you have Read access to the domain, site, or OU, but not on one of the GPOs linked there, it will appear as Inaccessible GPO, and you will not be able to read the name or other information for that GPO.