Policy inheritance

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Policy inheritance

In general, Group Policy is passed down from parent to child containers within a domain, which you can view by using Active Directory Users and Computers. Group Policy is not inherited from parent to child domains, for example, from wingtiptoys.com to sales.wingtiptoys.com. Active Directory Domains and Trusts, which you can use to manage relationships of this type, is not related to Group Policy.

If you assign a specific Group Policy setting to a high-level parent container, that Group Policy setting applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a Group Policy setting for a child container, the child container's Group Policy setting overrides the parent container's setting.

If a parent organizational unit has policy settings that are not configured, the child organizational unit does not inherit them. Policy settings that are disabled are inherited as disabled. In addition, if a policy setting is configured (enabled or disabled) for a parent organizational unit and the same policy setting is not configured for a child organizational unit, the child inherits the parent's enabled or disabled policy setting.

If a policy setting that is applied to a parent organizational unit and a policy setting that is applied to a child organizational unit are compatible, the child organizational unit inherits the parent policy setting, and the child's setting is also applied.

If a policy setting that is configured for a parent organizational unit is incompatible with the same policy setting that is configured for a child organizational unit (because the setting is enabled in one case and disabled in the other), the child does not inherit the policy setting from the parent. The policy setting in the child is applied.

Blocking inheritance

You can block policy inheritance at the domain or organizational-unit level by opening the properties dialog box for the domain or organizational unit and selecting the Block Policy inheritance check box. For more information, see Block policy inheritance.

Enforcing inheritance

You can enforce policy inheritance by setting the No Override option on a Group Policy object link.

When you select the No Override check box, you force all child policy containers to inherit the parent's policy, even if that policy conflicts with the child's policy and even if Block Inheritance has been set for the child.

You can set No Override on a Group Policy object link by opening the properties dialog box for the site, domain, or organizational unit and making sure that the No Override check box is selected. For more information, see Prevent a Group Policy object from being overridden.

Notes