I guess it boils down to: the child object wins (gets its
GPO setting applied if conflicting with a GPO in an OU
higher up) unless there is NO OVERRIDE or filtering (no
READ and APPLY GPO for the child). There is also BLOCK
POLICY INHERITANCE which does as it states UNLESS there is
NO OVERRIDE which overrules BLOCK POLICY.

If a higher policy hides something on the desktop, for
example, and the child hides something else, then the user
has both things hidden. If the higher GPO hides, and the
lower GPO SHOWS that same object, in the absence of NO
OVERRIDE the item will be SHOWN.

It can get complicated, with multiple GPOs at the same
level being applied; the ones shown higher in the list
have higher priority and override those lower in the list.
Then child OUs apply and "undo" what was done in higher
GPOs and there can be multiple GPOs there as well. Of
course, security issues (password policies, for example)
are applied at the domain level only (the domain is a
security boundary).

There is nothing like setting up a lab, creating users and
groups and DOING this stuff. I spent a lot of time on this
and still learn new things every day about AD. And yes,
_my_ brain did explode!
Lois
MCSA, MCSE
>-----Original Message-----
>Group policies are applied in this order: local, site,
>domain, OU (LSDO). OK.
>In AD Users and Computers, the hierarchy looks on the
>screen like the domain is always root, then other 'child'
>objects like OUs. OK
>
>The question: does the GPO for a domain inherit OU
>settings or does an OU GPO inherit domain GPO settings?
>
>If the OU inherits GPO from the domain, but the OU setting
>is applied last - there's a good issue for my brain to explode
>trying to work out how to apply GPO settings.
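The precedence rules discussed in this thread (child wins, list order, NO OVERRIDE, BLOCK POLICY INHERITANCE, filtering), as an added example that is not part of the original posts: a small Python model that reports which GPO supplies each effective setting. The GPO names and setting names are constructed, and the local and site levels and the domain-only password policy rule are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    settings: dict
    no_override: bool = False  # the "No Override" flag on the GPO link
    applies: bool = True       # False: user lacks Read + Apply Group Policy

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # first entry = top of the list
    block_inheritance: bool = False

def resolve(path):
    """path: containers from the domain down to the user's OU.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    # Block Policy Inheritance discards ordinary links from containers above it.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, forced = [], []
    for depth, c in enumerate(path):
        for link in reversed(c.links):  # bottom of the list is applied first
            if not link.applies:
                continue  # filtered out by permissions
            if link.no_override:
                forced.append((depth, link))
            elif depth >= start:
                normal.append(link)
    # No Override links go last, deepest first, so the highest container wins.
    forced.sort(key=lambda item: -item[0])
    result = {}
    for link in normal + [l for _, l in forced]:
        for key, value in link.settings.items():
            result[key] = (value, link.name)  # later application overwrites
    return result

def scenario(no_override=False, block=False, child_applies=True):
    # Constructed GPO and setting names, for illustration only.
    domain = Container("domain", [Link("Domain Desktop",
        {"hide_my_computer": True, "hide_run": True}, no_override)])
    ou = Container("Sales OU", [Link("Sales Desktop",
        {"hide_my_computer": False, "hide_recycle_bin": True},
        applies=child_applies)], block_inheritance=block)
    return resolve([domain, ou])

if __name__ == "__main__":
    for kwargs in ({}, {"no_override": True}, {"block": True},
                   {"no_override": True, "block": True}):
        print(kwargs, scenario(**kwargs))
```

Recording the winning GPO next to each value makes it easy to spot where a child OU undoes a setting configured higher up.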