GPO Inheritance and Precedence Overview
In this article we will discuss GPO Inheritance and Precedence which is an essential concept to understand while configuring a policy. A policy setting can be configured in more than one GPO (Group Policy Object), and GPOs can be in conflict the one another. For example, a policy setting can be enabled in one GPO, disabled in another GPO, and not configured in a third GPO. In this case, the precedence of the GPOs determines which policy setting the client applies. A GPO with higher precedence prevails over a GPO with lower precedence. Precedence is shown as a number in the GPMC. The smaller the number—that is, the closer to 1—the higher the precedence, so a GPO with a precedence of 1 prevails over other GPOs. Select the domain or OU, and then click the Group Policy Inheritance tab to view the precedence of each GPO.
When a policy setting is enabled or disabled in a GPO with higher precedence, the configured setting takes effect. However, remember that policy settings are set to Not Configured by default. If a policy setting is not configured in a GPO with higher precedence, the policy setting (either enabled or disabled) in a GPO with lower precedence will take effect.
A site, domain, or OU can have more than one GPO linked to it. The link order of GPOs determines the precedence of GPOs in such a scenario. GPOs with higher-link order take precedence over GPOs with lower-link order. When you select an OU in the GPMC, the Linked Group Policy Objects tab shows the link order of GPOs linked to that OU.
The default behavior of Group Policy is that GPOs linked to a higher-level container are inherited by lower-level containers. When a computer starts up or a user logs on, the Group Policy Client examines the location of the computer or user object in Active Directory and evaluates the GPOs with scopes that include the computer or user. Then the client-side extensions apply policy settings from these GPOs. Policies are applied sequentially, beginning with the policies linked to the site, followed by those linked to the domain, followed by those linked to OUs—from the top-level OU down to the OU in which the user or computer object exists. It is a layered application of settings: A GPO that is applied later in the process, because it has higher precedence, overrides settings applied earlier in the process. This default order of applying GPOs is illustrated in Figure 1.
Be certain to memorize the default domain policy processing order: site, domain, OU. Remember that domain policy settings are applied after—and therefore take precedence over—settings in local GPOs.
This sequential application of GPOs creates an effect called policy inheritance. Policies are inherited, so the resultant set of group policies for a user or computer is the cumulative effect of site, domain, and OU policies.
By default, inherited GPOs have lower precedence than GPOs linked directly to the
container. For example, you might configure a policy setting to disable the use of registryediting tools for all users in the domain by configuring the policy setting in a GPO linked to the domain. That GPO and its policy setting are inherited by all users within the domain. However, you probably want administrators to be able to use registry-editing tools, so in this example you should link a GPO to the OU that contains administrators’ accounts and configure the policy setting to allow the use of registry-editing tools. Because the GPO linked to the administrators’ OU takes higher precedence than the inherited GPO, administrators can use registry-editing tools. Figure 6-9 shows this example.
Figure 6-9 The Group Policy inheritance tab
A policy setting that restricts registry-editing tools is defined in the CONTOSO
Standards GPO, linked to the contoso.com domain. In the Corporate Policy Overrides For Administrators GPO, a policy setting specifically allows the use of registry-editing tools. The administrator’s GPO is linked to the Admins OU. When you select an OU such as the Admins OU, the details pane of the GPMC displays a Group Policy Inheritance tab that reveals GPO precedence for that OU. You can see that the Corporate Policy Overrides For Administrators GPO has precedence. Any setting in that GPO that is in conflict with a setting in CONTOSO Standards is applied from the administrators GPO. Therefore, users in the Admins OU can use registry-editing tools, although users elsewhere in the domain cannot. As you can see from this simple example, the default order of precedence ensures that the policy that is closest to the user or computer prevails.
Precedence of Multiple Linked GPOs
An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs’ link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.
Figure 6-10 GPO link order
The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO.
A domain or OU can be configured to prevent the inheritance of policy settings. To block inheritance, right-click the domain or OU in the GPME and choose Block Inheritance.
The Block Inheritance option is a property of a domain or OU, so it blocks all Group
Policy settings from GPOs linked to parents in the Group Policy hierarchy. When you block inheritance on an OU, for example, GPO application begins with any GPOs linked directly to that OU—GPOs linked to higher-level OUs, the domain, or the site do not apply.
The Block Inheritance option should be used sparingly, if ever. Blocking inheritance makes it more difficult to evaluate Group Policy precedence and inheritance. In the #section entitled, “Using Security Filtering to Modify GPO Scope,” you #learn how to scope a GPO so that it applies to only a subset of objects or so that it is prevented from applying to a subset of objects. With security group filtering, you can carefully scope a GPO so that it applies to only the correct users and computers, making it unnecessary to use the Block Inheritance option.
Enforcing a GPO Link
A GPO link can be set to Enforced. To enforce a GPO link, right-click the GPO link in the
console tree, and then select the Enforced option on the context menu shown in Figure 6-7.
When a GPO link is set to Enforced, the GPO takes the highest level of precedence; policy settings in that GPO prevail over any conflicting policy settings in other GPOs. In addition, a link that is enforced applies to child containers even when those containers are set to Block Inheritance. The Enforced option causes the policy to apply to all objects within its scope. Enforced causes policies to override any conflicting policies and applies regardless of whether a Block Inheritance option is set.
In Figure 4, Block Inheritance has been applied to the Clients OU. As a result, GPO 1, which is applied to the site, is blocked and does not apply to the Clients OU. However, GPO 2, linked to the domain with the Enforced option, does apply. In fact, it is applied last in the processing order, meaning that its settings override those of GPOs 6 and 7.
When you configure a GPO that defines configuration mandated by your corporate IT security and usage policies, you want to ensure that those settings are not overridden by other GPOs. You can do this by enforcing the link of the GPO. Figure 5 shows just this scenario. Configuration mandated by corporate policies is deployed in the CONTOSO Corporate IT Security & Usage GPO, which is linked with an enforced link to the contoso.com domain. The icon for the GPO link has a padlock—the visual indicator of an enforced link. On the People OU, the Group Policy Inheritance tab shows that the GPO takes precedence even over the GPOs linked to the People OU itself.
To facilitate evaluation of GPO precedence, you can simply select an OU (or domain) and click the Group Policy Inheritance tab. This tab displays the resulting precedence of GPOs, accounting for GPO link, link order, inheritance blocking, and link enforcement. This tab does not account for policies that are linked to a site, nor does it account for GPO security or WMI filtering.
Although it is recommended that you use the Block Inheritance and Enforced options sparingly in your Group Policy infrastructure, the 70-640 exam will expect you to understand the effect of both options.