How do I know what
are the settings in a GPO?
Prior to the use of GPMC,
an administrator who wanted to find out
which one of the hundreds of settings of
a GPO were actually configured - had to
open each GPO and manually comb through
each and every node of the GPO sections.
Now, with GPMC, you can simply see what
the configurations of any GPO are if you
point on that GPO and go to the Settings
tab. There you can use the drop-down
menus to see computer or user settings.
Block/Enforce
inheritance
You can block policy
inheritance to an OU if you don’t want
the settings from upper GPOs to
configure your OU.
To block GPO inheritance,
simply right click your OU and choose
"Block Inheritance". Blocking
inheritance will block all upper GPOs.
In case you need one of
the upper GPOs to configure all
downstream OUs and overcome Block
inheritance, use the Enforce option of a
link. Enforcing a GPO is a powerful
option and rarely should be used.
You can see in this
example that when you look at Computers
OU, three different GPOs are inherited
to it.
In this example you can
see that choosing "Block inheritance"
will reject all upper GPOs.
Now, if we configure the
"Default domain policy" with the Enforce
option, it will overcome the inheritance
blocking.
Link order
When linking more than
one GPO to an OU, there could be a
problem when two or more GPOs have the
same settings but with opposite
configuration, like, GPO1 have Allow
printer installation among other
settings but GPO2 is configured to
prevent printer installation among other
settings. Because the two GPOs are at
the same level, there is a link order
which can be changed.
The GPO with the lowest
link order is processed last, and
therefore has the highest precedence.
|
