3.1. Order of Inheritance
As a rule, Group Policy settings are passed from parent
containers down to child containers. This means that a policy that
is applied to a parent container applies to all the
containers—including users and computers—that are below the parent
container in the Active Directory tree hierarchy. However, if you
specifically assign a Group Policy for a child container that
contradicts the parent container policy, the child container’s
policy overrides the parent Group Policy.
If policies are not contradictory, both can be implemented.
For example, if a parent container policy calls for an application
shortcut to be on a user’s desktop and the child container policy
calls for another application shortcut, both appear. Policy settings
that are disabled are inherited as disabled. Policy settings that
are not configured in the parent container remain
unconfigured.
3.1.1. Overriding Inheritance
Several options are available for changing how inheritance
is processed. One option, called enforcing a GPO link, prevents child containers from
overriding any policy setting set in a higher-level GPO. By
default, this option is not set on any GPO.
3.1.2. Enforcing a GPO Link in the GPMC
To enforce a link, open the Group Policy Management Console,
right-click the Group Policy object link in the console tree, and
select Enforced, as shown in Figure 4.
A second option is Block Inheritance. When you select this option, the
child container does not inherit any policies from parent
containers. In the event of a conflict between these two options,
the Enforced option always takes precedence. Simply stated,
Enforced is a link property, Block Inheritance is a container property, and Enforced
takes precedence over Block Inheritance.
3.1.3. Setting Block Inheritance
To enable Block Inheritance, open the Group Policy Management Console and right-click the
domain or organizational unit (OU) for which you want to block
inheritance. Select Block Inheritance, as shown in Figure 5.
3.2. Order of Implementation
Group policies are processed in the following order:
1. GPOs linked to the site, in the order specified by the
   administrator
2. Domain GPOs, as specified by the administrator
3. OU GPOs, from largest to smallest OU (parent to child
   OU)
The GPO with the lowest link order is processed last, and
therefore has the highest precedence. If multiple GPOs attempt
contradictory settings, the GPO with highest precedence
wins.
Exceptions to this order are GPOs with enforced or disabled
links, GPOs with disabled user or computer settings, and OUs (or the
whole domain) set to block inheritance.
To see the order of precedence for GPOs for a domain or OU, open
the Group Policy Management Console and, in the console tree, select
the domain name or the OU. In the details pane, click the Group
Policy Inheritance tab, as shown in Figure 6.
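The following added example (not part of the original text) models the rules from sections 3.1 and 3.2 so that the interaction of link order, Enforced, and Block Inheritance can be checked on paper before changing a production OU. All container and GPO names are constructed, and the ordering among several enforced links (the highest container wins) follows from the rule that a child cannot override an enforced link above it.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int              # link order inside its container; 1 is processed last
    enforced: bool = False
    enabled: bool = True

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(chain):
    """chain runs site -> domain -> parent OU -> child OU.
    Returns GPO names in processing order; the last entry wins conflicts."""
    # Block Inheritance drops non-enforced links from every container above it.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        for link in sorted(c.links, key=lambda l: -l.order):
            if not link.enabled:
                continue            # disabled links are skipped
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= cut:
                normal.append(link.gpo)
    # Enforced links go last, highest container last of all, so no child overrides them.
    enforced.sort(key=lambda t: (-t[0], -t[1].order))
    return normal + [link.gpo for _, link in enforced]

def sample_chain(block_lab=False):
    # Constructed names, for illustration only.
    return [
        Container("Site: HQ", [Link("Site Proxy", 1)]),
        Container("Domain: corp.example", [Link("Default Domain Policy", 2),
                                           Link("Security Baseline", 1, enforced=True)]),
        Container("OU: Workstations", [Link("Workstation Lockdown", 1)]),
        Container("OU: Lab", [Link("Lab Settings", 1),
                              Link("Lab Legacy", 2, enabled=False)], block_lab),
    ]

if __name__ == "__main__":
    for blocked in (False, True):
        print("Block Inheritance on Lab:", blocked, processing_order(sample_chain(blocked)))
```

With Block Inheritance set on the Lab OU, only the OU's own link and the enforced domain baseline remain, and the baseline still has the final say.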