1. GPO Links
A GPO can be linked to one or more Active Directory sites,
domains, or OUs. After a policy is linked to a site, domain, or OU,
the computers and users in that container are within the
scope of the GPO, including computers and users in child OUs.
You use the same commands to link a GPO to a site, but by
default, your Active Directory sites are not visible in the GPMC. To
show sites in the GPMC, right-click Sites in the GPMC console tree and
choose Show Sites.
When you link a GPO to a site, domain, or OU, you define the
initial scope of the GPO. Select a GPO and click the Scope tab to
identify the containers to which the GPO is linked. In the details
pane of the GPMC, the GPO links are displayed in the first section of the
Scope tab, as shown in Figure 1.
The impact of the GPO’s links is that the Group Policy Client downloads the GPO if either the
computer or the user objects fall within the scope of the link. The
GPO is downloaded only if it is new or updated. The Group Policy
Client caches the GPO to make policy refresh more efficient.
Linking a GPO to Multiple OUs
You can link a GPO to more than one site, domain, or OU. It is
common, for example, to apply configuration to computers in several
OUs. You can define the configuration in a single GPO and link that
GPO to each OU. If you later change settings in the GPO, your
changes apply to all OUs to which the GPO is linked.
Deleting or Disabling a GPO Link
After you have linked a GPO, the GPO link appears in the GPMC
under the site, domain, or OU. The icon for the GPO link has a small
shortcut arrow. When you right-click the GPO link, a context menu
appears, as shown in Figure 2.
To delete a GPO link, right-click the GPO link in the GPMC
console tree and then click Delete. Deleting a GPO link does not
delete the GPO itself, which remains in the Group Policy Objects container. Deleting the link does
change the scope of the GPO so that it no longer applies to
computers and users within a site, domain, or OU to which it was
previously linked.
You can also modify a GPO link by disabling it. To disable a
GPO link, right-click the GPO link in the GPMC console tree and
clear the Link Enabled option. Disabling the link also changes the
scope of the GPO so that it no longer applies to computers and users
within that container. However, the link remains so that it can be
easily re-enabled.
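The link operations described above, carried out with the GroupPolicy PowerShell module, as an added example that is not part of the original text. The GPO name is taken from the text; the OU distinguished names and the contoso.com domain are constructed for the example.

```powershell
# Added example (not from the original text): manage GPO links with the
# GroupPolicy module (RSAT or a domain controller). Run as a user who is
# allowed to edit Group Policy links on the target containers.
Import-Module GroupPolicy

$gpoName = 'Standard User Configuration'           # GPO name from the text
# Constructed container DNs; replace with your own OUs.
$targets = @(
    'OU=People,DC=contoso,DC=com',
    'OU=Clients,DC=contoso,DC=com'
)

# Link one GPO to several OUs. A later change to the GPO's settings
# reaches every linked OU (and its child OUs) because the links define
# the scope of the GPO.
foreach ($dn in $targets) {
    New-GPLink -Name $gpoName -Target $dn -LinkEnabled Yes | Out-Null
}

# Disable (not delete) the link on Clients: the link stays, so it can be
# re-enabled, but the GPO no longer applies to computers and users there.
Set-GPLink -Name $gpoName -Target 'OU=Clients,DC=contoso,DC=com' -LinkEnabled No | Out-Null

# Delete the link on People. The GPO itself remains in the Group Policy
# Objects container; only its scope shrinks.
Remove-GPLink -Name $gpoName -Target 'OU=People,DC=contoso,DC=com' | Out-Null

# Verify: the GPO object still exists, and each OU shows its link state.
Get-GPO -Name $gpoName | Select-Object DisplayName, Id, GpoStatus
foreach ($dn in $targets) {
    (Get-GPInheritance -Target $dn).GpoLinks |
        Select-Object @{ n = 'Container'; e = { $dn } }, DisplayName, Enabled, Enforced, Order
}
```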
2. GPO Inheritance and Precedence
A policy setting can be configured in more than one GPO, and
GPOs can be in conflict with one another. For example, a
policy setting can be enabled in one GPO, disabled in another GPO, and
not configured in a third GPO. In this case, the
precedence of the GPOs determines which policy
setting the client applies. A GPO with higher precedence prevails over
a GPO with lower precedence. Precedence is shown as a number in the
GPMC. The smaller the number—that is, the closer to 1—the higher the
precedence, so a GPO with a precedence of 1 prevails over other GPOs.
Select the domain or OU, and then click the Group Policy Inheritance
tab to view the precedence of each GPO.
When a policy setting is enabled or disabled in a GPO with
higher precedence, the configured setting takes effect.
However, remember that policy settings are set to Not Configured by
default. If a policy setting is not configured in a GPO with higher
precedence, the policy setting (either enabled or disabled) in a GPO
with lower precedence will take effect.
A site, domain, or OU can have more than one GPO linked to it.
The link order of GPOs determines the precedence of GPOs in such a
scenario. A GPO higher in the link order (link order 1 is the top of
the list) takes precedence over GPOs lower in the list. When you select
an OU in the GPMC, the Linked Group Policy Objects tab shows the link
order of GPOs linked to that OU.
The default behavior of Group Policy is that GPOs linked to a
higher-level container are inherited by lower-level containers. When a
computer starts up or a user logs on, the Group Policy Client examines the location of the
computer or user object in Active Directory and evaluates the GPOs
with scopes that include the computer or user. Then the client-side
extensions apply policy settings from these GPOs. Policies are applied
sequentially, beginning with the policies linked to the site, followed
by those linked to the domain, followed by those linked to OUs—from
the top-level OU down to the OU in which the user or computer object
exists. It is a layered application of settings: A GPO that is applied
later in the process, because it has higher precedence, overrides
settings applied earlier in the process. This default order of
applying GPOs is illustrated in Figure 3.
EXAM TIP
Be certain to memorize the default Group Policy processing
order: site, domain, OU. Remember that domain policy settings are
applied after, and therefore take precedence over, settings in local GPOs.
This sequential application of GPOs creates an effect called
policy inheritance. Policies are inherited, so
the resultant set of group policies for a user or computer is the
cumulative effect of site, domain, and OU policies.
By default, inherited GPOs have lower precedence than GPOs
linked directly to the container. For example, you might configure a
policy setting to disable the use of registry-editing tools for all
users in the domain by configuring the policy setting in a GPO linked to the domain. That GPO and its policy
setting are inherited by all users within the domain. However, you
probably want administrators to be able to use registry-editing tools,
so in this example you should link a GPO to the OU that contains
administrators’ accounts and configure the policy setting to allow the
use of registry-editing tools. Because the GPO linked to the
administrators’ OU takes higher precedence than the inherited GPO,
administrators can use registry-editing tools. Figure 4 shows this
example.
A policy setting that restricts registry-editing tools is
defined in the CONTOSO Standards GPO, linked to the contoso.com
domain. In the Corporate Policy Overrides For Administrators GPO, a
policy setting specifically allows the use of registry-editing tools.
The administrator’s GPO is linked to the Admins OU. When you select an
OU such as the Admins OU, the details pane of the GPMC displays a
Group Policy Inheritance tab that reveals GPO precedence for that OU.
You can see that the Corporate Policy Overrides For Administrators GPO
has precedence. Any setting in that GPO that is in conflict with a
setting in CONTOSO Standards is applied from the administrators GPO.
Therefore, users in the Admins OU can use registry-editing tools,
although users elsewhere in the domain cannot. As you can see from
this simple example, the default order of precedence ensures that the
policy that is closest to the user or computer prevails.
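The layered resolution described above, modelled as a small PowerShell function. This is an added example, not code from the original text or from Microsoft; the function, its parameter shapes and the setting key `RegistryEditingTools` are assumptions made for the example, and the scenario data is constructed from the CONTOSO Standards and Admins OU example in the text. It also covers Block Inheritance and Enforced links, which the following pages describe.

```powershell
# Added example (not from the original text): a small model of how the
# Group Policy Client resolves one policy setting across GPO layers.
# $Layers is in processing order: site, domain, then OUs from the top-level
# OU down to the object's own OU. Each layer's Links are listed in application
# order (highest link-order number first, link order 1 last).
function Resolve-GPSetting {
    param(
        [Parameter(Mandatory)] [object[]] $Layers,
        [Parameter(Mandatory)] [string]   $Setting
    )
    $normal   = @()   # links applied in the default order
    $enforced = @()   # enforced links, applied after all normal links

    foreach ($layer in $Layers) {
        if ($layer.BlockInheritance) {
            $normal = @()          # drop non-enforced links from every parent
        }
        foreach ($link in $layer.Links) {
            if ($link.Enforced) { $enforced += $link } else { $normal += $link }
        }
    }
    # Enforced links from higher containers beat enforced links from lower
    # ones, so they are applied in reverse collection order.
    [array]::Reverse($enforced)

    $winner = $null
    foreach ($link in @($normal + $enforced)) {
        $value = $link.Settings[$Setting]
        # 'NotConfigured' (the default) never overrides an earlier value
        if ($value -and $value -ne 'NotConfigured') {
            $winner = [pscustomobject]@{ Gpo = $link.Name; Value = $value }
        }
    }
    return $winner
}

# Constructed scenario from the text: registry-editing tools are blocked by
# CONTOSO Standards at the domain and allowed again by the Admins OU GPO.
$layers = @(
    @{ Name = 'site';   BlockInheritance = $false; Links = @() },
    @{ Name = 'domain'; BlockInheritance = $false; Links = @(
        @{ Name = 'CONTOSO Standards'; Enforced = $false
           Settings = @{ RegistryEditingTools = 'Enabled' } }) },
    @{ Name = 'Admins'; BlockInheritance = $false; Links = @(
        @{ Name = 'Corporate Policy Overrides For Administrators'; Enforced = $false
           Settings = @{ RegistryEditingTools = 'Disabled' } }) }
)
Resolve-GPSetting -Layers $layers -Setting 'RegistryEditingTools'
# The Admins OU GPO wins (Value = Disabled). Set Enforced = $true on the
# CONTOSO Standards link to see the domain setting prevail instead.
```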
Precedence of Multiple Linked GPOs
An OU, domain, or site can have more than one GPO linked to
it. In the event of multiple GPOs, the GPOs’ link
order determines their precedence. In Figure 5, two GPOs are linked to the People
OU.
The object higher on the list, with a link order of 1, has the
highest precedence. Therefore, settings that are enabled or disabled
in the Power User Configuration GPO have precedence over these same
settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
- Select the OU, site, or domain in the GPMC console tree.
- Click the Linked Group Policy Objects tab in the details pane.
- Select the GPO.
- Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO.
A domain or OU can be configured to prevent the inheritance of
policy settings. To block inheritance, right-click the domain or OU in the
GPMC console tree and choose Block Inheritance.
The Block Inheritance option is a property of a domain or OU,
so it blocks all Group Policy settings from
GPOs linked to parents in the Group Policy hierarchy. When you block
inheritance on an OU, for example, GPO application begins with any
GPOs linked directly to that OU—GPOs linked to higher-level OUs, the
domain, or the site do not apply.
The Block Inheritance option should be used sparingly, if
ever. Blocking inheritance makes it more difficult to evaluate Group
Policy precedence and inheritance.
A GPO link can be set to Enforced. To enforce a GPO link,
right-click the GPO link in the console tree, and then select the
Enforced option on the context menu shown in Figure 2.
When a GPO link is set to Enforced, the GPO takes the highest
level of precedence; policy settings in that GPO prevail over
any conflicting policy settings in other GPOs. In addition, a link
that is enforced applies to child containers even when those
containers are set to Block Inheritance, so the GPO applies to all
objects within its scope regardless of whether a Block Inheritance
option is set.
In Figure 6, Block
Inheritance has been applied to the Clients OU. As a result, GPO 1,
which is applied to the site, is blocked and does not apply to the
Clients OU. However, GPO 2, linked to the domain with the Enforced
option, does apply. In fact, it is applied last in the processing
order, meaning that its settings override those of GPOs 6 and
7.
When you configure a GPO that defines configuration mandated
by your corporate IT security and usage policies, you want to ensure
that those settings are not overridden by other GPOs. You can do
this by enforcing the link of the GPO. Figure 7 shows just
this scenario. Configuration mandated by corporate policies is
deployed in the CONTOSO Corporate IT Security & Usage GPO, which
is linked with an enforced link to the contoso.com domain. The icon
for the GPO link has a padlock—the visual indicator of an enforced
link. On the People OU, the Group Policy Inheritance tab shows that the GPO takes
precedence even over the GPOs linked to the People OU
itself.
To facilitate evaluation of GPO precedence, you can simply
select an OU (or domain) and click the Group Policy Inheritance tab. This tab displays the
resulting precedence of GPOs, accounting for GPO link, link order,
inheritance blocking, and link enforcement. This tab does not
account for policies that are linked to a site, nor does it account
for GPO security or WMI filtering.
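The link order, Block Inheritance and Enforced scenarios from Figures 5 to 7, configured with the GroupPolicy PowerShell module and then read back the way the Group Policy Inheritance tab presents them. This is an added example, not part of the original text; it assumes the named GPOs already exist and are already linked to the containers shown, and the contoso.com distinguished names are constructed.

```powershell
# Added example (not from the original text): set link order, Block
# Inheritance and Enforced with the GroupPolicy module, then list the
# resulting precedence per container. Assumes the GPOs are already linked.
Import-Module GroupPolicy

$domainDn  = 'DC=contoso,DC=com'               # constructed
$peopleOu  = 'OU=People,DC=contoso,DC=com'     # constructed
$clientsOu = 'OU=Clients,DC=contoso,DC=com'    # constructed

# Figure 5: two GPOs on the People OU. Link order 1 has the highest
# precedence, so Power User Configuration wins over Standard User Configuration.
Set-GPLink -Name 'Power User Configuration'    -Target $peopleOu -Order 1 | Out-Null
Set-GPLink -Name 'Standard User Configuration' -Target $peopleOu -Order 2 | Out-Null

# Figure 6: Block Inheritance on Clients. Links from the domain and site no
# longer apply there unless they are enforced.
Set-GPInheritance -Target $clientsOu -IsBlocked Yes | Out-Null

# Figure 7: enforce the corporate security GPO at the domain. It is applied
# last, so its settings prevail over the OU-linked GPOs, and it still reaches
# the Clients OU despite the block.
Set-GPLink -Name 'CONTOSO Corporate IT Security & Usage' -Target $domainDn -Enforced Yes | Out-Null

# Resulting precedence per container. InheritedGpoLinks is listed in
# precedence order, as the Group Policy Inheritance tab shows it.
foreach ($dn in $peopleOu, $clientsOu) {
    $som = Get-GPInheritance -Target $dn
    "`n$($som.Path)  (inheritance blocked: $($som.GpoInheritanceBlocked))"
    $i = 0
    $som.InheritedGpoLinks | ForEach-Object {
        $i++
        [pscustomobject]@{
            Precedence = $i; Gpo = $_.DisplayName; LinkedTo = $_.Target
            Enforced = $_.Enforced; Enabled = $_.Enabled
        }
    } | Format-Table -AutoSize
}

# Like the tab, this view ignores site links and security/WMI filtering. For
# the policies one computer or user actually receives, generate an RSoP report:
# Get-GPResultantSetOfPolicy -Computer 'CLIENT01' -ReportType Html -Path .\rsop.html
```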