GPO Inheritance

A user or a computer in an OU can have multiple GPOs applied to it: Local Group Policy, GPOs linked to the site, GPOs linked to the domain and GPOs linked to the OU. In addition, multiple GPOs can be linked to any of these containers. The following is the order in which the Group Policy settings take effect.

  • Local Group Policy settings are applied first
  • GPOs linked at the site level are applied next followed by the GPOs linked at the domain level and OU level. Since GPOs linked to the OU are processed last, they have the highest precedence
  • In case of nested OUs, GPOs linked to the parent OUs are applied first followed by the GPOs linked to the child OU
  • If multiple GPOs are linked to a container, then the GPO with the lowest link order will have the highest precedence
  • To view the list of GPOs applied to a container, double-click the container and select the Group Policy Inheritance tab in the right pane. A list of GPOs with link order, location and status will be displayed

The final configuration of policy settings applied to a user or computer is a combination of all the policy settings defined in each GPO. In case of any conflict, the policy settings configured in the GPO with higher precedence override those in the GPO with lower precedence. However, this behavior can be altered using the Block Inheritance option.

To block inheritance and apply only the policy settings configured in GPOs linked to a particular OU, right-click the OU and select Block Inheritance. This will block all the policy settings from GPOs linked at the domain level, site level and parent OUs.

Enforcing a GPO

GPOs can be enforced so that the GPOs linked to a higher level container, like the domain or a parent OU, take precedence over the GPOs linked to a lower level container. To enforce a GPO, select the GPO linked to a container. Right-click that GPO and select Enforced.

GPOs that are enforced will be applied to a lower level container even when the ‘Block Inheritance’ option is enabled for that container.
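The precedence rules above (site, domain, parent OU, child OU, link order, Block Inheritance and Enforced) can be checked with a small model. This is an added example, not code from the original page or from Microsoft: the GPO names and setting labels are constructed, Local Group Policy is assumed to be unaffected by Block Inheritance, and the GPO status options are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int                  # link order in its container; 1 = highest precedence
    enforced: bool = False
    settings: dict = field(default_factory=dict)

@dataclass
class Container:
    name: str
    links: list
    block_inheritance: bool = False

def precedence(chain):
    """chain runs site -> domain -> parent OU -> target OU; the last link returned wins."""
    # The innermost container with Block Inheritance drops non-enforced links from above it.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for level, container in enumerate(chain):
        # Highest link order first, so link order 1 is applied last within its container.
        for link in sorted(container.links, key=lambda l: -l.order):
            if link.enforced:
                enforced.append((level, link))
            elif level >= cutoff:
                normal.append(link)
    # Enforced links apply after all others; the higher-level container goes last (stable sort).
    enforced.sort(key=lambda pair: -pair[0])
    return normal + [link for _, link in enforced]

def resolve(chain, local=None):
    """Merge settings in application order; returns {setting: (value, winning GPO)}."""
    result = {k: (v, "Local Group Policy") for k, v in (local or {}).items()}
    for link in precedence(chain):
        result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return result

def sample_chain(block=True):
    """Constructed GPO names and setting labels, for illustration only."""
    return [
        Container("Site", [Link("Site-Proxy", 1, settings={"Proxy": "hq"})]),
        Container("Domain", [
            Link("Domain-Default", 2, settings={"MinPwdLen": 8, "LockMinutes": 15}),
            Link("Domain-Baseline", 1, enforced=True, settings={"MinPwdLen": 14})]),
        Container("OU=Workstations", [Link("WS-Lock", 1, settings={"LockMinutes": 10})]),
        Container("OU=Kiosks", [
            Link("Kiosk-A", 2, settings={"LockMinutes": 0, "MinPwdLen": 6}),
            Link("Kiosk-B", 1, settings={"LockMinutes": 5})], block_inheritance=block)]
```

Calling `resolve(sample_chain(), {"LockMinutes": 30})` shows the enforced domain baseline still setting the password length on the blocked Kiosks OU, while the site and parent OU links are dropped.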

Disabling a GPO

By default, both the Computer Configuration and User Configuration policy settings of a GPO are enabled and applied to all users and computers present in the container to which the GPO is linked. However, situations may arise in which the GPO has to be disabled for a particular period of time. To disable a GPO, follow these steps:

  • In the left pane of the GPMC snap-in, double-click the container to see a list of GPOs linked to that container
  • Select the GPO which has to be disabled. In the right pane, select the Details Tab
  • In the GPO status drop-down list, select one of the following:
    • “All settings disabled” to disable the GPO
    • “Computer Configuration Settings disabled” to disable only the policy settings configured under computer configuration
    • “User Configuration Settings disabled” to disable only the policy settings configured under user configuration