Tuesday, April 20, 2010

Group Policy inheritance

No Override as Compared to Block Policy Inheritance


You can set No Override on a specific Group Policy object link so that Group Policy objects linked at a lower level of Active Directory — closer to the recipient user or computer account — cannot override that policy. If you do this, Group Policy objects linked at the same level, but not as No Override, are also prevented from overriding. If you have several links set to No Override at the same level of Active Directory, then you need to prioritize them. Links higher in the list have priority on all Configured (that is, Enabled or Disabled) settings.

If you have linked a specific Group Policy object to a domain, and set the Group Policy object link to No Override, then the configured Group Policy settings that the Group Policy object contains apply to all organizational units under that domain. Group Policy objects linked to organizational units cannot override that domain-linked Group Policy object.

You can also block inheritance of Group Policy from above in Active Directory. This is done by checking Block Policy inheritance on the Group Policy tab of the Properties sheet of the domain or organizational unit. This option does not exist for a site.

Some important facts about No Override and Block Policy are listed below:

• No Override is set on a link, not on a site, domain, organizational unit, or Group Policy object.

• Block Policy Inheritance is set on a domain or organizational unit, and therefore applies to all Group Policy objects linked at that level or higher in Active Directory which can be overridden.

• No Override takes precedence over Block Policy Inheritance if the two are in conflict.
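The rules above can be checked with a small model. This is an added example, not code from the original post or from Microsoft: a simplified Python simulation of how No Override and Block Policy Inheritance decide which GPO wins each setting. The class names, GPO names and setting names are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict               # only Configured (Enabled/Disabled) settings
    no_override: bool = False    # flag lives on the link, not on the GPO

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # index 0 = top of the link list
    block_inheritance: bool = False             # domain or OU only

def effective_settings(path):
    """path: containers from the domain down to the OU holding the account.
    Returns {setting: (value, winning GPO name)}."""
    normal, forced = [], []      # both kept lowest-precedence first
    for container in path:
        if container.block_inheritance:
            normal.clear()       # drops inherited links, never No Override ones
        level_forced = []
        for link in reversed(container.links):  # bottom of the list applies first
            (level_forced if link.no_override else normal).append(link)
        # Higher-level No Override links must win, so deeper levels go in front.
        forced = level_forced + forced
    result = {}
    for link in normal + forced:  # last writer wins
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

def sample_path(block=True):
    """Constructed sample: one domain and one OU with made-up GPOs and settings."""
    domain = Container("example.test", [
        Link("Baseline", {"ScreenSaverTimeout": 600, "RemovableStorage": "Disabled"}, no_override=True),
        Link("Domain Defaults", {"ScreenSaverTimeout": 900, "ControlPanel": "Enabled"}),
    ])
    ou = Container("Workstations", [
        Link("OU Policy", {"ScreenSaverTimeout": 1800, "RemovableStorage": "Enabled"}),
    ], block_inheritance=block)
    return [domain, ou]

if __name__ == "__main__":
    for name, (value, gpo) in sorted(effective_settings(sample_path()).items()):
        print(f"{name} = {value}  (from {gpo})")
```

With Block Policy Inheritance set on the OU, the domain's ordinary link disappears from the result while the No Override link still wins every setting it configures, which is the conflict case in the last bullet.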

If you want to see what a Group Policy object is linked to, open it in the Group Policy console, right-click the root node, click Properties, and then click the Links tab. Click Find Now after setting the domain on the drop-down menu.
