Re: Group Policy precedence question



Inline
*****I guess what I meant was can you block inheritance of the Default
Domain Policy. I'll explain: If the Default Domain Policy has a "must
change password" policy, can you block inheritance with, say, an OU
called SysAdmins and block inheritance? I always thought you could NOT
block inheritance on the Default Domain Policy, just other regular
GPOs. I don't believe you could create a GPO than the Default Domain
Policy.***

- Account security settings are only applied from policy at the domain level.
  Microsoft recommends you put these security settings in the default domain
  policy. It is possible to put account security settings in multiple policies
  at the domain level, and they will be processed according to normal Group
  Policy Object (GPO) priority using the "last writer wins" rule.
- It is possible to define security in GPOs applied to organizational units
  (OUs), but they WILL ONLY APPLY TO THE LOCAL SECURITY policy of clients
  that are members of the domain. When a user logs in to the domain, he or she
  will get the security settings from the DOMAIN POLICY - not the local
  policy.
- The security settings that domain controllers apply to clients upon a
  successful user logon are those that are stored in the DC's local
  secedit.sdb security database.
- The DC gets the ACCOUNT SECURITY settings from the domain policy and
  applies them to its local .sdb. Note that this applies only to the account
  security settings, not to any other policy setting.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"mikesic" <michaelsic@xxxxxxxxx> wrote in message
news:1155167979.042505.272870@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Jorge....see my questions below:

Jorge Silva wrote:
Hi

I'm glad that MS gave us the option of (not to expire), or else we would be
in deep shi... with service accounts... Expiring all the time.

1) Can you override the Default Group Policy?

- What do you mean...? If you're talking about Password policy then all you
have to do is to create a new Policy at domain level with higher than the
Default Domain Policy. If you're talking about others then as you said:
precedence is Local Policy, Site, Domain, OU, Sub-OU, so all policies
applied at OU, sub OU level override the Default Domain Policy (the
exceptions are: if you're using Loopback policy, Block Policy inheritance,
or Enforce policy "No Override option").

*****I guess what I meant was can you block inheritance of the Default
Domain Policy. I'll explain: If the Default Domain Policy has a "must
change password" policy, can you block inheritance with, say, an OU
called SysAdmins and block inheritance? I always thought you could NOT
block inheritance on the Default Domain Policy, just other regular
GPOs. I don't believe you could create a GPO than the Default Domain
Policy.***

Not sure what you mean, but: the enforce option "No Override" overrides
the Block Policy inheritance.

***This is really a follow up to the above. If you indeed CAN block
the Default Domain Policy, then can you apply the No Override to
prevent this? I was under the impression that the Default Domain
Policy was special, and behaved differently than other GPOs in that
this is where you define password policies for the entire domain. But
where in the precedence order does putting a setting directly in the
user account properties fall??? Does this setting override everything
in AD??? ****
--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
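
Added example, not part of the original posts: a read-only PowerShell audit of the behaviour described in the reply above, showing the account policy that domain accounts receive, the domain-level GPO links in precedence order, and any OU-linked GPOs whose account settings reach only local accounts. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the helper name Get-AccountPolicySetting is hypothetical.

```powershell
# Added example (not from the thread). Read-only; needs the ActiveDirectory
# and GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical helper: names of the account-policy settings (password,
# lockout, Kerberos) a GPO defines, taken from the <Account> elements of
# its XML report. local-name() avoids depending on the namespace prefix.
function Get-AccountPolicySetting {
    param([guid]$GpoId)
    [xml]$report = Get-GPOReport -Guid $GpoId -ReportType Xml
    $report.SelectNodes("//*[local-name()='Account']/*[local-name()='Name']") |
        ForEach-Object { $_.InnerText }
}

$domainDn = (Get-ADDomain).DistinguishedName

# 1. The account policy that domain accounts actually receive.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold |
    Format-List

# 2. GPOs linked at the domain root. Order 1 has the highest precedence, so
#    with several account-policy GPOs here the lowest Order wins a conflict.
(Get-GPInheritance -Target $domainDn).GpoLinks | Sort-Object Order | ForEach-Object {
    [pscustomobject]@{
        Order           = $_.Order
        Gpo             = $_.DisplayName
        Enabled         = $_.Enabled
        Enforced        = $_.Enforced
        AccountSettings = (Get-AccountPolicySetting -GpoId $_.GpoId) -join ', '
    }
} | Format-Table -AutoSize

# 3. OU-linked GPOs that define account settings. These reach only the local
#    accounts of computers in that OU, whether or not inheritance is blocked.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $inh = Get-GPInheritance -Target $_.DistinguishedName
    foreach ($link in $inh.GpoLinks) {
        $settings = Get-AccountPolicySetting -GpoId $link.GpoId
        if ($settings) {
            [pscustomobject]@{
                OU                 = $_.DistinguishedName
                Gpo                = $link.DisplayName
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                AccountSettings    = $settings -join ', '
            }
        }
    }
} | Format-List
```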


