microsoft.public.windows.server.security
Posted by Mary M on September 13, 2006, 8:31 am
If you set group policies on a computer using GPEDIT and then add the
computer to a DOMAIN which also has Group Policies (Group Policy Mgnt
Console) which will be in effect? Will it combine both? Which has priority?
Many thanks in advance.
Posted by Steven L Umbach on September 13, 2006, 9:15 pm
Group Policies are applied in this order and the last applied policy takes
precedence if there are the same settings defined in another Group Policy.
Local>site>domain>OU>child OU. If you have defined settings locally and they
are not defined in any domain/OU Group Policy then the local setting will
apply. For XP Pro you can simply run rsop.msc on the domain computer to see
what Group Policy settings apply to the computer and user and the GPO that
is applying the setting.
Steve
> If you set group policies on a computer using GPEDIT and then add the
> computer to a DOMAIN which also has Group Policies (Group Policy Mgnt
> Console) which will be in effect? Will it combine both? Which has
> priority?
> Many thanks in advance.
>
Posted by Mary M on September 14, 2006, 10:41 am
Thanks for the reply,
> If you have defined settings locally and they are not defined in any
> domain/OU Group Policy then the local setting will apply."
What happens if there are some in both local and domain.OU?
For example: Local GPEDIT sets Autoplay off. Domain/OU policy sets desktop
clean up off. Will both settings be in effect or just the local policy?
Many thanks again..
> Group Policies are applied in this order and the last applied policy takes
> precedence if there are the same settings defined in another Group Policy.
> Local>site>domain>OU>child OU. If you have defined settings locally and
> they are not defined in any domain/OU Group Policy then the local setting
> will apply. For XP Pro you can simply run rsop.msc on the domain computer
> to see what Group Policy settings apply to the computer and user and the
> GPO that is applying the setting.
> Steve
>> If you set group policies on a computer using GPEDIT and then add the
>> computer to a DOMAIN which also has Group Policies (Group Policy Mgnt
>> Console) which will be in effect? Will it combine both? Which has
>> priority?
>> Many thanks in advance.
>
Posted by Roger Abell [MVP] on September 14, 2006, 11:26 am
Hi Mary,

There are two situations that can arise, and keep in mind that
each policy setting is handled individually.
Either a particular policy is set in only one place, or it is set in
more than one (ex. local policy and some GPO).

In the first case, whatever gets set in only one place will have
effect. In the second case, the last processed will be the one
used for application. Since local policy is always processed
first, what is set there will only apply if set nowhere else.
Local policy is always the loser.

Let's say local policy sets three policy settings.
One is set nowhere else, and so it is applied.

One is set also in a GPO linked to the domain, and what is
set in the domain linked GPO differs from the setting in the
local policy (ex. one says on, the other says off). In this case,
since domain linked GPOs are processed after local policy
the setting for this policy from the domain linked GPO will
overwrite what had been seen when the local policy was
processed.

The last case, where local policy and two GPOs set different
values for the same policy setting, again local loses as it will
be overwritten when processing the AD based GPOs. Which
GPO carries the setting that wins is determined by the order of
application for AD based GPOs, i.e. Site, Domain, OU, subOU.
After these have all been processed there is one resulting set of
policy settings that get applied.

Hopefully you can generalize from here to any scenario, the
local policy and then the AD based GPOs being read in order
and stored (writing on top of each other if the same policy setting
is set) into a temp list of policies that are used. Then after all
these have been read, the result is applied.

Now, there are a couple of things that can alter this.
AD based GPOs can be marked as Enforced (previously No
Override). In this case the accumulation of the resulting policies
does not process this enforced GPO in the
Site, Domain, OU, subOU ... order, but rather, after that
accumulation completes, and Enforced GPOs are processed
into the accumulation in reverse order SubOU, OU, Domain
so that the highest GPO in the infrastructure hierarchy that has
been marked Enforced will be guaranteed that what is set in
it will not be ignored/overwritten by later processed (in forward
order) GPOs. Local policy cannot be Enforced - it ALWAYS
loses.

The other way the processing can be modified is that a container
to which GPOs can be linked can be marked to Block Inheritance.
When this happens, GPOs linked higher in the infrastructure
hierarchy (earlier in the forward processing order) are not processed.
An example would be an OU marked to block policy inheritance.
In that example, any GPOs linked to a parent OU or the domain
would not get applied to objects in the blocking OU.
Roger
> Thanks for the reply,
>> If you have defined settings locally and they are not defined in any
>> domain/OU Group Policy then the local setting will apply."
> What happens if there are some in both local and domain.OU?
> For example: Local GPEDIT sets Autoplay off. Domain/OU policy sets desktop
> clean up off. Will both settings be in effect or just the local policy?
> Many thanks again..
>> Group Policies are applied in this order and the last applied policy
>> takes precedence if there are the same settings defined in another Group
>> Policy. Local>site>domain>OU>child OU. If you have defined settings
>> locally and they are not defined in any domain/OU Group Policy then the
>> local setting will apply. For XP Pro you can simply run rsop.msc on the
>> domain computer to see what Group Policy settings apply to the computer
>> and user and the GPO that is applying the setting.
>> Steve
>>> If you set group policies on a computer using GPEDIT and then add the
>>> computer to a DOMAIN which also has Group Policies (Group Policy Mgnt
>>> Console) which will be in effect? Will it combine both? Which has
>>> priority?
>>> Many thanks in advance.
>
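Added example, not part of the original thread: a small Python model of the processing order described in Roger's reply (local policy first, then Site, Domain, OU, subOU with later writes winning, then Enforced GPOs in reverse order, with Block Inheritance skipping GPOs linked higher up). The GPO and setting names are constructed, and treating Enforced GPOs as unaffected by Block Inheritance is an assumption taken from documented Active Directory behaviour, not from the post.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict
    enforced: bool = False          # "Enforced" (formerly "No Override")

@dataclass
class Container:                    # a site, domain or OU that GPOs are linked to
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def resolve(local_policy, containers):
    """containers are in forward order: Site, Domain, OU, subOU.
    Returns {setting: (value, winning source)}."""
    # Block Inheritance: GPOs linked above the lowest blocking container are skipped.
    first_kept = max((i for i, c in enumerate(containers) if c.block_inheritance), default=0)
    # Local policy is read first, so anything set later overwrites it.
    result = {k: (v, "Local policy") for k, v in local_policy.items()}
    enforced = []
    for i, c in enumerate(containers):
        for gpo in c.gpos:
            if gpo.enforced:
                # Held back for the second pass. Assumption: not subject to blocking.
                enforced.append((c, gpo))
            elif i >= first_kept:
                for k, v in gpo.settings.items():
                    result[k] = (v, f"{gpo.name} ({c.name})")   # later write wins
    # Second pass in reverse order, so the highest Enforced GPO is written last.
    for c, gpo in reversed(enforced):
        for k, v in gpo.settings.items():
            result[k] = (v, f"{gpo.name} ({c.name}, Enforced)")
    return result

# Constructed sample data, loosely following the Autoplay / desktop clean up question.
LOCAL = {"Autoplay": "off", "ScreenSaver": "off"}

def sample(block_ou=False):
    return [
        Container("Site"),
        Container("Domain", [Gpo("Baseline", {"DesktopCleanup": "off", "ScreenSaver": "on"}),
                             Gpo("Lockdown", {"Wallpaper": "corp"}, enforced=True)]),
        Container("OU", [Gpo("Dept", {"Wallpaper": "dept"})], block_inheritance=block_ou),
    ]

if __name__ == "__main__":
    for blocked in (False, True):
        print("OU blocks inheritance:", blocked)
        for setting, (value, source) in sorted(resolve(LOCAL, sample(blocked)).items()):
            print(f"  {setting:15} = {value:5} from {source}")
```

On a real domain member, rsop.msc (mentioned earlier in the thread) shows the actual result and the GPO that supplied each setting; this model only illustrates why a given GPO wins.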
Posted by Mary M on September 14, 2006, 11:26 am
Wow, Thank you very much!
> Hi Mary,
> There are two situations that can arise, and keep in mind that
> each policy setting is handled individually.
> Either a particular policy is set in only one place, or it is set in
> more than one (ex. local policy and some GPO)
> In the first case, whatever gets set in only one place will have
> effect. In the second case, the last processed will be the one
> used for application. Since local policy is always processed
> first, what is set there will only apply if set nowhere else.
> Local policy is always the loser.
> Let's say local policy sets three policy settings.
> One is set nowhere else, and so it is applied.
> One is set also in a GPO linked to the domain, and what is
> set in the domain linked GPO differs from the setting in the
> local policy (ex. one says on, the other says off). In this case,
> since domain linked GPOs are processed after local policy
> the setting for this policy from the domain linked GPO will
> overwrite what had been seen when the local policy was
> processed.
> The last case, where local policy and two GPOs set different
> values for the same policy setting, again local loses as it will
> be overwritten when processing the AD based GPOs. Which
> GPO carries the setting that wins is determined by the order of
> application for AD based GPOs, i.e. Site, Domain, OU, subOU.
> After these have all been processed there is one resulting set of
> policy settings that get applied.
> Hopefully you can generalize from here to any scenario, the
> local policy and then the AD based GPOs being read in order
> and stored (writing on top of each other if the same policy setting
> is set) into a temp list of policies that are used. Then after all
> these have been read, the result is applied.
> Now, there are a couple of things that can alter this.
> AD based GPOs can be marked as Enforced (previously No
> Override). In this case the accumulation of the resulting policies
> does not process this enforced GPO in the
> Site, Domain, OU, subOU ... order, but rather, after that
> accumulation completes, and Enforced GPOs are processed
> into the accumulation in reverse order SubOU, OU, Domain
> so that the highest GPO in the infrastructure hierarchy that has
> been marked Enforced will be guaranteed that what is set in
> it will not be ignored/overwritten by later processed (in forward
> order) GPOs. Local policy cannot be Enforced - it ALWAYS
> loses.
> The other way the processing can be modified is that a container
> to which GPOs can be linked can be marked to Block Inheritance.
> When this happens, GPOs linked higher in the infrastructure
> hierarchy (earlier in the forward processing order) are not processed.
> An example would be an OU marked to block policy inheritance.
> In that example, any GPOs linked to a parent OU or the domain
> would not get applied to objects in the blocking OU.
> Roger
>> Thanks for the reply,
>>> If you have defined settings locally and they are not defined in any
>>> domain/OU Group Policy then the local setting will apply."
>> What happens if there are some in both local and domain.OU?
>> For example: Local GPEDIT sets Autoplay off. Domain/OU policy sets
>> desktop clean up off. Will both settings be in effect or just the local
>> policy?
>> Many thanks again..
>>> Group Policies are applied in this order and the last applied policy
>>> takes precedence if there are the same settings defined in another Group
>>> Policy. Local>site>domain>OU>child OU. If you have defined settings
>>> locally and they are not defined in any domain/OU Group Policy then the
>>> local setting will apply. For XP Pro you can simply run rsop.msc on the
>>> domain computer to see what Group Policy settings apply to the computer
>>> and user and the GPO that is applying the setting.
>>> Steve
>>>> If you set group policies on a computer using GPEDIT and then add the
>>>> computer to a DOMAIN which also has Group Policies (Group Policy Mgnt
>>>> Console) which will be in effect? Will it combine both? Which has
>>>> priority?
>>>> Many thanks in advance.
>