Multiple GPO's on on OU
I know that the lowest GPO in the inheritance list for the OU gets the latest setting, but my question is. If I set a policy to yes and configure it at the top gpo, then at the bottom gpo I don't have those same settings, I have other settings set, do they override the top settings?
I'm asking this because I'm currently working on ntp settings for the domain. The policy will only affect those settings, so they won't have any of the other GP Policies.
I'm asking this because I'm currently working on ntp settings for the domain. The policy will only affect those settings, so they won't have any of the other GP Policies.
0 Comments
[ + ] Show comments
Answers (1)
Please log in to answer
Posted by:
Chipster
17 years ago
Policy application order is LSDOU, Local, Site, Domain, then OU.
In the case of multiple policies on an OU or at the domain level, they apply in order specified.
So say you set on the local machine a policy that removes the display tab. Then there's a Domain policy for various settings, and 5 policies that apply from the OUs. Provided that none of the other policies have the display properties configured, the original setting wins.
The default setting for all policy items is Not configured. This means that nothing happens when the poolicy is evaluated.
Let's say then that you have a policy that is applied to multiple OUs and this policy removes the run command from the start menu. Let's say that you want to allow the run command only for a specific group on one OU and leave all other policies the same in that GPO. The policy that removes it is set to Disabled. One way to do it would be to create another policy that you ENABLE the run command. then you link this new GPO to the same OU as the command that removes it. Nothing happens... Oops, policy appllication order. Once you change the application order such that the GPO that enables the run command is higher than the one that removes it, the run command returns. You could then apply that GPo only to a specific group so that not everyone is affected. But this is a more complex application than yours. :)
Bottom line is no, a policy without settings configured won't alter a policy whose settings are configured.
In the case of multiple policies on an OU or at the domain level, they apply in order specified.
So say you set on the local machine a policy that removes the display tab. Then there's a Domain policy for various settings, and 5 policies that apply from the OUs. Provided that none of the other policies have the display properties configured, the original setting wins.
The default setting for all policy items is Not configured. This means that nothing happens when the poolicy is evaluated.
Let's say then that you have a policy that is applied to multiple OUs and this policy removes the run command from the start menu. Let's say that you want to allow the run command only for a specific group on one OU and leave all other policies the same in that GPO. The policy that removes it is set to Disabled. One way to do it would be to create another policy that you ENABLE the run command. then you link this new GPO to the same OU as the command that removes it. Nothing happens... Oops, policy appllication order. Once you change the application order such that the GPO that enables the run command is higher than the one that removes it, the run command returns. You could then apply that GPo only to a specific group so that not everyone is affected. But this is a more complex application than yours. :)
Bottom line is no, a policy without settings configured won't alter a policy whose settings are configured.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
so that the conversation will remain readable.