|
Home > Archive > 70-217 > November 2002 > Site GPO
|
|
| mcorpuz 2002-11-15, 10:36 pm |
| Will GPOs applied at the site level apply to all domains in the site...even though domains represent security boundaries? | |
| Pavlov 2002-11-16, 9:37 am |
| Group Policy settings are processed in the following order:
Local Group Policy object: Each Windows computer has exactly one Group Policy object that is stored locally.
Site: Any Group Policy objects that have been linked to the site are processed next. Processing is synchronous and in an order that is specified by the administrator.
Domain: Processing of multiple domain-linked Group Policy objects is synchronous and in an order specified by the administrator.
Organizational units: Group Policy objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy objects that are linked to its child organizational unit, and so on. Finally, the Group Policy objects that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy objects can be linked. If several Group Policy objects are linked to an organizational unit, their processing is synchronous and in an order that is specified by the administrator.
This order means that the local Group Policy object is processed first, and Group Policy objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy objects.
There are exceptions to this:
The default order for processing settings is subject to the following exceptions:
Any Group Policy object that is linked to a site, domain, or organizational unit (not a local Group Policy object) can be set to No Override with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. When more than one Group Policy object has been set to No Override, the one that is highest in the Active Directory hierarchy (or higher in the hierarchy that is specified by the administrator at each fixed level in Active Directory) takes precedence.
Note that No Override and Disabled are settings on Group Policy object links, not on the Group Policy objects. A Group Policy object can be linked several times to the same organizational unit, and No Override and Disabled can be configured independently on each of the links. (Although multiple links from one Group Policy object to a single organizational unit are seldom useful, this capability illustrates the flexibility of the Group Policy infrastructure.)
At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as Block Policy inheritance. Group Policy object links that are set to No Override are always applied, however, and they cannot be blocked.
The Block Policy inheritance setting is applied directly to the site, domain, or organizational unit. It is not applied to Group Policy objects, nor is it applied to Group Policy object links. Block Policy inheritance deflects all Group Policy settings that would reach the site, domain, or organizational unit from above (by way of links to parents in the Active Directory hierarchy), no matter what Group Policy objects those settings originate from. However, Block Policy inheritance does not deflect Group Policy settings from Group Policy objects that are linked directly to the site, domain, or organizational unit that has Block Policy inheritance enabled.
Loopback: This is an advanced Group Policy setting that is useful on computers in certain closely managed environments, such as kiosks, laboratories, classrooms, and reception areas. For a description of loopback, click the Explain tab after you double-click User Group Policy loopback processing mode in the details pane of the Microsoft Management Console (MMC).
<whew> Hope this helped  | |
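The processing order and the two exceptions described in the post above, modelled as an added example (not part of the original thread). The container, GPO and setting names are constructed, and the model assumes the local GPO is never affected by Block Policy inheritance.

```python
from collections import namedtuple

# No Override and Disabled live on the link; Block Policy inheritance on the container.
Link = namedtuple("Link", "gpo no_override disabled", defaults=(False, False))
Container = namedtuple("Container", "name links block_inheritance", defaults=(False,))

def processing_order(chain):
    """chain runs site -> domain -> OUs, top to bottom.
    Returns GPO names in the order applied; later entries win conflicts."""
    # Links above the lowest blocking container are deflected.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for link in container.links:      # administrator-specified order
            if link.disabled:
                continue
            if link.no_override:          # cannot be blocked
                enforced.append((depth, link.gpo))
            elif depth >= cutoff:
                normal.append(link.gpo)
    # No Override links are applied last, the highest container last of all.
    enforced.sort(key=lambda item: -item[0])
    # Assumption of this model: the local GPO is always processed first.
    return ["Local GPO"] + normal + [gpo for _, gpo in enforced]

def effective(order, settings):
    """Merge per-GPO settings in processing order and record the winning GPO."""
    result = {}
    for gpo in order:
        for key, value in settings.get(gpo, {}).items():
            result[key] = (value, gpo)
    return result

# Constructed scenario: enforced site link, blocked domain link, kiosk OU.
CHAIN = [
    Container("Site:HQ", [Link("Site-Proxy", no_override=True)]),
    Container("Domain", [Link("Default Domain Policy"),
                         Link("Domain-Baseline", no_override=True)]),
    Container("OU=Kiosks", [Link("Kiosk-Lockdown"), Link("Old-Test", disabled=True)],
              block_inheritance=True),
]
SETTINGS = {
    "Local GPO": {"proxy": "none"},
    "Default Domain Policy": {"wallpaper": "corp.bmp"},
    "Domain-Baseline": {"min_pw_len": 8},
    "Kiosk-Lockdown": {"proxy": "kiosk-proxy", "run_menu": "hidden"},
    "Site-Proxy": {"proxy": "site-proxy"},
}
```
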
| dwatts 2002-11-16, 10:06 am |
| To answer your question - YES. However, the object only exists in the domain in which it was created- so the template files only exist on DC's in that domain. | |
|
| quote: Originally posted by dwatts
To answer your question - YES. However, the object only exists in the domain in which it was created- so the template files only exist on DC's in that domain.
what do you mean? | |
| dwatts 2002-11-16, 5:25 pm |
| You know what - I'll let you figure it out yourself. if you do not know what I mean, then you might not yet quite understand how Group Policy works.
Look up these acronyms:
GPC and GPT.
If you REALLY want me to explain - ask again. Not trying to be a git, but I think you're better off doing a tad of research.
CLUE: Remember - GPO definitions (I wonder if there is another name for this term? ) are stored in the DOMAIN partition of AD. In the context of this question, why would that be important? | |
|
| quote: Originally posted by dwatts
You know what - I'll let you figure it out yourself. if you do not know what I mean, then you might not yet quite understand how Group Policy works.
Look up these acronyms:
GPC and GPT.
If you REALLY want me to explain - ask again. Not trying to be a git, but I think you're better off doing a tad of research.
CLUE: Remember - GPO definitions (I wonder if there is another name for this term? ) are stored in the DOMAIN partition of AD. In the context of this question, why would that be important?
are you crazy?
i'm only asking what do you mean, i don't understand your point. and i know what GPO is, i work with GPO since 1999. | |
| dwatts 2002-11-16, 8:31 pm |
| Yes, I am crazy.
However, if you know what a GPC and GPT is - then I fail to understand how you could not have understood my statement.
--Shrug--
Usually, when you get a GPO, you have to pull the GPT. You get this from a DC in your domain. In the case of a site that covers multiple domains, then only SOME of the DC's in that site will have the GPT. So, a DC that is affected by the policy - that is NOT a member of the domain in which the GPO was created - has to contact a DC from the originating domain each time - in order to grab the GPT. This is certainly non-optimal.
Hence my statement "the object only exists in the domain in which it was created- so the template files only exist on DC's in that domain."
Using GPO's and understanding how they work under the covers, are two entirely different things. If you understand GPC's and GPT's then I would have considered my point to have been self-evident. As a study guide for anyone else reading this thread - if you want to know how they work, look up GPT's and GPC's. The acronym "GPO" is a misnomer, it is a term used to encompass a high-level view of a feature of Windows 2k. It says nothing about the architecture of the technology - and how it is implemented before saying what is and what is not targetable. | |
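The GPC/GPT point made in the post above, as an added example that is not part of the original thread: it parses a site object's `gPLink` value and flags linked GPOs whose home domain differs from the client's, so an administrator can see which site links depend on another domain's DCs and administrators. The `gPLink` string, GUIDs and domain names are constructed, the function names are hypothetical, and the GPT path follows the conventional SYSVOL layout.

```python
import re

# Each gPLink entry is [LDAP://<DN of the GPC>;<options>]
LINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)

def dn_to_dns(dn):
    """Join the DC= components of a DN into a DNS domain name."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def audit_site_links(gplink, client_domain):
    """Return one record per GPO link found in a site's gPLink value."""
    rows = []
    for match in LINK_RE.finditer(gplink):
        dn, opts = match["dn"], int(match["opts"])
        home = dn_to_dns(dn)                      # domain partition holding the GPC
        guid = dn.split(",")[0].split("=", 1)[1]  # first RDN is cn={GUID}
        rows.append({
            "guid": guid,
            "home_domain": home,
            "disabled": bool(opts & 1),           # link option bit 1
            "no_override": bool(opts & 2),        # link option bit 2
            # GPT: the template files, held in SYSVOL on the home domain's DCs
            "gpt_path": "\\".join(["", "", home, "SysVol", home, "Policies", guid]),
            # True when the client must reach DCs of another domain for the GPT
            "cross_domain": home != client_domain.lower(),
        })
    return rows

# Constructed gPLink value for a site that spans two domains.
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,"
    "DC=corp,DC=example;2]"
    "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=policies,cn=system,"
    "DC=emea,DC=corp,DC=example;0]"
)

def cross_domain_links(gplink, client_domain):
    """GUIDs of active site-linked GPOs stored outside the client's domain."""
    return [r["guid"] for r in audit_site_links(gplink, client_domain)
            if r["cross_domain"] and not r["disabled"]]
```
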
| jvazquez 2002-11-19, 4:25 pm |
| quote: Originally posted by dwatts
Yes, I am crazy.
However, if you know what a GPC and GPT is - then I fail to understand how you could not have understood my statement.
i don't get your statement either.
and yes, you are crazy, no doubt... this forum is for helping people...not for offending...  | |
| Tech Ranger 2002-11-19, 8:50 pm |
| dwatts, your comments here are inappropriate. I will assume that you are in a bad mood. We are all here supposedly to help each other. cm2gj sought your help, and you attacked him. I just don't get it. | |
| Slinky 2002-11-19, 11:16 pm |
| You won't be seeing him much anymore, since he thinks Deja-vue's QoDs are spam. Which is really too bad, because he was probably the most knowledgeable person regarding Active Directory that I've seen here so far. | |
| cm2gj 2002-11-19, 11:48 pm |
| quote: Originally posted by Tech Ranger
dwatts, your comments here are inappropriate. I will assume that you are in a bad mood. We are all here supposedly to help each other. cm2gj sought your help, and you attacked him. I just don't get it.
sorry. i just only get a poor english. |
|
|
|
|