Home > Archive > 70-217 > January 2004 > LSDO? Or Am I Tripping?





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author LSDO? Or Am I Tripping?
Blubells

2004-01-26, 4:43 pm

Ok, heres the deal. I ALWAYS thought that Group Policy was applied Bottom Up, Local - Site - Domain -OU.

But thinking about it , why is the OU further up the hierarchy than the domain? Or is this a control thing?
jeff_j_black

2004-01-26, 5:53 pm

There are items that can only be set in Domain Policy, such as password and account policies. Domain policy can be set to 'no-override' as well which will overcome 'block policy inheritance' set on an OU. So the OU policy does not get the 'final say' just the 'last word'.

Think of the kind of things you might want to apply at the various levels. OU provide the most granular targets for things such as software intallation, desktop configurations etc. So it makes sense. It is less a matter of power struggle than it is a matter of applying the most granular settings closer to the end user.
aznluvsmc

2004-01-27, 4:21 pm

The order that GPOs are applied is Local - Site - Domain - OU. Within each level there can be more than one GPO specified. When more than one GPO is specified within a level, the GPOs are applied from bottom to top.

For example, if I have 3 GPOs defined at the OU level like this:

GPO A
GPO B
GPO C

Then the GPOs are applied in the order of C - B - A within that OU.

If the GPOs were defined like this:

GPO B
GPO A
GPO C

The the GPOs are applied in the order of C - A - B.

Hope that cleared things up.
Blubells

2004-01-28, 4:06 am

Thanks guys

I seem to be struggling more with situations where there is a conflict between GPO's .

For example

GPO A Is applied to Blubells.com which restricts use of the control panel

GPO B Is applied to the Glasgow Site which enables Control Panel

GPO C Is Applied to Sales.BluBells.com which is in the Glasgow site, which enables access only to the display applet in control panel

Whats the effective policy?

Farked if I know

Presented this question I would have said that

Domain Users would not have access to control panel

Glasgow Site : No Access To Control Panel

Sales OU : Access only to display

Is my reasoning correct?
aznluvsmc

2004-01-28, 9:59 am

In this case:

The site would have access to the Control Panel.

The Blubell.com domain would have the restriction applied to them.

Sales.Blubell.com can the display Control Panel.

I'm assuming the Blubell.com domain is part of the Glasgow site.
jeff_j_black

2004-01-28, 11:03 am

Seems reasonable enough...

Remember that Domain and OU objects are logical AD components and Sites are physical AD components. For the most part I have heard it is best not to use sites for applying GPO, maybe to specify Internet Proxy and other site related settings. But Sites can contain more than one Domain and can give you issues concerning where the GPO actually resides.
Sponsored Links





Free Braindumps | MCSE braindumps software forum

Copyright 2003 - 2008 examnotes.net