How do inheritance and precedence work in Group Policy?


Kid Chameleon
I have a policy at the root of my domain called Default Domain Policy that doesn't limit USB and in a child OU I have a separate policy applied to disable USB storage devices for specific workstations.

The Default Domain Policy gets inherited by the same OU that has the policy applied to disable USB on specific workstations.

This TechNet article says, "If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence sets the setting." (http://technet.microsoft.com/en-us/library/cc757050(WS.10).aspx?ppud=4)

According to the article the Default Domain Policy will have a higher precedence, so does that mean that the Disable USB Policy will be ignored since its settings conflict with the Default Domain Policy?

This is a Windows 2003 domain with Windows XP workstations.
    NetMan1958

    Have you run gpresult on one of the target workstations to see if the GPO that disables the USB devices is getting applied?

    Kid Chameleon

    Thanks, I hadn't tried that. I checked a workstation just now and it shows that both policies are being applied. I'll check the registry settings for more specifics to see which takes precedence.

    NetMan1958

    The Technet article you referred to in your original post is an excellent reference. Did you read this part:
    "You can view the precedence order of GPOs for a given site, domain or organizational unit by navigating to the Group Policy Inheritance tab for any site, domain, or organizational unit. Note that when looking on the Group Policy Inheritance tab for a domain or organizational unit, GPOs linked to sites are not shown. This is the specific site that a computer is in is not known ahead of time. Also, when viewing a site, the only difference between the Group Policy Inheritance tab and the Linked Group Policy Objects tab is that the former takes into account the enforcement (described below) attribute." ?

    Take a look at the Group Policy Inheritance tab for the OU those computers are in and see if the Default Domain Policy is set to "enforced".

    Kid Chameleon

    I checked the inheritance tab and that definitely helps. The higher up in the tree the more precedence the policy has, so the Default Domain Policy has first precedence.

    I ended up creating two different OUs, one for enabled USB and one for disabled USB. This way there aren't any issues with conflicting policy settings and precedence.

    Thanks for the help, NetMan!

    Mike Barron

    If the USB setting in the default domain policy is set to "not configured", it will have no effect on the OU policy.
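
Added example, not part of the thread and not Microsoft's code: a small Python model of how the winning value for one setting is picked between the two GPOs discussed above, covering the "not configured" and "enforced" cases the replies mention. The setting key `usb_storage` and its values are constructed for illustration; site-linked GPOs, local policy and Block Inheritance are left out.

```python
from dataclasses import dataclass, field

@dataclass
class GpoLink:
    name: str
    # Setting name -> value. A missing key models "Not Configured".
    settings: dict = field(default_factory=dict)
    enforced: bool = False  # the link's "Enforced" attribute

def precedence(containers):
    """Order GPO links from highest to lowest precedence.

    containers: list of link lists, ordered domain root -> computer's OU.
    Each inner list is in link order (index 0 = link order 1).
    """
    # Enforced links come first; an enforced link higher in the tree wins.
    enforced = [l for links in containers for l in links if l.enforced]
    # Otherwise the GPO linked closest to the computer wins.
    normal = [l for links in reversed(containers)
              for l in links if not l.enforced]
    return enforced + normal

def resolve(setting, containers):
    """Return (value, winning GPO), or (None, None) if nothing configures it."""
    for link in precedence(containers):
        if setting in link.settings:  # "Not Configured" GPOs are skipped
            return link.settings[setting], link.name
    return None, None

def thread_scenario(ddp_settings, ddp_enforced=False):
    """The layout from the question: one GPO at the domain, one at the OU."""
    ddp = GpoLink("Default Domain Policy", ddp_settings, ddp_enforced)
    usb = GpoLink("Disable USB Policy", {"usb_storage": "disabled"})  # constructed key
    return resolve("usb_storage", [[ddp], [usb]])

if __name__ == "__main__":
    print(thread_scenario({}))                             # domain GPO not configured
    print(thread_scenario({"usb_storage": "enabled"}))     # conflict, not enforced
    print(thread_scenario({"usb_storage": "enabled"}, ddp_enforced=True))
```

On a real workstation, the gpresult output and the Group Policy Inheritance tab mentioned in the replies remain the way to confirm which GPO actually won.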
