Group Policy

Group Policy processing and precendence.

Local group policy object – Each computer has exactly one group policy that is stored locally. This
processes for both computer and user group policy processing.
IF Mutiple GPO’s at same level then which one will process first – “Link Order”.

Exceptions to the default order of processing settings.

The default order for processing settings is subject to the following exceptions.

A GPO link may be enforced or disabled, or both. By default a GPO link is neither enforced or disabled.

A GPO may have its user settings disabled, its computer setting disabled, or all settings disabled. By
default neither user settings nor computer settings are disabled in a GPO.

An organizational unit or a domain may have block inheritance set. By default block interifance is not
set.
Enforcing a GPO Link

You can specify that the settings in a GPO link should take precedence over the settings of any child
objects by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent
container. Without enforcement from above, the settings of the GPO link at the higher level (parent)
are overwritten by settings in GPO s link to the child organizational units. If the GPO’s contain conflicting
setting with the enforcement, the parent GPO link always has precedence. By default, gpo links are not
enforced.

Lock sign mean Enforced

If we apply enforce tick on both ou it will take primary as default domain policy.

Blocking Group policy inheritance

You can block policy inheritance for a domain or organizational unit. Using block inheritance prevent gpo
linked to higher sites, domains, or organizational units. From being automatically inherited by the child-
level. By default, children inherit all GPO’s from the parent, but it is sometimes useful to block
inherticance. For eg. It you want to apply a single set of polcies to a entire domain except for one
organizational unit. You can link that required GPO’s at the domain level (from which all organizational
units inherit polices by default) and then block inheritance only on the organizational unit to which the
policies should not be applied.

mean block inheritance will not apply any policy from up side.

If you have set the Enforce option at domain level and block inheritance at OU level.which policy will
take effect.

If you have set both then Enforce wins over the block inheritance . so enforced will take effect.
Filtering a GPO

This features allow further granularity in the way that GPOs are applied in your environment. Even
when a GPO is linked within a part of your directory (say an OU) you may not want that GPO to apply to
every object within that container. You can control this by assigning permission for who can process
your GPO is known as filtering.

Group policy Result.

Rsop.msc

Command line.

Gpresult/z

Gpresult /scope user /v

Gp result /scope computer /v

Group Policy copy paste

If we copy existing policy from group policy object and make a copy of that policy it will have all setting
which it has configured previously.

Import Export GPO

When we export any Gpo from group policy and try to import to another gpo will get override.

Backup & Restore GPO

Group policy update by GUI

Software Deployment Through GPO

1. Microsoft SCCM Server

2. GPSI (Free with ADS using GPO

MSI package required

Create a Distribution point (sharefolder)_with Read Access.

Two types of software Deployment.

1. Assign – mean it will get automatically installed. For user and computer
2. Publish - will see on control panel to installation. For user only
 Two types of policies in a GPO.

1. Computer polciies apply on computer account within OU

2. User policies apply on user account within OU

Note: No admin rights required to users for published software installation.