In part 1, we covered scoping, filtering, and delegation. It is now time to cover more advanced problems with Group Policy.
Learn Your Group Policy Link Rules
GPOs process in a very specific order. The acronym LSDOU shows that Local GPOs apply first, followed by Site, Domain, and finally OU GPOs. In a nutshell, the GPO closest to the object applies last, so its settings win. If you have a GPO linked at the domain that enables Offline Files and a Junior Admin disabled Offline Files at the OU level, his GPO wins. Running GPResult against the object will show you if another GPO is overwriting your settings.
When a GPO is created, it lives in the Group Policy Objects container. When you link a GPO to an OU, you are merely creating a shortcut to that GPO. These links can be enabled or disabled very easily. In the picture below, the Configuration GPO link is disabled. Notice how the link arrow is greyed instead of black (like the Default Domain Policy).
You can quickly see if a GPO is linked or unlinked by using PowerShell.
GPOs can also be set to Enforced. An Enforced GPO appears with a lock on the link icon. A GPO upstream (one linked to a higher OU or the domain) that is enforced can cause you problems. For example, if the Default Domain Policy was enforced, every setting in it would apply to every object in the domain. It does not matter if another GPO is linked to an OU and is also enforced. With enforcement, the highest GPO always wins.
If both GPOs in the picture above were set to enforced, the Default Domain Policy would win over the Configuration: UE-V policy.
The final piece of trickery with links is the Block Inheritance setting. When an OU is set to Block Inheritance, all GPOs (except those enforced) linked above that OU are ignored. In the example below, the Domain Sites OU will not process the Default Domain Policy.
If the Default Domain Policy was enforced, it would ignore the Block Inheritance setting and apply anyway. In an ideal environment, you would keep everything as simple as possible. That means using Block Inheritance and Enforcement sparingly.
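The PowerShell check mentioned earlier, written out as an added example (this is not code from the original post): it lists every GPO that is unlinked, flags disabled and enforced links, and then shows the effective link order for one OU along with whether that OU blocks inheritance. It assumes the GroupPolicy RSAT module in a domain-joined session; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post. Requires the GroupPolicy
# module (RSAT) and a domain-joined session with rights to read GPOs.
Import-Module GroupPolicy

# 1. Per-GPO link inventory. The XML report's LinksTo element lists every
#    site/domain/OU the GPO is linked to; no LinksTo means the GPO is
#    sitting unlinked in the Group Policy Objects container.
foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = $report.GPO.LinksTo
    if (-not $links) {
        Write-Output "$($gpo.DisplayName): NOT LINKED anywhere"
        continue
    }
    foreach ($link in $links) {
        # Enabled=false is the greyed link arrow; NoOverride=true is Enforced.
        $state = if ($link.Enabled -eq 'true') { 'enabled' } else { 'DISABLED' }
        $enf   = if ($link.NoOverride -eq 'true') { ' (ENFORCED)' } else { '' }
        Write-Output "$($gpo.DisplayName): linked at $($link.SOMPath) - $state$enf"
    }
}

# 2. What actually applies to one OU. Get-GPInheritance resolves the
#    LSDOU chain for you: InheritedGpoLinks includes links from parent
#    containers, Order 1 has the highest precedence (applied last, so it
#    wins), and GpoInheritanceBlocked tells you if Block Inheritance is set.
#    Enforced links from above still appear even when inheritance is blocked.
$ou = 'OU=Domain Sites,DC=example,DC=com'   # placeholder: replace with your OU
$inh = Get-GPInheritance -Target $ou
Write-Output "`n$ou blocks inheritance: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

Compare the second table with the GPResult output from a machine in that OU; a GPO that appears here but not in GPResult usually points at a scope filter rather than a link problem.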
Crazy Junk with Loopback
When a computer first starts up, it will process all computer side policies that are linked to the computer’s OU (and above). When a user logs on, any user side settings will process that are linked to the user’s OU (and above). This is normal Group Policy behavior.
When loopback is enabled, this process has one additional step. After the user side items process, any user side settings linked to the computer’s OU (and above) are also applied. Although this does slow down Group Policy processing, I still love it and find it insanely helpful! With Loopback, I can take a user side setting (like setting the homepage in IE) and apply it to a group of computers (such as those in a lab)!
Bear in mind that loopback now requires both the User and Computer objects to be added to the Scope tab on the GPO. Before Windows Vista, the computer did not need read permission on the GPO. If you still have questions about loopback (or want to learn how to use it), see these two guides:
- Loopback Policy: How a Computer Gets a Transgender Operation
- Questions about Loopback Policy Processing
Finally, make sure that the GPO is doing what you intend for it to do. When a setting says “Enable Turn Off Audio Mode”, it is very easy to get confused. Read carefully through any GPO descriptions when configuring your GPO. Microsoft is a huge fan of double negatives. You can use Microsoft’s GPSearch utility for explanations of GP settings.
Be sure to read the other articles in this series for detailed troubleshooting steps.