IT Admin Basics: Understanding Group Policy Design
Windows 10, and the additional abilities that come with it, provides additional policy capabilities enabled to allow IT administrators further manageability of his client deployment. Designing group policies for said organization can become complex if not planned accordingly. Chaos can rein should improper setup of Group Policies be pushed from group policies to workstations. Proper Group Policy design is key.
Microsoft provides tools/features to help address Group Policy Object(GPO) design, testing and troubleshooting. The following are details on a few that are offered.
It is known that a GPO setup on the higher level in a GPO structure automatically applies to the lower level in the same model. As an example, the “Default Domain Policy” by default in the highest level in structure. So any changes implemented on that, which is not recommended, also applies to lower level in hierarchy.
In following screenshot, as you can see the default domain policy is automatically inherited to “Test OU”.
The inheritance can be disable though. Simply right click on the OU which we need to block the inheritance and click Block Inheritance.
Once completed, the default domain policy is no longer visible from which it was inherited.
The enforced policy option is the exact opposite of the Block Inheritance as policies can be enforced to apply on lower levels of the same hierarchy. For example let’s assume we have two polices called Policy A and Policy B in height level in hierarchy. In lower level in hierarchy some OU are blocked policy inheritance so these 2 policies by default will not apply to those two. However, Policy A is still required to be enforced for everyone in organization no matter what. So by enforcing the policy we can even push it to the OUs even its use block inheritance.
To enforce a policy, right click on the policy you needs to enforce and click on Enforced.
Be sure to take notice that the Test OU inherits the policy even if the block inheritance option is enabled.
Group policies can be applied based on user objects and/or computer objects in Active Directory. Sometimes only policies based on computer objects need to be considered. As an example, in a library or public lab where many users may uses the same computers, policies would be applied to the computer objects to address the management requirements of that device.
To enable this, from within group policy management, start to edit the policy you like to configure with loopback processing. Under Computer Configuration\Policies\Administrative Templates\System\Group Policies\ double click on the option Configure user Group Policy loopback processing mode.
There are 2 modes that can be enabled.
Replace – This will not consider about user polices at all. It will only apply the computer GPO.
Merge – in this mode it will consider both user and computer polices. But if there is any conflict it always uses the computer policies