No Override

[Kyle]

Can someone please explain the No Override option in a
GPO. Does this only override settings that are
enabled/set?

For example, suppose I have an OU level GPO that
specifies that the user can not right click and a domain
level GPO that specifies the home page of IE. If I apply
the No Override setting to the domain level GPO, will the
user be allowed to right click?

Thanks for you time.

 

[Derek Melber [MVP]]

Kyle,

The No Override option is designed to "force" a GPO and its settings down
through the GPO processing path. So, let me change your scenario a bit to
get the point across.

Ex 1. If you have a GPO at the domain level that says to remove the Run
command and one at the OU level that says add the RUn command, you will have
the run command. This is due to the order of GPO application and precendence
of LSDOU. OU applies last and has precedence.

Ex 2. You have a GPO at the domain level that says to remove the Run command
and one at the OU level that says add the Run command. Now, you also set the
domain level GPO to NO Override. You will NOT have the Run command. This is
because the GPO higher in the precendence says to force this GPO settings,
where there is a conflict.

Ex 3. You have a GPO at the domain level that says to remove the Run command
and one at the OU level that says add the Run command. Now, you also set the
domain level GPO to NO Override. And, you set the GPO at the OU level to
Block Policy Inheritance. In this case, you will NOT have the Run command.
This is because Block Policy INheritance has no use against a GPO that is
set to NO Override.

Ex 4. If you have a GPO at the domain level that says to remove the Run
command and one at the OU level that says remove the Help command. Now, you
also set the domain level GPO to NO Override. You will NOT have either the
Run or Help commands. Here, there is no conflict, so both GPOs will append
to one another and both settings apply.

Hope this helps.