What policies are applied first.

[Jordan]

I have a domain MYDOMAIN and I created a OU container called SalesPCs. In
the SalesPCs I created a OU container called LAPTOPS.

1. What order will the policies be applied if I put GPs at MYDOMAIN,
SALESPCS, and LAPTOPS?

2. If I have "No Override" checked for the first policy that is applied, is
this for just the configured options or will all options revert to "Not
configured". For instance I have just a proxy server configured on one of
the first policy and the last policy has my proxy option "Not Configured"
will it erase my proxy settings applied earlier.

 

[Steve Athanas]

Hi, Jordan:

In your setup it's pretty straightforward, because you haven't
introduced "block inheritance."

1.The policies will be applied in the order L-S-D-OU, or
Local-Site-Domain-Organizational Unit which means that local policies
are processed first, but can be over ridden by policies placed on the
site, which can be overridden by policies placed at the domain, which
are trumped by policies on respective OUs.

So in your scenario, policies will be applied MYDOMAIN, then SALESPCS,
and then LAPTOPS, which policies at the laptop OU overriding any
conflifts from the other two GPOs. Cool?

2. No override will only replace where there is a setting defined. If a
specific policy setting is not configured, you won't see the "not
configured" propagate down the tree.

I'm a bit unclear on what you're trying to do with the proxy example,
but provided it's set up such that the proxy server is configured in a
policy applied after (and therefore at a lower level of the tree) a
policy that doesn't have that setting enabled, but is enforced, you will
still get the setting, because the enforced policy does not have that
setting enabled, and thus the "no override" is ingored.

I hope that sheds some light on it. If you have any questions, drop a line!

Take care.
_______________
Steve Athanas
MCSE:Security (2003)