How does the Group Policy 'No Override' and 'Block Inheritance' work ?

Group Policies can be applied at multiple levels (Sites, domains, organizational Units) and multiple GP's for each level. Obviously it may be that some policy settings conflict hence the application order of Site - Domain - Organization Unit and within each layer you set order for all defined policies but you may want to force some polices to never be overridden (No Override) and you may want some containers to not inherit settings from a parent container (Block Inheritance).

A good definition of each is as follows:

No Override - This prevents child containers from overriding policies set at higher levels

Block Inheritance - Stops containers inheriting policies from parent containers

No Override takes precedence over Block Inheritance so if a child container has Block Inheritance set but on the parent a group policy has No Override set then it will get applied.

Also the highest No Override takes precedence over lower No Override's set.

To block inheritance perform the following:

  1. Start the Active Directory Users and Computer snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. Right click on the container you wish to stop inheriting settings from its parent and select 
  3. Select the 'Group Policy' tab
  4. Check the 'Block Policy inheritance' option
  5. Click Apply then OK

To set a policy to never be overridden perform the following:

  1. Start the Active Directory Users and Computer snap-in (Start - - Administrative Tools - Active Directory Users and Computers)
  2. Right click on the container you wish to set a Group Policy to not be overridden and select Properties
  3. Select the 'Group Policy' tab
  4. Click Options
  5. Check the 'No Override' option                  
  6. Click OK
  7. Click Apply then OK

 


Post a Comment

0 Comments