The August 2010 Challenge

Group Policy Wrestling Matches. That's my phrase for what happens when administrators set conflicting policies at various levels of their domains. How much do you know about the way Group Policy Objects (GPOs) work as they travel through the levels of your domain?

Question 1
You set a GPO at the domain level, then set a conflicting (reversed) GPO at the organizational unit (OU) level. For the computers in the OU, which GPO wins?

Question 2
You set a GPO at the domain level, then set a conflicting (reversed) GPO in a local computer's policy settings. For that computer, which GPO wins?

 

The Answers

Question 1: The OU-level GPO wins, because as you move down the Active Directory (AD) hierarchy, the GPO that's closest to the computer always wins. This is a good way to give a specific group the policies they need for their particular tasks when those tasks (and attendant policies) differ from most of the other OUs.

Question 2: The domain-level GPO wins. When the domain or any part of a domain (such as an OU) and a local computer are wrestling over group policies, the computer always loses. Computers in a domain are powerless when it comes to GPOs—they're pinned to the mat as soon as the match starts.

 

August 2010 Reader Challenge Winner

Congratulations to Thomas Sin of Ontario, the winner of our August 2010 Reader Challenge. He wins a copy of Windows 7: The Definitive Guide from O'Reilly Media (http://www.ora.com/).