
GPO Exceptions: Enforce and Block Inheritance


This page describes the use of the Enforce and Block Inheritance features available when managing GPO precedence.

Enforced: This was previously referred to in Win2K as "No Override". The Enforced flag is set on a GPO link using the GPMC. What it says is, "If there are any conflicting policy settings on downstream GPOs (GPOs processed after the enforced GPO), those settings will always be overridden". It works by moving any GPO links that are marked as Enforced to the bottom of the Group Policy processing list. This ensures that the enforced policy is always processed last, and thus "wins" over any downstream GPOs. Enforced GPOs will override Block Inheritance (described next).

Block Inheritance: The Block Inheritance flag is set on a container object--specifically either an OU or a domain. The purpose of Block Inheritance is to block upstream GPOs from being processed (except for GPOs set with the Enforced flag). For example, if I have two OUs--Marketing and East--and East is a child OU of Marketing, I can set the Block Inheritance flag on the East OU and any GPOs linked to Marketing will be blocked--and won't apply to users and computers in the East OU.
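
The two flags can be checked against each other with a small model of the processing list. The Python below is an added example, not code from this site or from Microsoft; it replays the Marketing/East case above with one enforced link at the domain. The domain name, GPO names and setting values are constructed, and local and site GPOs are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enforced: bool = False            # "Enforced" flag on the GPO link

@dataclass
class Container:                      # a domain or an OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False   # flag on the container itself

def processing_order(chain):
    """chain runs from the most upstream container down to the one holding the
    user or computer. Returns GPO names in processing order; the last wins."""
    # The deepest container with Block Inheritance cuts off upstream links.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        enforced.append([l.gpo for l in c.links if l.enforced])
        if depth >= cut:
            normal += [l.gpo for l in c.links if not l.enforced]
    # Enforced links move to the bottom of the list. Assumption beyond the
    # page: with several enforced links, the most upstream is processed last.
    return normal + [g for group in reversed(enforced) for g in group]

def effective_settings(chain, settings):
    """Replay the processing order; returns {setting: (value, winning GPO)}."""
    result = {}
    for gpo in processing_order(chain):
        for key, value in settings.get(gpo, {}).items():
            result[key] = (value, gpo)
    return result

def sample_chain(block_east):
    # Constructed sample data: domain -> Marketing OU -> East OU.
    return [
        Container("example.test", [Link("Domain Defaults"), Link("Domain Baseline", enforced=True)]),
        Container("Marketing", [Link("Marketing Desktop")]),
        Container("East", [Link("East Desktop")], block_inheritance=block_east),
    ]

SAMPLE_SETTINGS = {  # constructed values
    "Domain Baseline": {"ScreenSaverTimeout": 600},
    "Marketing Desktop": {"Wallpaper": "marketing.bmp", "HideRunMenu": True},
    "East Desktop": {"ScreenSaverTimeout": 3600, "Wallpaper": "east.bmp"},
}
```

Calling `effective_settings(sample_chain(True), SAMPLE_SETTINGS)` shows the enforced domain value for `ScreenSaverTimeout` surviving both the block and the conflicting East value, while the Marketing settings no longer reach East.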


Last Modified 1/12/05 7:53 PM
