Our previous article explained what Group Policy Objects (GPO) are and showed how group policies can be configured to help control computers and users within an Active Directory domain. This article takes a look at Group Policy Enforcement, Inheritance and Block Inheritance throughout our Active Directory structure. Users seeking more technical articles on Windows 2012 Server can visit our dedicated Windows 2012 Server section.
Group Policy Enforcement, Inheritance and Block Inheritance give administrators the flexibility needed to deploy Group Policy successfully within Active Directory, especially in large organizations where multiple GPOs are linked at different levels of the hierarchy and one GPO can accidentally override another.
Active Directory provides three simple mechanisms for granular control over how GPOs apply:
Group Policy Object Inheritance
GPOs can be linked to sites, domains, OUs and child OUs. By default, the settings of a GPO linked to a parent container are inherited by every child container beneath it in the Active Directory hierarchy; the Default Domain Policy, for example, is linked to the domain and is inherited by every OU, computer and user in that domain. Group Policy is processed in the order Local, Site, Domain, OU (and then child OUs), and the GPO processed last has the final say on any setting that more than one GPO configures.
GPO inheritance lets administrators set a common baseline of policies at the domain or site level and configure more specific policies at the OU level. GPOs inherited from parent containers are processed before GPOs linked to the container itself, which is why an OU-level setting normally wins over a conflicting domain-level setting.
As shown in the figure below, the Default Domain Policy GPO with precedence 2 is processed first, because it is linked at the domain level (firewall.local), whereas the WallPaper GPO, which has the higher precedence (a lower precedence number), is linked at the organizational unit level and is processed last. In the GPMC Group Policy Inheritance tab the lower the precedence number, the later the GPO is processed and the higher its priority when settings conflict:
Figure 1. Group Policy Inheritance
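The same inheritance view can be read from PowerShell. The script below is an added example and is not part of the original article; it assumes the GroupPolicy module (installed with the Group Policy Management feature or RSAT) and an OU named OU=Workstations in the firewall.local domain (the OU name is an assumption). It lists the links that reach the OU in GPMC precedence order and then in the order the client actually applies them, which is the reverse.

```powershell
# Added example (not from the original article): show the GPO links that reach an
# OU in precedence order and in processing order, so the precedence numbers in the
# GPMC "Group Policy Inheritance" tab can be read correctly.
# Assumes the GroupPolicy module (RSAT / Group Policy Management feature) and that
# the OU below exists in the firewall.local domain (the OU name is an assumption).
Import-Module GroupPolicy

$ou = 'OU=Workstations,DC=firewall,DC=local'   # assumed OU

# Get-GPInheritance returns the links set directly on the container (GpoLinks) and
# the complete list of links that reach it, parents included (InheritedGpoLinks),
# the latter already ordered by precedence: first entry = precedence 1.
$inh = Get-GPInheritance -Target $ou

"Container: $($inh.Path)"
"Block Inheritance enabled: $($inh.GpoInheritanceBlocked)"
""
"Precedence order (as shown in GPMC; 1 wins a conflicting setting):"
$rank = 0
foreach ($link in $inh.InheritedGpoLinks) {
    $rank++
    $flag = if ($link.Enforced) { ' [Enforced]' } else { '' }
    "  {0,2}. {1}  (linked at {2}){3}" -f $rank, $link.DisplayName, $link.Target, $flag
}

""
"Processing order (first applied to last applied):"
# Processing is the reverse of precedence: the link with the highest precedence
# number (typically the domain-level link) is applied first and precedence 1
# (typically the OU-level link) is applied last, so its value overwrites the
# earlier one on any setting both configure. Enforced links already sort to the
# top of the precedence list, which is how they beat OU-level links.
$links = @($inh.InheritedGpoLinks)
for ($i = $links.Count - 1; $i -ge 0; $i--) {
    "  {0,2}. {1}" -f ($links.Count - $i), $links[$i].DisplayName
}
```

Run it from an elevated PowerShell session on a domain-joined management host. To confirm what a particular computer or user actually received after the next refresh, use gpresult /r on that client or Get-GPResultantSetOfPolicy from the management host.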
Because inheritance is the default, Active Directory also offers a way to stop it: Block Inheritance. When Block Inheritance is enabled on a domain or an OU, GPO links from the containers above it (the site, the domain and any parent OUs) are no longer applied to it, with one exception: links marked Enforced still apply. This setting is mostly used when an OU contains users or computers that require different settings from those applied at the domain level. It should be used sparingly and audited, because an administrator who has been delegated control of an OU can use it to keep domain-wide security settings off the objects in that OU unless those settings come from an Enforced link.
As shown in the figure below, to block GPO inheritance open the Group Policy Management Console (GPMC), right-click the OU (or domain) and select Block Inheritance from the menu:
Figure 2. GPO Block Inheritance
Enforced (No Override)
This option, which is set on a GPO link rather than on the GPO itself, prevents the settings of that GPO from being overridden by GPOs linked lower in the hierarchy. For example, if you link a GPO to the domain and check Enforced, its settings are applied to all child containers in Active Directory and take precedence over the settings of any GPO linked to a child OU, even where that child GPO configures the same setting with a different value. An enforced link is also applied to OUs on which Block Inheritance is enabled, and if two enforced links conflict, the one linked higher in the hierarchy wins. In previous Windows Server versions the Enforced option was called No Override.
To enforce a GPO link, right-click the link under the site, domain or OU in GPMC and click Enforced:
Figure 3. Enforcing a GPO
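The two procedures above, blocking inheritance on an OU (Figure 2) and enforcing a domain-level link (Figure 3), can also be scripted and, more importantly, audited. The following is an added example, not code from the original article. It assumes the GroupPolicy and ActiveDirectory modules (RSAT), a session with rights to edit GPO links in firewall.local, an OU named OU=Lab and a GPO named "Security Baseline" that is already linked at the domain; the OU and GPO names are assumptions. After applying both settings it verifies that the enforced link still reaches the blocked OU, then walks every OU in the domain and reports the non-enforced domain-level GPOs that Block Inheritance silently removes from it.

```powershell
# Added example (not from the original article): block inheritance on an OU,
# enforce a domain-level link so it still reaches that OU, and audit the domain
# for OUs whose Block Inheritance would strip non-enforced domain GPOs.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) and rights to edit
# GPO links in firewall.local. The OU and GPO names below are assumptions; the
# GPO is assumed to be linked at the domain already (Set-GPLink edits a link,
# New-GPLink would create one).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=firewall,DC=local'
$labOu    = 'OU=Lab,DC=firewall,DC=local'   # assumed OU that needs different settings
$baseline = 'Security Baseline'              # assumed domain-level GPO name

# 1. Block Inheritance on the OU (the GPMC right-click in Figure 2). Every
#    non-enforced link from the domain and parent OUs stops applying here.
Set-GPInheritance -Target $labOu -IsBlocked Yes | Out-Null

# 2. Enforce the baseline's link at the domain level (Figure 3). Enforced is a
#    property of the link, not of the GPO, so it is set per -Target.
Set-GPLink -Name $baseline -Target $domainDn -Enforced Yes | Out-Null

# 3. Verify: the enforced link must still be listed for the blocked OU.
$inh   = Get-GPInheritance -Target $labOu
$still = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $baseline }
if ($inh.GpoInheritanceBlocked -and $still -and $still.Enforced) {
    "OK: '$baseline' still reaches $labOu despite Block Inheritance (Enforced link)."
} else {
    Write-Warning "'$baseline' does NOT reach $labOu - check the link and its Enforced flag."
}

# 4. Audit: for every OU with Block Inheritance, list the enabled domain-level
#    links that are not enforced and therefore no longer apply below it. An OU
#    admin who can set Block Inheritance can keep a non-enforced domain baseline
#    off their own machines, which is why security GPOs linked at the domain
#    should be Enforced.
function Get-BlockedInheritanceGaps {
    param([string]$DomainDn)

    $domainLinks = (Get-GPInheritance -Target $DomainDn).GpoLinks
    $notEnforced = $domainLinks | Where-Object { $_.Enabled -and -not $_.Enforced }

    Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDn |
        ForEach-Object {
            $ouInh = Get-GPInheritance -Target $_.DistinguishedName
            if ($ouInh.GpoInheritanceBlocked) {
                foreach ($link in $notEnforced) {
                    [pscustomobject]@{
                        BlockedOU     = $_.DistinguishedName
                        LostDomainGpo = $link.DisplayName
                    }
                }
            }
        }
}

Get-BlockedInheritanceGaps -DomainDn $domainDn | Format-Table -AutoSize
```

Steps 1 and 2 change the domain, so test them against a lab domain or add -WhatIf to the two Set- cmdlets first. The audit in step 4 is safe to run as read-only and is worth scheduling: an empty result means every domain-level GPO either is enforced or is not blocked anywhere, while each row names a GPO that one OU has opted out of. Clients pick up the new link state at their next Group Policy refresh, so confirm with gpresult /r on an affected machine.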
This article explained how GPO inheritance works throughout the Active Directory hierarchy, how it can be stopped for an OU with Block Inheritance, and how a GPO link can be guaranteed to apply with the Enforced option. For more information on Group Policies and how they are created or applied, refer to our article Configuring Windows 2012 Active Directory Group Policies or visit our Windows 2012 Server Section.