[gptalk] Re: Default Gpo overides everything?

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 8 Aug 2008 07:34:18 +1000

Hi Asaf,


What I suspect you have done is attach your main Policy at the domain level
and your administrator's policy at a lower OU. Because Group Policy
processing inherits Policies from the lower levels, the administrators will
get both sets of policies, i.e. those linked to their OU, plus those linked
at the domain level. 


The exact behavior is quite complex, but normally any settings applied at
the child OU will override the settings at the domain level. Therefore if
you activate the policy at the domain level and then deactivate it at the
Administrator OU level, you will get the desired behavior.


You can also enable Blocking at the Administrator OU level which will stop
them getting Polices from the Domain level.


However if you activate No Override on the domain level policy, this will
turn it in to a "Super Policy" that no one can beat. It will ignore Blocking
and will be the last to be applied and so no one can override it.


You can also apply security filtering to say that some people do not get the


What you should do is split your Corporate wide policy in to two parts. The
first part should be the part that everyone gets and is not to be changed
even for administrators. Connect that at the domain level and mark it as No
Override. The second half are "optional Policies" and would also apply at
the domain level. To cater for your administrators, you can use security
filtering (put the administrators in the deny apply list), you can use
Blocking so that the Administrators OU does not receive the policy, or you
can have another policy for the administrators that resets it to the desired




Alan Cuthbertson



 Policy Management Software (Now with ADMX and Preference support):-



ADM Template Editor(Now with ADMX support):-



Policy Log Reporter(Free)






From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Asaf Efrati
Sent: Friday, 8 August 2008 1:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Gpo overides everything?


Hello everyone,


I have another troubling issue with my Gpo, I have set the "default Group
policy" to deny certain options (or enable them) 

which I think is fit for the whole company, my problem is that it seems my
administrator group who has another separate Gpo assigned 

To them is effected by this default gpo, mainly it's the default
Administrator account and not let's say John (who is also part of the
administrator group), for now I just re-enabled the policy I denied.


For my general knowledge without direct relation to the my question

Can I set the gpo priority or order in which it is applied?


Thank you,


Asaf Efrati | IT & Security | eToro

A 32 Habarzel St. Tel Aviv 69710, Israel

M +972 545671587

F +9723 7686712

W www.eToro.com 


If you have received this email message in error, please notify the sender
immediately by telephone or return email and refrain from taking any action
relating to the content of the email. 

Thereafter, please destroy the original message without making a copy. You
may not use the content of the email without first obtaining prior written
consent from the sender. 

You may not forward this email to anyone other than the sender for
notification purposes. 



JPEG image

Other related posts: