Linking GPOs to Active Directory Containers

A GPO can be associated (linked) to one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be linked to the same GPO, and a single container can have more than one GPO linked to it. If multiple GPOs are linked to one container, you can prioritize the order in which GPOs are applied.

Linking GPOs to Active Directory containers enables an administrator to implement Group Policy settings for a broad or narrow portion of the organization, as required.

The following list contains example applications of policy:

  • A GPO linked to a site applies to all users and computers in the site.
  • A GPO linked to a domain applies to all users and computers in the domain and, by inheritance, to all users and computers in child organizational units. Be aware that policy is not inherited across domains.
  • A GPO linked to an organizational unit applies directly to all users and computers in the organizational unit and, by inheritance, to all users and computers in child organizational units.

A GPO is stored on a per-domain basis, but you can also link a site, domain, or organizational unit to a GPO in another trusted domain. This is not recommended because it can negatively impact performance.

The following illustration shows the Group Policy model of linking sites, domains, and organizational units to multiple GPOs.

[Illustration: Group Policy model]

To create a site, an administrator can use the Active Directory Sites and Services MMC snap-in. To link a GPO to a site, domain, or organizational unit, administrators can use the Group Policy Management Console snap-in.
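To review existing links, including their precedence and any link to a GPO stored in another domain, the links can be read from each container's gPLink attribute. The following is an added example, not part of the original page: the function name ConvertFrom-GPLink is hypothetical, the domain names and GUIDs are constructed, and the gPLink format and option bits (1 = disabled, 2 = enforced) are taken from Active Directory rather than from this page.

```powershell
# Added example (not from the original page). ConvertFrom-GPLink is a hypothetical helper name.
function ConvertFrom-GPLink {
    param(
        [Parameter(Mandatory)][string]$ContainerDN,                  # site, domain or OU holding the links
        [Parameter(Mandatory)][AllowEmptyString()][string]$GPLink    # raw gPLink attribute value
    )
    # DNS-style domain name built from the DC= components of a distinguished name.
    $toDomain = {
        param($dn)
        ([regex]::Matches($dn, '(?i)(?:^|,)DC=([^,]+)') | ForEach-Object { $_.Groups[1].Value }) -join '.'
    }
    # For a site object this is the forest root domain (sites live in the Configuration partition).
    $containerDomain = & $toDomain $ContainerDN

    # gPLink stores each link as [LDAP://<GPO DN>;<options>].
    $links = [regex]::Matches($GPLink, '(?i)\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]')
    for ($i = 0; $i -lt $links.Count; $i++) {
        $dn        = $links[$i].Groups['dn'].Value
        $opt       = [int]$links[$i].Groups['opt'].Value
        $gpoDomain = & $toDomain $dn
        [pscustomobject]@{
            Container   = $ContainerDN
            # The last entry in the attribute is link order 1 (highest precedence).
            LinkOrder   = $links.Count - $i
            GpoGuid     = [regex]::Match($dn, '\{[0-9A-Fa-f-]{36}\}').Value
            GpoDomain   = $gpoDomain
            Enabled     = -not ($opt -band 1)    # bit 1 set = link disabled
            Enforced    = [bool]($opt -band 2)   # bit 2 set = link enforced
            CrossDomain = $gpoDomain -ne $containerDomain
        }
    }
}

# Constructed sample: one OU with two links, the second to a GPO stored in another domain.
$sampleDN   = 'OU=Workstations,DC=corp,DC=example'
$sampleLink = '[LDAP://CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=corp,DC=example;0]' +
              '[LDAP://CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=partner,DC=example;2]'
ConvertFrom-GPLink -ContainerDN $sampleDN -GPLink $sampleLink | Sort-Object LinkOrder | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module is installed;
# site links need -SearchBase set to the Configuration partition):
# Get-ADObject -LDAPFilter '(gPLink=*)' -Properties gPLink |
#     ForEach-Object { ConvertFrom-GPLink -ContainerDN $_.DistinguishedName -GPLink $_.gPLink } |
#     Where-Object CrossDomain
```

Rows with CrossDomain set to True are the cross-domain links that the text above advises against.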