Application of Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can link GPOs to sites, domains, and OUs to implement Group Policy settings as broadly or as narrowly in the organization as necessary. Keep in mind how Group Policy is applied when you determine the scope of application of Group Policy objects:

  • The policy settings in Group Policy objects are inherited, cumulative, and apply to all users and computers in an Active Directory container.

  • Group Policy objects are processed in the following order: local GPO, site, domain, and OU.

  • By default, Group Policy inheritance is evaluated starting with the Active Directory container farthest from the computer or user object. The Active Directory container closest to the computer or user overrides Group Policy set in a higher-level Active Directory container unless you set the No Override option for that GPO.

  • If you link more than one GPO to an Active Directory container, the GPO processing order (priority) is as follows: the GPO highest in the Group Policy Object Links list, displayed in the Group Policy page of the Active Directory container’s Properties page, has precedence by default. If you set the No Override option in one or more of the GPOs, the highest GPO that is set to No Override takes precedence.

For information about creating an Active Directory structure see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services of this kit.

For more information about defining the scope of application of Group Policy, see "Designing a Group Policy Infrastructure" in this book.