In Active Directory, how is group policy inherited and processed?
In Active Directory, group policy settings are inherited and are cumulative. Group policies are processed in the following order:
- Group policy objects (GPOs) for the site to which the computer or user account belongs
- GPOs for the domain of which the computer or user account is a member
- GPOs that are applied to organizational units (OUs), starting with the Active Directory OU farthest away from the computer or user
The resulting set of policies that a user or computer receives is the sum of all the group policies in the Active Directory hierarchy.
Note: The following information is intended for
registered local support providers (LSPs) at Indiana
University. If you are an LSP and have questions regarding the
information in this document, contact LSP Services at
lsps@iu.edu ; otherwise, contact your campus
Support Center.
For computers in the Indiana University Active Directory Services (ADS) domain, the following conditions apply:
- There is only one site for all IU computers. There are no site-level policies defined.
- There is only one domain for all IU computers. There is a domain-level group policy defined.
The OU structure at IU separates computers according to campus and department. The structure evaluates at the campus level (e.g., BL) first, and then at the department level (e.g., CHEM). This process would continue for any OUs that you've created inside of your departmental OU.
Last modified on October 27, 2009.
