In the IU Active Directory, how are group policy conflicts handled?
In the Indiana University Active Directory, group policy can be inherited, so it is possible to create multiple group policies with conflicting settings. You need to understand this before attempting to resolve or troubleshoot group policy conflicts. For more information, see In Active Directory, how is group policy inherited and processed?
The highest parent container possible is the site. This is followed by the domain, then each organizational unit (OU) inside of the domain. Each of these OUs can have sub-OUs, an OU inside of an OU. The relationship between all of these objects is thought of as a parent and child relationship. The parent is the place where the object was created, and can be a site, domain, OU, or sub-OU. The child is the object that was created inside of the parent and can be a domain, OU, or sub-OU. Group policy settings are applied as follows:
- If the parent container has a setting configured, and the child
container is not configured, the parent container group policy
setting applies.
- If the parent container and child container both have a setting
configured, and they are compatible, both parent and child container
group policy settings apply.
- If the parent container and the child container both have a setting configured, but they are not compatible, the child container setting applies.
You can modify this default behavior by using the No Override or Block Inheritance options, but UITS discourages the use of these options because of the level of complexity they introduce.
Last modified on April 06, 2009.
