Blocked and Enforced Inheritance

Group policy consists a set of policies that are applied for the computers. These are applied on the basis of computer wide configuration and user wide configuration. Group policies are applied in some specific order.

What about the hierarchy of applying group policy settings?

  • Local group policy (configured in the local computer)
  • Site level group policy
  • Domain level group policy
  • OU (Organizational Unit) level group policy

In case of group policies linked at the domain level, the group policies are applied with the help of group policy link order.  Suppose if 2 group policies are linked at the domain level with link order 1 and 2, then link order 2 group policy will be in effect for the first time and group policy with link order 1 will overwrite the 2nd group policy.

In general high priority group policies must be first ordered (link order with low values) and then followed by the low priority policies. So that while applying the group policy to a computer, high priority policies will overwrite the low priority ones. That is why local group policy is applied first.

Now, what are blocked inheritance and enforced inheritance?

Blocked inheritance, blocks a specific domain level group policy being applied. If an OU is set to blocked inheritance then this blocking is applied to all the levels before OU, that is it is applied to site level, domain level and then OU level. This prevents all the previously configured settings being applied.

Enforced inheritance, allows some settings or group policies to get applied even if the policies are blocked. These are configured per group policy basis whereas the Blocked inheritance is configured per OU level.

Confused?? Lets see how it works in actual scenario:

Let us consider the group policies set as shown below in their hierarchical order:

Group policies

Now suppose the Second OU is blocked by the administrator, automatically both the Domain and OU level group policy will be set as blocked, as shown in figure. But Child OU is not affected with this. This is the case of Blocked Inheritance.

Blocked

Now let us consider the case of domain level policy, been set as Enforced as shown below:

Enforced Scenario1

Then the Domain level policy is moved to the back of Child OU so that Blocked Inheritance will not be affected in case of Domain level policy.

Enforced Scenario2

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s