Enforcing GPOs

On the heels of a discussion about inheritance blocking, why don't we spin things around and discuss an option that overrides that blocking? Boy, this almost sounds like we are working in an environment where the administrators are fighting for control.

Blocked inheritance is an OU-level setting: it stops GPOs from filtering down into or beyond a particular OU. Enforcement, by contrast, is set on the GPO link itself. It is a fairly simple setting; if you have a GPO that you want to force to be processed, even blowing through the borders of inheritance blocking, this is the ticket.

To enforce a GPO link, all you need to do is right-click on the link and choose Enforced, as seen in the following screenshot. Here, I am enforcing my Set Desktop Wallpaper to Blue 1 GPO, which is linked to the root of the domain. This means that this policy will apply to all machines in the domain, even those machines that reside inside the IT Department OU, which has inheritance blocking enabled.

You can see there is also a visual indicator inside GPMC for an enforced GPO. A little lock icon shows up on top of the GPO link graphic:

Remember, setting a GPO to be enforced does not mean that it will be applied everywhere in your environment, unless your link is way up high in the domain structure. Even with enforcement enabled, the GPO still restricts itself to applying only to the places where it is linked and filtered. The key difference between an enforced GPO and a non-enforced GPO is that enforced GPOs will blow through the Blocked Inheritance setting and apply themselves to that OU anyway.
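
The same change can be made and then verified from PowerShell. This is an added example, not from the book: it assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed, and the domain DN `DC=example,DC=com` is a placeholder for your own.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy, ActiveDirectory

# Assumptions: placeholder domain DN; GPO and OU names taken from the text above.
$DomainDN  = 'DC=example,DC=com'
$BlockedOU = "OU=IT Department,$DomainDN"
$GpoName   = 'Set Desktop Wallpaper to Blue 1'

# Enforce the existing link at the domain root
# (equivalent to right-click > Enforced in GPMC).
Set-GPLink -Name $GpoName -Target $DomainDN -Enforced Yes | Out-Null

# Check what the blocked OU actually receives. With Block Inheritance on,
# only links on the OU itself and enforced links from above remain listed.
$inh = Get-GPInheritance -Target $BlockedOU
"Inheritance blocked on '$BlockedOU': $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize

# Audit: for every OU that blocks inheritance, list the enforced links
# from higher containers that override the block.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ouDN = $_.DistinguishedName
    $som  = Get-GPInheritance -Target $ouDN
    if ($som.GpoInheritanceBlocked) {
        $som.InheritedGpoLinks |
            Where-Object { $_.Enforced -and $_.Target -ne $ouDN } |
            Select-Object @{ n = 'BlockedOU'; e = { $ouDN } },
                          DisplayName,
                          @{ n = 'LinkedAt'; e = { $_.Target } }
    }
} | Format-Table -AutoSize
```

Running the audit loop periodically shows where an enforced link at the domain or a parent OU is overriding a delegated administrator's block, which is worth reviewing whenever link permissions are delegated.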
