Some policies and settings are going to be things that you want to apply to all of the machines or users in the entire domain, and the appropriate place for those settings are domain-level GPOs. It's important to point out that the GPOs themselves are not different as we talk about all of these different policy levels—a GPO is a GPO. The level at which the GPO is linked is what we are talking about when we discuss these hierarchical levels. So far, we haven't discussed GPO links, and that is because we will spend a lot of time discussing links and linking when we start to cover the bases on filtering these GPO settings, in upcoming chapters. For now, we simply need to understand that some GPOs will contain settings that need to apply to everything in the domain, and these GPOs will be linked at the domain level.
In the following screenshot, the Default Domain Policy has been linked at the top level, or root, of the domain:
When you link a policy at the top of the domain, that GPO will filter down to each user account and device account that is present inside the domain to where it is linked, theoretically applying to all workstations, servers, and users. I say theoretically because there are a couple of reasons why a domain-level GPO might not actually apply to everything inside the domain. One of those reasons would be that the GPO was filtered to only apply to certain machines or groups (we will discuss this much more in chapter 4, Advanced Filtering of Group Policy Objects). Another reason is that some locations inside Active Directory may have inherency blocking enabled, which would stop GPOs from applying to any objects contained inside those locations. These locations that I am talking about are called OUs, and they are our next level of GPO processing.