Windows Server 2003 Group Policy Inheritance

By allowing group policies in higher levels to overwrite policies in lower levels, Windows Server 2003 provides for inheritance of policies from higher layers. For example, assume you belong to the OU Helpdesk, which is a child OU of Support. Some policies would be applied directly by the GPOs associated with the Helpdesk OU, while others would be inherited from the Support OU. Inheritance gives you a means of distributing policies across a wide range without having to micromanage them.

Group policies provide two options to control the way policies are applied and refine inheritance. The No Override option for a policy prevents lower levels of the hierarchy from overriding the policy and applying their own. For example, assume you want to enforce a particular policy across the domain regardless of what administrators of various OUs have defined for the policy. You specify the No Override option for the policy at the domain-level GPO, which then prevents any down-level containers from overriding the policy.

The Block Policy Inheritance option is the second option Windows Server 2003 provides for controlling inheritance. This option prevents policies defined at higher levels of the hierarchy from overriding those assigned to the immediate container. For example, enabling Block Policy Inheritance for the Callcenter child OU would prevent policies defined at the parent Support OU from being applied. Nevertheless, the No Override option always takes precedence over the Block Policy Inheritance option. So, Block Policy Inheritance blocks inheritance of only those policies defined by GPOs for which the No Override option is not set.

You can set the No Override and Block Policy Inheritance options by opening the Properties page for the object and clicking the Group Policy tab. When you do, you’ll see the screen shown previously in Figure B. To set the No Override option, select the policy and click Options. Next, select the No Override check box. To block policy inheritance, simply select the Block Policy Inheritance check box from the main Properties page.

It’s important to understand that you assign the No Override and Block Policy Inheritance options at the GPO level, not at the individual policy level. These two options, therefore, apply to all policies defined by a given GPO, not just selected policies. If a setting is not defined by a higher-level GPO, however, the policies in the current container will apply.