You can set No Override on a specific Group Policy object link so that Group Policy objects linked at a lower-level of Active Directory — closer to the recipient user or computer account — cannot override that policy. If you do this, Group Policy objects linked at the same level, but not as No Override , are also prevented from overriding. If you have several links set to No Override , at the same level of Active Directory, then you need to prioritize them. Links higher in the list have priority on all Configured (that is, Enabled or Disabled ) settings.
If you have linked a specific Group
Policy object to a domain, and set the Group Policy object link to No Override
, then the configured Group Policy settings that the Group Policy object
contains apply to all organizational units under that domain. Group Policy
objects linked to organizational units cannot override that domain-linked Group
Policy object.
You can also block inheritance of
Group Policy from above in Active Directory. This is done by checking Block
Policy inheritance on the Group Policy tab of the Properties sheet of the
domain or organizational unit. This option does not exist for a site.
Some important facts about No
Override and Block Policy are listed below:
# No Override is set on a link, not on a site, domain, organizational unit, or
Group Policy object.
# Block Policy Inheritance is set on a domain or organizational unit, and
therefore applies to all Group Policy objects linked at that level or higher in
Active Directory which can be overridden.
# No Override takes precedence over Block Policy Inheritance if the two are in
conflict.
0 Comments