This video will look at using the Group Policy options block and enforce. These options allow you to change the way Group Policy is processed in your domain; however this does make things more complex. This video also looks at ways that Group Policy can be deployed to minimize the need for enforce and blocking Group Policy.
Download the pdf handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gp-enforce-block.pdf
Group Policy Processing
Group Policy is processed in the following order: local, site, domain, OU. If there are multiple Group Policies applied to the same OU, a link order is used to determine which Group Policy will have preference over the other. A Group Policy with a lower link order number takes priority over a Group Policy with a higher link order. For this reason, the Group Polices will be applied from highest link order or lowest link order.
Blocking Group Policy is useful when you have multiple Group Polices and you do not want settings to be inherited. Without the blocking option, you need to reverse any Group Policy settings applied previously. The problem when blocking is not used is that settings can be added later on. The administrator would need to reverse the new Group Policy settings later on if they did not want them.
Block inheritance is configured at the OU level. Once configured it blocks all the settings configured by Group Policy above it. This allows the administrator to start again without having to worry about what settings have already been configured.
Individual Group Polices can be configured with the enforce option. This will ensure that the settings in the Group Policy are applied even if an OU is configured to block inheritance. To achieve this, the Group Policy with the enforce option is moved to the end of the processing order. In other words the processing order goes like this: local, site, domain, OU’s and then enforced Group Polices in the order of OU’s, domain and then site. In other words, the enforced Group Polices are moved to the end and applied in the reverse order that they would normally be applied in.
Group Policy Processing
The computer side of Group Policy is applied when the computer starts up. The user side of Group Policy is applied when the user logs in. This means that the user side of Group Policy will overwrite the computer side of Group Policy if there is a conflict. There are very few Group Policy settings that have the same name in the computer and user side of group policy. For this reason it is rare to have conflicts.
To block inheritance on an OU, right click the OU in Group Policy Management and select the option Block Inheritance.
To enforce a Group Policy, right click on the Group Policy and select the option Enforced.
It is recommended that you use the block and enforce options only when required. In a lot of cases you can avoid using these options by careful planning of your Group Policies.
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition” pg 292-294