Alter the order of Group Policy

The Group Policy Processing order from strongest to weakest is:

  1. Organizational Unit GPOs
  2. Domain-Level GPOs
  3. Site-level GPOs
  4. Local GPOs

When I think of Group Policy processing order, I think of it like PEMDAS. However, you can modify the order in which Group Policy is processed. Here are some of the actions you can take to modify it:

  • Block Inheritance
  • Use the Enforced option
  • Security Filter

Block Inheritance

Before I show you how to block inheritance in Active Directory, we need to understand what inheritance is and how it’s used. Inheritance is when a Group Policy assigned to a parent OU is passed down to its child OUs.

For example, I have a Workstation OU (the parent) with Laptops and Desktops as its child OUs. I then assigned a GPO called Save Energy, which creates a custom battery power plan, to the Workstation (parent) OU.

Inheritance then automatically assigns the “Save Energy” GPO to the child OUs (Desktops, Laptops). We can easily see this by going to the Group Policy Inheritance tab.

To prevent the child OU from receiving policy from the parent, right-click the child OU and click “Block Inheritance” in the menu that appears. Afterwards, you should see a check mark next to “Block Inheritance” and a blue exclamation mark next to the file.

Then, if we take a look at the Group Policy Inheritance tab, there is nothing there, because the child OU didn’t inherit anything from the parent OU.

Enforced Options

The Enforced option allows any GPO to have a higher precedence than an OU GPO. For example, let’s say I created a GPO called Save Energy for an OU. We know that OU GPOs have the highest precedence. However, we can change that using Enforced. Let’s enforce the Default Domain Policy. To do that, right-click the GPO we want to enforce and click Enforced.

Before Enforced:

After Enforced:

Now, “Default Domain Policy” has a higher precedence than the OU GPO.

Security Filters

Security filters are helpful when you want to add another layer of filtering. This means that the user has to be a member of a child OU, and that child OU has to be part of a parent OU.

For example, I created an OU called “Getting a raise”. Let’s say I have two people in Web Design named “John Snow” and “Cindy Great”. Let’s say I want to create a GPO that tells people that they got a raise, but I don’t want the other people to know. What I can do is put the people who got a raise in a security group so that “Getting a raise” applies only to that specific group of people.

Let’s see that in action, shall we?

First, I will create a group called “Money Group”. I’m going to assign Cindy to the group because I noticed that she was working hard throughout this year and she should get a raise.

Now, only Cindy is in that group. Next, I’m going to click on the “Getting a Raise” GPO, remove Authenticated Users, and add “Money Group”.

Now, the “Getting a Raise” GPO will only apply to the people who are in the Marketing Department and in the “Money Group”.
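
The three GPMC actions above can also be scripted and then audited with the GroupPolicy PowerShell module (RSAT). This is an added example, not part of the original walkthrough: the GPO and group names come from the post, while the domain DN and OU paths are placeholders assumed for illustration.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module (RSAT/GPMC).
# Assumption: the domain DN and OU layout are placeholders; adjust them to your directory.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'              # placeholder domain
$parentOu = "OU=Workstation,$domainDn"       # parent OU from the post
$childOu  = "OU=Laptops,$parentOu"           # child OU from the post

# 1. Block inheritance on the child OU (same as the right-click "Block Inheritance").
Set-GPInheritance -Target $childOu -IsBlocked Yes | Out-Null

# 2. Enforce the domain-level link (same as right-click > Enforced).
Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced Yes | Out-Null

# Check: an enforced link is not stopped by Block Inheritance, so after steps 1 and 2
# the child OU should still list "Default Domain Policy" but no longer "Save Energy".
$som = Get-GPInheritance -Target $childOu
"Inheritance blocked on ${childOu}: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Target

# 3. Security filtering: let only "Money Group" apply the GPO.
Set-GPPermission -Name 'Getting a Raise' -TargetName 'Money Group' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Variation on the post: instead of removing Authenticated Users outright, downgrade it
# from Apply to Read. Since the MS16-072 update, user settings are retrieved in the
# computer's security context, so the computer account still needs Read on the GPO
# or the policy silently fails to apply.
Set-GPPermission -Name 'Getting a Raise' -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Audit the resulting ACL: only trustees with GpoApply receive the settings.
Get-GPPermission -Name 'Getting a Raise' -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Running `gpresult /r` on a client after `gpupdate /force` shows which GPOs were applied and which were filtered out, which confirms the result from the endpoint's side.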