Access Denied: Reviewing the No Override Option for GPOs
Review the rules that govern the No Override option for GPOs.
April 16, 2002
[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]
I have a question about the No Override option on Group Policy Objects (GPOs). Suppose I create a New York organizational unit (OU), and inside New York I create a sub-OU called Servers. Then, I create a GPO for each OU and mark both GPOs as No Override. If I enable conflicting security policies in the GPOs, which GPO—the higher-level or lower-level GPO—wins?
The higher-level GPO wins. For example, if you enable the Audit logon events option in New York's GPO and designate the option No Override, then disable it in the GPO linked to the Servers OU, computers in the Servers OU will audit logon events. Usually, when GPOs conflict, lower-level GPOs override higher-level GPOs; however, policies in a GPO marked as No Override overrule conflicting policies in GPOs linked to lower-level OUs. When multiple GPOs are flagged as No Override, the highest-level GPO wins.
Ordinarily, you define general policies high in the domain and implement exceptions in GPOs linked to lower OUs. Because we usually view lower-level OUs as more specific than their parent OUs, it makes sense for policies defined lower in the OU tree to override policies defined higher in the tree. However, you might have a few policies that you must ensure are configured in a certain way for the whole domain or from a certain point down in your OU hierarchy. No Override addresses this situation. For GPOs flagged as No Override, Windows 2000 views higher OUs as having greater authority, and the highest No Override GPO overrides all other GPOs.
How No Override works, of course, matters most when two GPOs have conflicting policies. A policy in a No Override GPO that's undefined has no effect on lower GPOs in which that policy is defined. For example, if New York's GPO leaves Audit process tracking undefined and the Servers GPO enables Audit process tracking for success and failure, computers in the Servers OU will audit process-tracking events.
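The precedence rules described above, as an added worked example (not code from the column or from Windows itself): a small Python model that resolves one policy across a chain of linked GPOs, giving a No Override GPO priority over everything below it, the highest No Override GPO priority when several carry the flag, and otherwise letting the lowest GPO that actually defines the policy win. It assumes one GPO linked per container and ignores link order and Block Policy Inheritance; the GPO names and audit values are constructed to mirror the column's New York/Servers scenario.

```python
"""Model of how Windows 2000 resolves conflicting GPO settings with No Override."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GPO:
    name: str
    no_override: bool
    settings: Dict[str, Optional[str]]  # policy -> value; None means "not defined"


def effective_setting(chain: List[GPO], policy: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (value, winning GPO name) for one policy.

    `chain` lists the GPOs linked from the highest container down to the
    lowest OU, e.g. [domain GPO, New York GPO, Servers GPO].
    """
    # Rule 1: a No Override GPO that defines the policy beats every GPO below
    # it, and when several No Override GPOs define it, the highest one wins.
    for gpo in chain:
        if gpo.no_override and gpo.settings.get(policy) is not None:
            return gpo.settings[policy], gpo.name
    # Rule 2: otherwise the lowest GPO that defines the policy wins (normal
    # inheritance); an undefined policy never overrides a defined one.
    value, source = None, None
    for gpo in chain:
        if gpo.settings.get(policy) is not None:
            value, source = gpo.settings[policy], gpo.name
    return value, source


def resultant_set(chain: List[GPO]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Resolve every policy mentioned in any GPO of the chain."""
    policies = {p for gpo in chain for p in gpo.settings}
    return {p: effective_setting(chain, p) for p in sorted(policies)}


# Constructed sample reproducing the column's scenario (values are illustrative).
NEW_YORK = GPO("New York", no_override=True, settings={
    "Audit logon events": "Success, Failure",
    "Audit process tracking": None,          # left undefined in the parent
})
SERVERS = GPO("Servers", no_override=True, settings={
    "Audit logon events": "No auditing",     # conflicts with the parent
    "Audit process tracking": "Success, Failure",
})
CHAIN = [NEW_YORK, SERVERS]

if __name__ == "__main__":
    for policy, (value, source) in resultant_set(CHAIN).items():
        print(f"{policy:24} -> {value!s:18} (from {source})")
```

Dropping the No Override flag from the New York GPO (`GPO("New York", no_override=False, settings=NEW_YORK.settings)`) flips the "Audit logon events" result to the Servers value, which is the normal lower-wins behaviour the column contrasts against.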