1
00:00:00,390 --> 00:00:06,890
You can configure the same policy setting in more than one GPO, which can result in GPO conflict.

2
00:00:06,900 --> 00:00:14,190
For example, you might enable a policy setting in one GPO, disable it in another, and then not configure

3
00:00:14,190 --> 00:00:15,440
it in a third.

4
00:00:15,510 --> 00:00:16,190
In this case,

5
00:00:16,200 --> 00:00:24,120
the precedence of the GPOs determines which policy setting the client applies. A GPO of higher precedence

6
00:00:24,330 --> 00:00:30,660
prevails over a GPO of lower precedence. Precedence is shown as a number in the GPMC.

7
00:00:30,660 --> 00:00:35,810
The smaller the number, that is, the closer to one, the higher the precedence.

8
00:00:35,820 --> 00:00:44,880
Therefore, a GPO that has a precedence of one will prevail over other GPOs. Select the relevant AD DS container,

9
00:00:45,120 --> 00:00:51,110
and then click the Group Policy Inheritance tab to view the precedence of each GPO.

10
00:00:51,150 --> 00:00:57,990
When you enable or disable a policy setting in a GPO with higher precedence, the configured setting takes

11
00:00:57,990 --> 00:00:58,620
effect.

12
00:00:58,620 --> 00:01:04,320
However, remember that policy settings are set to Not Configured by default.

13
00:01:04,500 --> 00:01:11,320
If a policy setting is not configured in a GPO with higher precedence, the enabled or disabled policy

14
00:01:11,320 --> 00:01:15,670
setting in a GPO with lower precedence will take effect.

15
00:01:15,690 --> 00:01:20,070
You can link more than one GPO to an AD DS container object.

16
00:01:20,070 --> 00:01:27,760
The link order of GPOs determines the precedence of GPOs in such a scenario. GPOs

17
00:01:27,790 --> 00:01:33,560
with a higher link order take precedence over GPOs with a lower link order.

18
00:01:33,630 --> 00:01:42,000
When you select an OU in the GPMC, the Linked Group Policy Objects tab shows the link order

19
00:01:42,240 --> 00:01:44,830
of GPOs linked to that OU.

20
00:01:44,880 --> 00:01:52,410
The default behavior for Group Policy is that GPOs linked to a higher-level container are inherited

21
00:01:52,440 --> 00:01:54,430
by lower-level containers.

22
00:01:54,510 --> 00:02:01,770
When a computer starts up or a user logs on, the Group Policy client examines the location of the computer

23
00:02:01,770 --> 00:02:09,510
or user object in AD DS and evaluates the GPOs with scopes that include the computer or user.

24
00:02:09,720 --> 00:02:18,210
Then the client-side extensions apply policy settings from these GPOs. Policies apply sequentially, beginning

25
00:02:18,210 --> 00:02:25,110
with the policies linked to the site, followed by those linked to the domain, followed by those linked

26
00:02:25,170 --> 00:02:33,540
to OUs, from the top-level OU down to the OU in which the user or computer object exists.

27
00:02:33,570 --> 00:02:40,710
It is a layered application of settings, so a GPO that is applied later in the process, because it has

28
00:02:40,860 --> 00:02:43,110
higher precedence, overwrites

29
00:02:43,110 --> 00:02:45,770
settings applied earlier in the process.

30
00:02:45,810 --> 00:02:51,680
The sequential application of GPOs creates an effect called policy inheritance.

31
00:02:51,720 --> 00:02:58,680
Policies are inherited, so the resultant set of policies for a user or a computer will be the cumulative

32
00:02:58,680 --> 00:03:06,660
effect of site, domain and OU policies. By default, inherited GPOs have lower precedence than GPOs

33
00:03:06,660 --> 00:03:08,900
linked directly to the container.

34
00:03:08,910 --> 00:03:15,750
For example, you might configure a policy setting to disable the use of registry editing tools for all

35
00:03:15,750 --> 00:03:22,340
users in the domain by configuring the policy setting in a GPO linked to the domain.

36
00:03:22,410 --> 00:03:28,700
The GPO and its policy setting are inherited by all users within the domain.

37
00:03:28,710 --> 00:03:36,300
However, you probably want administrators to be able to use registry editing tools, so you can link a

38
00:03:36,320 --> 00:03:43,890
GPO to the OU that contains administrator accounts and then configure the policy setting to

39
00:03:43,890 --> 00:03:52,110
allow the use of registry editing tools. Because the GPO linked to the administrators' OU takes

40
00:03:52,110 --> 00:03:55,320
higher precedence than the inherited GPO,

41
00:03:55,380 --> 00:04:01,860
administrators will be able to use registry editing tools. If there are multiple GPOs linked to

42
00:04:01,860 --> 00:04:04,010
an AD DS container object,

43
00:04:04,110 --> 00:04:11,400
the objects' link order determines their precedence. To change the precedence of a GPO link, select the

44
00:04:11,670 --> 00:04:20,130
AD DS container object in the GPMC console tree, click the Linked Group Policy Objects tab in

45
00:04:20,130 --> 00:04:29,130
the details pane, select the GPO, and use the Up, Down, Move to Top, and Move to Bottom arrows to change the

46
00:04:29,130 --> 00:04:32,140
link order of the selected GPO.

47
00:04:32,220 --> 00:04:37,870
You can configure a domain or OU to prevent the inheritance of policy settings.

48
00:04:37,920 --> 00:04:44,640
This is known as blocking inheritance. To block inheritance, right-click the domain or OU in the GPMC

49
00:04:44,640 --> 00:04:51,360
console tree and then select Block Inheritance. The Block Inheritance option is a property of a

50
00:04:51,360 --> 00:04:59,830
domain or OU, so it blocks all Group Policy settings from GPOs linked to parents in the Group Policy

51
00:04:59,960 --> 00:05:06,880
hierarchy. For example, when you block inheritance on an OU, GPO application begins with any

52
00:05:06,880 --> 00:05:10,290
GPOs linked directly to that OU.

53
00:05:10,370 --> 00:05:17,010
Therefore, GPOs linked to higher-level OUs, the domain, or the site will not apply.

54
00:05:17,060 --> 00:05:19,150
Use the Block Inheritance option

55
00:05:19,280 --> 00:05:26,030
carefully, because blocking inheritance makes it more difficult to evaluate Group Policy precedence and

56
00:05:26,030 --> 00:05:26,990
inheritance.

57
00:05:26,990 --> 00:05:33,480
With security group filtering, you can scope a GPO carefully so that it applies to only the correct

58
00:05:33,480 --> 00:05:40,750
users and computers in the first place, making it unnecessary to use the Block Inheritance option.

59
00:05:40,750 --> 00:05:49,290
Now, additionally, you can set a GPO link to be enforced. To enforce a GPO link, right-click the GPO link

60
00:05:49,290 --> 00:05:54,100
in the console tree and then click Enforced on the shortcut menu.

61
00:05:54,200 --> 00:06:01,600
When you set a GPO link to be enforced, the GPO takes the highest level of precedence. Policy settings

62
00:06:01,640 --> 00:06:07,640
in the GPO will prevail over any conflicting policy settings in other GPOs.

63
00:06:07,730 --> 00:06:14,810
Furthermore, a link that is enforced will apply to child containers even when those containers are set

64
00:06:15,020 --> 00:06:21,920
to block inheritance. The Enforced option causes the policy to apply to all objects within its scope.

65
00:06:21,950 --> 00:06:29,990
The Enforced option causes policies to override any conflicting policies and apply regardless of whether

66
00:06:29,990 --> 00:06:32,900
the Block Inheritance option is in use.

67
00:06:32,900 --> 00:06:39,680
Enforcement is useful when you must configure a GPO that defines the configuration mandated by your

68
00:06:39,800 --> 00:06:43,210
corporate IT security and usage policies.

69
00:06:43,220 --> 00:06:49,490
Therefore, you should ensure that other GPOs do not override those settings. You can do this by enforcing

70
00:06:49,490 --> 00:06:50,160
the GPO's link.

71
00:06:50,170 --> 00:06:57,140
Now, to facilitate evaluation of GPO precedence, you can simply select an OU or a domain and

72
00:06:57,140 --> 00:07:04,340
then click the Group Policy Inheritance tab. This tab will display the resultant precedence of GPOs

73
00:07:04,610 --> 00:07:11,150
according to GPO link, link order, inheritance blocking, and link enforcement.

74
00:07:11,150 --> 00:07:15,680
This tab does not account for policies that are linked to a site,

75
00:07:15,770 --> 00:07:21,410
nor does it account for GPO security or WMI filtering.