5

If there is a GPO which is applied to all Domain Computers which disables something, is there a way to re-enable the disabled thing for some hosts in the domain, without taking those hosts out of the default Domain Computers group?

In other words, can another GPO, which re-enables the feature that was disabled, be applied to a subset OU, whose member computers are still members of Domain Computers? If so, where exactly in the domain hierarchy should that OU be made, and how should the two GPOs be applied?

paradroid

3 Answers

10

Yes, absolutely, this is the very foundation of Group Policy hierarchy. Group Policies are applied in the following order:

  1. Local Group Policy (Based on the client machine - this is not connected to your AD Group Policy)
  2. Site Level Policies
  3. Domain Level Policies
  4. OU Level Policies

Within each of the latter 3, each 'level' can have multiple GPOs and their order is decided by the system administrator. This is called the "link order" and the lowest number is processed last, which means that policy has the final say.

OU policies are applied starting at the "root", and then downwards, if that makes sense.

Here is some good reading on the subject:

http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

With regard to what to actually do with the individual GPO, well that kind of depends on the policy itself, but generally, they have the following three options:

  • Enabled
  • Disabled
  • Not Configured

And all that happens is that the very last policy to execute will have the final 'say' on what the final setting will be, with the exception of 'Not Configured', where no changes are made. 'Not Configured' is the default for all options within Group Policy when you create a new GPO.

So, if your current policy has a setting that is "Enabled", you need to create a GPO with the same setting "Disabled".

Dan
    +1. Good point about setting the GPO setting to the opposite (or intended setting). Setting it to Not Configured does not "reverse" the setting, it means "no change will be made to the current setting", which is a point that I think confuses some people when they're working with GP. – joeqwerty Mar 27 '12 at 14:48
  • @joeqwerty Agreed, I've seen that confusion. I was taught to read it as "Not configured in this policy", which always made sense to me. – Dan Mar 28 '12 at 07:47
  • How does it work if there is a policy that applies to "Computer Configuration" that disables something on a specific machine, and there is a policy that applies to "User Configuration" that enables that something for a specific user. What will be the setting for the user on that machine? – Doug Apr 15 '16 at 00:18
  • Can Local Group Policy override a policy with "Not Configured"? Some Chrome policies behave differently when not configured. (ex: [`BookmarkBarEnabled`](https://www.chromium.org/administrators/policy-list-3#BookmarkBarEnabled)) – Stevoisiak May 24 '19 at 16:04
  • @StevenM.Vascellaro Not to my knowledge, unfortunately. "Not Configured" will be ignored if the GPO has been configured higher up, because otherwise everything would become "Not Configured" – Dan May 25 '19 at 08:10
4

In addition to the answers posted already, you could also link the GPO to the domain (rather than creating an OU and moving the computer objects to this OU and linking your GPO to this OU) and use Security Filtering to filter the GPO so that it applies to only the computers required. You would only need to set this GPO's link order higher than the other GPO (the one that disables the setting).

I would suggest creating a group for the affected computers, adding the computer objects to this group, create and link your GPO, set the link order for the GPO, and configure Security Filtering for this GPO to apply only to the group you created for these computers.

joeqwerty
  • When you say 'set this GPO's link order higher than the other GPO', do you mean a numerically higher Precedence, or higher in the list (which would be a lower numerical Precedence)? – paradroid Mar 27 '12 at 16:03
  • The GPO with the higher link order (with a link order of 1 being the highest) has a higher precedence, and therefore will be applied later (or last) in the GPO process. So for your GPO you want to give it a higher link order (again, with 1 being the highest) than your other GPOs. – joeqwerty Mar 27 '12 at 16:18
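The domain-linked, security-filtered approach from this answer, written out as an added PowerShell example (not code from any of the answers above). It assumes the RSAT GroupPolicy and ActiveDirectory modules on the admin host, an existing domain-wide GPO that disables the setting, and the hypothetical group, GPO and computer names shown.

```powershell
# Added example: re-enable a domain-wide disabled setting for a subset of computers
# without moving them out of their current OU. Names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example
$groupName = 'GPO-FeatureReEnabled'                 # hypothetical filter group
$gpoName   = 'Re-enable Feature (Filtered)'         # hypothetical override GPO
$members   = 'WS-0001', 'WS-0002'                   # hypothetical computer names

# 1. Security group that decides which computers receive the override.
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$domainDn" -PassThru
Add-ADGroupMember -Identity $group -Members ($members | ForEach-Object { Get-ADComputer -Identity $_ })

# 2. Create the override GPO and link it at the domain, alongside the disabling GPO.
New-GPO -Name $gpoName -Comment 'Overrides the domain-wide disable for members of the filter group' | Out-Null
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null

# 3. Link order 1 = highest precedence = processed last, so its "Enabled" value wins
#    over the "Disabled" value set by the other domain-linked GPO.
Set-GPLink -Name $gpoName -Target $domainDn -Order 1 | Out-Null

# 4. Security filtering: only the group may apply the GPO. Authenticated Users are
#    reduced to Read rather than removed, because a computer account that cannot
#    read the GPO skips it entirely, which would silently break the override.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Verify the link order at the domain and who holds Apply on the new GPO.
(Get-GPInheritance -Target $domainDn).GpoLinks | Format-Table Order, DisplayName, Enabled
Get-GPPermission -Name $gpoName -All | Where-Object Permission -eq 'GpoApply' | Format-Table Trustee, Permission
```

Group membership for a computer is evaluated at logon, so reboot (or re-authenticate) the affected hosts before running gpupdate and gpresult to confirm the override applied.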
2

Yes, the order in which the group policies get applied depends on their placing within the Active Directory structure, following the LSDO order (Local, Site, Domain, Organisational Unit).

So, if your domain computers policy is applied at the domain level, you can apply another policy at the OU level that contains the hosts that you want to override the settings for. The OU-level policy will override any duplicated settings.

Chris McKeown