17 December, 2010

Block Policy Inheritance & No Override

No Override
Also known as "Enforce" in Group Policy Management Console
Setting has to be defined on a Group Policy Object
A policy on which "No Override" or "Enforce" is enabled cannot be blocked

Block Policy Inheritance
Setting has to be defined on an OU
When implemented, this blocks all the policies coming from the levels above, except for the policies on which "No Override" or "Enforce" is enabled.
Example
In a domain "Contoso.com", we have created 3 OUs - EPS, DS, DS1
We have applied a Group Policy on each OU

EPS - EPS Policy
DS - DS Policy
DS1 - DS1 Policy

In addition, we have set "No Override" on the "EPS Policy" and "Block Inheritance" on the DS1 OU

Now, which Group Policies will finally be in effect on the OU DS1?

If "No Override" and "Block Inheritance" were not set, then all three policies, along with the default domain policy, would have applied on DS1

But since "No Override" on "EPS Policy" and "Block Inheritance" on DS1 have been set, the effective policies that will apply are "EPS Policy" (because of the No Override flag) and "DS1 Policy" (because Block Policy Inheritance blocks all the policies ABOVE this OU and not the one which is applied ON this OU)
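
The two rules above, worked through as a small model. This is an added example, not part of the original post and not Microsoft code. It assumes the OUs are nested as Contoso.com > EPS > DS > DS1, which the post implies but does not state; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Link:
    gpo: str
    enforced: bool = False  # "No Override" / "Enforce", set on the GPO link

@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)
    block_inheritance: bool = False  # "Block Policy Inheritance", set on the OU

def effective_gpos(target):
    """GPO names reaching `target`, listed from the domain down to the OU."""
    applied, blocked, node = [], False, target
    while node is not None:
        # Links on the blocking OU itself (or below it) always pass;
        # links above a blocking OU pass only if they are enforced.
        applied += [l.gpo for l in reversed(node.links) if l.enforced or not blocked]
        blocked = blocked or node.block_inheritance
        node = node.parent
    return applied[::-1]

def build_contoso(enforce_eps, block_ds1):
    """Constructed model of the post's example; the nesting is an assumption."""
    domain = Container("Contoso.com", links=[Link("Default Domain Policy")])
    eps = Container("EPS", domain, [Link("EPS Policy", enforced=enforce_eps)])
    ds = Container("DS", eps, [Link("DS Policy")])
    ds1 = Container("DS1", ds, [Link("DS1 Policy")], block_inheritance=block_ds1)
    return {c.name: c for c in (domain, eps, ds, ds1)}

if __name__ == "__main__":
    # First run: neither flag set. Second run: the configuration from the post.
    for flags in ((False, False), (True, True)):
        ous = build_contoso(*flags)
        print(flags, effective_gpos(ous["DS1"]))
```

Running it with only Block Inheritance set on DS1 (and no Enforce on "EPS Policy") leaves DS1 with its own policy alone, which is a quick way to see what an enforced link changes.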