Active Directory and Group Policy

I already know what you’re thinking. That means that someone could create a policy at the OU level that overrides a site or domain policy – you’re absolutely correct. In order to control this, Windows 2000 enables two features: No Override and Block Inheritance. This No Override feature is based on the principle that higher levels in the hierarchy should have more control. As such, No Override can be set on site, domain, and OU policies. When this is set, as shown below, these settings override any others in the event of a conflict. Note that settings still merge, but in the event of conflicts, the No Override policy’s settings will take precedence.

By the same token, in some scenarios you may not want block policy settings to a particular OU, like the one containing yor software developers for example. In this case, you can set Block Inheritance on a policy. In this case, any settings that would be inherited from above are ignored.

This leads to another interesting question – what happens when an administrator has set No Override on a domain policy, and another administrator has set Block Inheritance on an OU policy? Clearly a conflict exists, and the answer is simple – No Override always wins.

You should be aware that group policy settings will automatically refresh on a client system approximately every 90 minutes (there is a random offset of 30 minutes), and on a domain controller every 5 minutes by default. If you wish to force a group policy update immediately, you would use the command-line security configuration and analysis tool, secedit.exe. The syntax is below:

To refresh the computer portion of group policy: secedit /refreshpolicy machine_policy
To refresh the user portion if group policy: secedit /refreshpolicy user_policy

One last note with respect to group policy objects. When these are set up, there are security permissions associated with them. By default, the Authenticated Users group is given the ‘Apply Group Policy’ and ‘Read’ permissions to the GPO. If you wanted to filter policy application further, you could change the permissions associated with a GPO. For example, if I removed the permissions above from the Authenticated Users group, and applied them only to the Sales group in my domain, then the settings in this GPO would only be applied to members of the Sales group. Be sure to remember that group policy cannot be applied to groups – however, you now know that policy settings can be filtered to achieve a similar objective.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.