Group policy precedence and inheritance in Active Directory

Applying group policies on users makes our task easier. There is the order of how these policies get applied on a user. Group policies on OU (organizational units) have more precedence than domain GPOs which have higher priority than site GPOs and Local GPOs.Policies are applied in

Policies are applied in following order:

1.   Local GPOs
2.   Site GPOs
3.   Domain GPOs
4.   OU GPOs
5.   Enforced GPOs

When new GPO is applied, it overrides the previous one. So, the last one has highest precedence and first one has least. To make it clearer, I’ll explain it with an example.

1 . In the picture below, you can see my Group policy management console, where my site is my Forest and my domain is college.local. In my domain, I have one OU as “nocontrolpannelaccess”. and I have linked it to “nocontrolpannelacessGPO”. I have edited nocontrolpannelaccessGPO in such a way that it will prohibit users to access control panel and other GPO “controlpannelaccess” allows users to use control panel.

This GPO for the OU overrides other GPOs linked to Domain (Default Domain Policy and controlpannelaccess). Thus, the users in OU “nocontrolpannelacessGPO” will not be able to access control panel.

2. If you block inheritance on any OU, then any group policy above this OU doesn’t get applied. As you can see, the container “nocontrolpannelaccess” just has now only one policy on it.

3. If on the other hand, I enforce “controlpannelaccess” policy on domain, then no matter what policy is applied on any OU, enforced policy (controlpannelaccess) will have more precedence. So even users in “nocontrolpannelaccess” OU will now be able to access their control panel.

Add client to Active Directory Domain on Window server 2012

Your domain controller is of no use if you haven’t added machines to it. So here I am going to show simple steps to add client (window server 2008 r2) to window server 2012 domain.

From the AD users and computers of server 2012, right click computers, then go to New|Computer. In the prompt asking for name, give name of your client machine.

Then switch to client machine, and make sure in network settings, DNS is pointing to the correct DNS server. In my case, DNS address is same as IP address of server 2012. To make sure, ping your domain from client machine.

Now, in the system settings of window server 2008, click ‘Provide computer name and domain’ and then ‘change’ (Pic. 2).

In a prompt, select domain, and correctly put the name of your domain in space provided and press OK (Pic. 3).

Congratulations! You just connected your client to your domain.

All about active directory users and computers (Window Server):

As name implies, active directory users and computers is used to manage users, groups, computers, domains, organizational units in Active Directory.  Using this Microsoft Management Console (MMC), you can create new users, reset their passwords, add them to certain groups, grant certain rights, move them, enable or disable them and so on. You can access AD users and computers mmc from tools or by typing “dsa.msc” in run.

If you expand domain name (college.local) in left pane, you can see different containers like builtin, computers, Domain Controllers etc.Builtin contains the automatically created security groups like Administrators, Backup Operators and

Builtin contains the automatically created security groups like Administrators, Backup Operators and many more that Microsoft creates for our easiness. Brief description of each group is given on the right hand.Computers container is the default containers of all workstations or computer objects in active directory.

Computers container is the default containers of all workstations or computer objects in active directory.Domain Controller contains all domain controllers in active directory domain.

Domain Controller contains all domain controllers in active directory domain.

Forest Security Principals contains the objects that belong to trusted external domains.

Users is default containers for all objects in active directory. Objects can be computers, groups, users, etc.

Create a new OU:

Organisational unit is a container in active directory to which group policies can be applied. To create OU, right click on the domain, then new and select organisational unit. Give a unique name in screen and enter OK.

Create a user and add a user to group:

To create a user, right click on OU and then new|user. Follow the prompts to add new user. If you want to add user to a group, then right click the user and select add to a group. In a prompt ‘select groups’, type in the first few words, then click check names. Then select the group you want to the user to be member of. If you are not sure about group name, then click Advanced. Click Find Now to see all the groups.

Note: Ordinary user cannot login into domain controller. The user should be member of ‘domain admins’.

 

There are many other things you can do in AD users and computers like Move a user, create a group, delete a group, reset password, set logon times and so on.