Understand group policy hierarchy

Group policy is extremely useful in helping you accomplish a wide range of tasks, including managing user settings, restricting access to workstation changes, and much more.

If you have had any experience with the Active Directory, you probably know that the AD makes the application of group policies possible. Group policy is extremely useful in helping you accomplish a wide range of tasks, including managing user settings and restricting access to workstation changes. In effect, you can think of group policy as a template applicable to a user's computer and account to control permissions, software behavior, change control, and more.

As useful as group policy is, many administrators—particularly in smaller companies—do not use group policy. Understanding how group policy is applied is the first step in implementing group policy.

One can apply group policy at four levels: local, organizational unit (OU), domain, and site. First applied are local policies, followed by site, domain, and OU. For that reason, a higher level can override policies. For example, a policy set at the local level can be overridden by an OU policy.

In addition, policies fall into two categories: machine and user. Machine policies apply to the user's computer and the user policies apply to the user account.

The application hierarchy described above applies for both machine and user policies.