Recommended Action
5. Group Policy Objects
The following five sub-sections list important properties of all the Group Policy Objects (GPOs) defined on your system. This includes their status, their links to Organizational Units (OUs), account permissions over the GPOs and the various policies defined by them.
- Description and Properties for Group Policy Objects
- Summary of GPOs defined on the system
- Summary of GPOs and their Links to OUs
- Summary of OUs and their Links to GPOs
- Detailed listing of GPOs defined on the system
- GPO Version Discrepancies
5.1 Description and Properties for Group Policy Objects
GPOs are applied hierarchically, starting with GPOs linked to Containers at the top of the tree and ending with GPO-links at the bottom of the tree. The sequence in which GPOs are applied is:
1. The Local GPO on the machine used to log in to the system
2. GPOs linked to Sites
3. Domain-linked GPOs
4. GPOs linked to Organizational Units
In general, policies applied later override those defined earlier. However, this can be altered by the ‘No Override’ and ‘Block Inheritance’ options, by disabling a GPO-link or a Policy Configuration segment, or by removing ‘Read’ or ‘Apply Policy’ access from accounts.
Explanation of Common Terms
What follows is an explanation of the common terms used in this sub-section:
GPO Display Name. The user-friendly name for the GPO.
GPO Exists on Disk. Indicates whether the GPO physically exists in the SYSVOL directory. If it does not exist it has probably been deleted directly, rather than through the appropriate Group Policy maintenance functions.
Computer Configuration Disabled. Indicates the status of the Computer Configuration part of the GPO. If disabled, the various policies (e.g. Rights definitions) defined in the Computer segment of the GPO are ignored when the system applies policy.
User Configuration Disabled. Indicates the status of the User Configuration part of the GPO. If disabled, the various policies defined in the User segment of the GPO are ignored when the system applies policy. This does not affect the policies in the Computer segment of the GPO.
Container. The name of the Container (OU) object to which the GPO is linked.
Type. The type of the Container object. This can be a Domain, ‘OU’ (Organizational Unit) or Site.
No Override. Indicates whether the policies defined in the GPO can be overridden by conflicting policies linked to other Containers at lower levels in the Active Directory tree. If ‘Yes’, policies defined in this GPO cannot be overridden by GPOs linked at lower levels.
Link Disabled. Indicates the status of the GPO-link to the specified Container. If ‘Yes’, the GPO is not applied to that Container. This does not affect links that the GPO may have to other Container objects.
Block Inheritance. Indicates whether policies from higher-level Containers are inherited by this Container. If ‘Yes’, policies flowing down from higher-level Container objects are not inherited. If the ‘No Override’ and ‘Block Inheritance’ options conflict with each other (i.e. they are both set), the ‘No Override’ option will always take precedence.
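The precedence rules described above, modelled as an added example that is not part of the original report. All Container names, GPO names and settings are constructed; the model assumes the Local GPO is not affected by ‘Block Inheritance’ and that, when several links carry ‘No Override’, the one highest in the tree wins (general Active Directory behaviour, not stated in this report).

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    no_override: bool = False   # 'No Override' set on this GPO-link
    disabled: bool = False      # 'Link Disabled' set on this GPO-link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # in processing order (assumption)
    block_inheritance: bool = False

def application_order(chain, local_gpo="Local GPO"):
    """chain lists Containers from the top of the tree (Site, Domain) down to the
    target OU. Returns GPO names in the order applied; the last one wins."""
    # The lowest Container with Block Inheritance cuts off every level above it.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, forced = [], []
    for level, container in enumerate(chain):
        for link in container.links:
            if link.disabled:
                continue                  # a disabled link is never applied
            if link.no_override:
                forced.append(link.gpo)   # 'No Override' beats Block Inheritance
            elif level >= barrier:
                normal.append(link.gpo)
    # 'No Override' GPOs go last, top of the tree last of all (assumption above).
    return [local_gpo] + normal + forced[::-1]

def effective_settings(order, settings):
    """Merge per-GPO settings in application order; later GPOs override earlier."""
    result = {}
    for gpo in order:
        result.update(settings.get(gpo, {}))
    return result

# Constructed sample hierarchy and settings (hypothetical names throughout).
CHAIN = [
    Container("Site-HQ", [Link("Site Proxy")]),
    Container("example.local", [Link("Domain Baseline", no_override=True), Link("Domain Legacy")]),
    Container("OU=Workstations", [Link("Workstation Policy"), Link("Old Test", disabled=True)], block_inheritance=True),
]
SETTINGS = {
    "Local GPO": {"screen_lock_secs": 0, "audit_logon": "none"},
    "Site Proxy": {"proxy": "site"},
    "Domain Baseline": {"audit_logon": "success+failure"},
    "Domain Legacy": {"screen_lock_secs": 900},
    "Workstation Policy": {"screen_lock_secs": 300, "audit_logon": "success"},
}
```

With this sample, the OU blocks the Site and the ordinary Domain link, but the ‘No Override’ Domain link still applies last and overrides the OU-level audit setting.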
Policies Reported On
The following policy definitions are listed for each GPO on your system:
GPO Permissions. Lists the permissions that user accounts and groups have over the GPO. The GPO will not be applied to the account (or members of the group) if it does not have ‘Read’ or ‘Extended Rights’ (Apply Group Policy) access to the GPO.
Rights Policies. Lists the various Rights defined in the GPO. An empty space in the Account Name column indicates that the Right is defined, but is not assigned to anyone. Rights not listed under ‘Rights Defined’ are not defined in the GPO. Rights policies can only be defined in the Computer Configuration part of the GPO.
Event Audit. Lists the various Event Audit settings defined in the GPO. Several events such as when users are logged on, when they access resources, or when they attempt to use special privileges can be configured for the GPO audit. Audited events can only be defined in the Computer Configuration part of the GPO.
Event Logging. This lists the control settings such as size and retention method for the Application, Security and System event logs. Event logging can only be defined in the Computer Configuration part of the GPO.
System Access. Lists the security control settings for the password and lockout policy in Windows 200x* domains. System access can only be defined in the Computer Configuration part of the GPO.
Kerberos Policy. Lists the Kerberos settings defined in the GPO. Kerberos policy can only be defined in the Computer Configuration part of the GPO.
Registry Keys. Lists the various Registry keys used to configure security settings for the GPO, including access control, audit, and ownership. Registry keys can only be defined in the Computer Configuration part of the GPO.
5.2 Summary of GPOs defined on the system
There are a total of 6 GPOs defined on your system:
- 0% (0) exist on disk, but are not linked to any container
- 50% (3) do not exist on disk
- 0% (0) have the Computer Configuration Disabled
- 0% (0) have the User Configuration Disabled
- 50% (3) are not linked to a container
Policy GUID                             Display Name                       GPO Exists on Disk  Computer Config Disabled  User Config Disabled  Nbr Links
{31B2F340-016D-11D2-945F-00C04FB984F9}  Default Domain Policy              No                  No                        No                    0
{4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}  Regional Settings workstations     No                  No                        No                    0
{5471F07B-E3BF-47E6-A2DF-40E55805852D}  New Group Policy Object            No                  No                        No                    0
{6AC1786C-016F-11D2-945F-00C04fB984F9}  Default Domain Controllers Policy  Yes                 No                        No                    1
{F754BFE4-52E2-45B3-9034-36D5C65E8700}  Snake GPO test                     Yes                 No                        No                    1
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}  Regional and Language              Yes                 No                        No                    1
For details of all GPO properties see worksheet GPOs_Summary in the MS-Excel workbook.
5.3 Summary of GPOs and their Links to OUs
Policy GUID  Object  Object Type  No O/Ride  Link Disabled  Block Inh at OU Level  GPO