Windows Server 2008 : Configure Group Policy Application Settings

10/29/2010 7:09:05 PM
It’s true that creating and applying a policy can be relatively easy. Over time, however, ways have been developed to manipulate policies: to alter how they apply, to change the order in which they apply, and even to remove all or part of their application.

In this section we will discuss the following alterations:

  • Raising or lowering the link order

  • Disabling a policy

  • Disabling half a policy

  • Deleting a link or a policy

  • Block inheritance

  • Enforce a policy

  • Filter GPO application

Raise or Lower the Link Order

Within each level of Group Policy application (site, domain, OU) is a ranking precedence order in which policies are applied.

For example, in Figure 1, you can see two policies applied to the New York OU. One says No Screensaver Tab, and the other says Include the Screensaver Tab. Which will be applied?

Figure 1. Linked GPO settings.

Links are processed from lowest precedence to highest, so number 2 is processed first and then number 1. In this case, the No Screensaver Tab policy wins the conflict.

If two policies within the same level contain values for the same setting, the link order decides which one takes precedence. Therefore, if you look at the options to the left of the table, you see that you can alter the link order so that the policy you want to win (the one applied last) is number 1, or at least higher in the link order than the policy it conflicts with.

Disable a Policy

There are many reasons you might want to disable a GPO. Perhaps you are troubleshooting or reorganizing your policy settings. Whatever the case, there are multiple ways to disable (without deleting) a GPO.

One way is to disable it on the level where you are having difficulty. For example, if you have a policy that is applied to multiple OUs, but only one OU is having trouble, you can disable it from that OU by performing the following steps:

In the Group Policy Management tool, locate the OU where you want to disable the policy. Right-click the policy.

Note the checkmark next to Link Enabled. Click Link Enabled to remove that checkmark.

That policy, although still linked to the OU, is now disabled for that OU. The icon now appears slightly dulled.

If you want to disable a policy at the GPO level (which will apply to all applications of that policy), perform the following steps:

In the Group Policy Management tool, locate the Group Policy Objects container under the domain.

Locate and right-click the policy.

Hover over GPO Status and select the option All Settings Disabled. The icon now appears dulled.

Disable Half a Policy

Every policy adds a slight bit of performance overhead to your system during bootup and login. Therefore, if you have a policy that contains only user configuration settings, you might want to disable the computer configuration portion of the policy. That might save a tiny amount of processing time when the policy is applied.

To disable half a policy, perform the following steps:

In the Group Policy Management tool, locate the Group Policy Objects container under the domain.

Locate and right-click the policy.

Hover over GPO Status and, under the option All Settings Disabled, select one of the following options, depending on your needs:

  • User Configuration Settings Disabled

  • Computer Configuration Settings Disabled


Be warned here. You gain only a minor performance increase by disabling half a policy. If, after you disable half a policy, you forget that you’ve done so and have to figure out why a policy you reconfigure isn’t applying, you will have a frustrating search on your hands. Use this feature sparingly and don’t forget to document your settings.

Delete a Link or a Policy

To delete a policy, you can right-click it and click Delete, but depending on where you do this, you will have different results. For example, if you right-click an applied policy within an OU (you can tell it is applied because it has a little shortcut arrow in the bottom corner that you do not see in the Group Policy Objects container) and then click Delete, you will receive the message “Do you want to delete this link? This will not delete the GPO itself.” On the other hand, if you select a policy directly from the Group Policy Objects container, right-click it, and choose Delete, the message you receive is “Do you want to delete this GPO and all links to it in this domain? This will not delete links in other domains.”


Because you are deleting a GPO that may be linked to other parts of your domain, you should take a look at the Scope tab for the policy first and note the other sites, domains, and OUs that have it linked so you can inform any other administrators that you are deleting this policy before you do it.

Block Inheritance

While the typical method of policy application occurs from sites to domains to OUs, and so forth, there may be times when you want to block a policy from being applied. You can use the setting Block Inheritance to block GPOs and their policies from applying down to areas you feel are not applicable.

To accomplish this, you locate the OU (or domain, if you are seeking to block from the site level), right-click, and select Block Inheritance. The OU now has a blue circle with a white exclamation point. This setting will block all policies from above from applying to the OU. Now only the policies applied to that OU will apply. However, there is a way for administrators with greater power to enforce their policies and trump your block inheritance. Read on.

Enforce a Policy

Any time you, as an administrator, want to ensure that a policy is absolutely applied down the food chain, regardless of Block Inheritance settings, you can enforce your policy by using the Enforced option.


In first-release versions of Group Policy with Windows 2000, Enforced was called No Override.

Enforcing policy settings is quite simple: You right-click the GPO link (so you won’t find this in the Group Policy Objects container, but on the links within an OU, at the domain or site level where the policies are actually linked) and then choose Enforced. Note that the link icon changes slightly, to reveal a little lock.
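The link order, Link Enabled, Block Inheritance, and Enforced settings described above all combine into one effective precedence list for a container. The following added example (not part of the original article) reports that list from the command line. It assumes the GroupPolicy PowerShell module, which ships with Windows Server 2008 R2 and later or with RSAT rather than with the original Windows Server 2008 release; the function name and the example.com distinguished name are hypothetical.

```powershell
# Added example; requires the GroupPolicy module (assumption: 2008 R2/RSAT or later).
Import-Module GroupPolicy

function Get-OuPolicyPrecedence {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Target   # distinguished name of the OU or domain to inspect
    )

    # Get-GPInheritance returns the container's own links (GpoLinks), the
    # effective list after inheritance is resolved (InheritedGpoLinks), and
    # whether Block Inheritance is set on the container.
    $som = Get-GPInheritance -Target $Target

    # Effective list: Order 1 is processed last and wins on conflict.
    foreach ($link in $som.InheritedGpoLinks) {
        New-Object PSObject -Property @{
            Container          = $som.Path
            InheritanceBlocked = $som.GpoInheritanceBlocked
            Precedence         = $link.Order
            Gpo                = $link.DisplayName
            LinkedAt           = $link.Target
            Inherited          = ($link.Target -ne $som.Path)
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
        }
    }

    # Links made on this container with Link Enabled cleared. They are easy
    # to overlook in the console because only the icon is dulled.
    foreach ($link in $som.GpoLinks) {
        if (-not $link.Enabled) {
            Write-Warning "Link to '$($link.DisplayName)' on $($som.Path) is disabled"
        }
    }
}

# Constructed target: the New York OU from Figure 1 in a placeholder domain.
Get-OuPolicyPrecedence -Target 'OU=New York,DC=example,DC=com' |
    Sort-Object Precedence |
    Format-Table Precedence, Gpo, LinkedAt, Inherited, LinkEnabled, Enforced -AutoSize
```

A row with Inherited and Enforced both true on a container where InheritanceBlocked is true is a policy from above that the block did not stop.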

Filter GPO Application

There are several ways to alter the application of a GPO. While turning off the user or computer configuration options may alter the way the policy is applied to a site, domain, or OU (as do the Block Inheritance and Enforced policy options), it does not change the persons or computers within a site, domain, or OU that have the policy applied toward them.

For example, if a group of settings among multiple policies are added up and applied to an OU that has 100 people in it, all 100 will typically have those policies applied.

Now one way to filter this is by using the Security Filtering settings. When you select a policy in the Group Policy Management tool, you see in the Security Filtering portion of the Scope tab (shown in Figure 2) that the default setting is to apply the policy to authenticated users.

Figure 2. Filtering GPO application with security filters.

If you want certain persons or computers but not others to have the policy applied, you can create different groups and then add those persons/computers to the groups. You can then remove Authenticated Users by clicking Remove and add the security groups you have created that you want those policies applied to.


Technically, you cannot attach a GPO to a group. However, you can attach it to an OU and then use security filtering to attach it to a group that is in the OU.

Now this method certainly provides a way to apply policies to only those you want, but you might want to drill down a little deeper and not have a policy apply to someone in the group to which you just applied the policy. You could remove this person from the group, but that might cause other problems. So, how would you alter individuals or groups of individuals who seem locked in to receive this policy?

The key is knowing what is going on under the hood with the GPO. Users who have the policy applied to them have two permissions settings that are explicitly set: Allow Read and Apply Group Policy. These two settings are absolutely necessary if you want the policy applied to the group. You can explicitly deny those abilities to an individual in a group that has the permissions, and this Deny setting will override anything else. You can do this for multiple persons or create a group and deny the group those permissions.

To reach these permission settings, you select the Delegation tab from within the Group Policy Management tool. Imagine, in this scenario, that you have created special groups to which to apply the policy, and you have removed the Authenticated Users group from the security filtering options. At this point, you need to select the Delegation tab and add the user or group to which you want to explicitly deny access to the policy settings.

In the Delegation tab, click Add, enter the object name to include, and click OK. When it is included, select the object and click Advanced. You now see the security settings over that object. You can purposely select Deny for both the ‘Read’ and ‘Apply Group Policy’ settings.

With the Deny setting chosen, those persons or groups with the Deny setting will be passed over during the security check for policy application because Deny takes precedence over everything else.


You have just learned two different approaches to filtering GPOs from application. One is to apply a GPO through security filtering so that only those you approve apply the policy. The other is to deny the application to those you don’t want the policy applied to. The real difference between the two methods appears when you are tracking a problem. The security filter easily shows you who has it applied, and that should be enough—unless you use the Deny feature. In that case, you have to go to the Delegation tab and click Advanced on every object in the tab to find out if any have the Deny setting on. So it just depends on how methodical you want to be when creating and applying policies in the first place. The preferred, recommended, and cleaner method is the first one: applying a GPO through security filtering.
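Checking every object on every Delegation tab by hand does not scale, and a half-disabled GPO is just as easy to forget. The following added example (not part of the original article) lists both conditions for every GPO in the domain. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 and later, or RSAT) and a domain-joined session; the function name is hypothetical.

```powershell
# Added example; requires the GroupPolicy module (assumption: 2008 R2/RSAT or later).
Import-Module GroupPolicy

# rightsGuid of the "Apply Group Policy" extended right in Active Directory.
$ApplyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-GpoFilterAudit {
    foreach ($gpo in Get-GPO -All) {

        # GPO Status other than fully enabled: all settings disabled, or
        # the user or computer half of the policy disabled.
        if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
            New-Object PSObject -Property @{
                Gpo     = $gpo.DisplayName
                Finding = "GPO Status is $($gpo.GpoStatus)"
                Trustee = $null
            }
        }

        # Read the ACL of the GPO's directory object and report every Deny
        # entry, which is what the Advanced button on the Delegation tab shows.
        $entry = [ADSI]"LDAP://$($gpo.Path)"
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])

        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Deny') { continue }

            $what = if ($ace.ObjectType -eq $ApplyGroupPolicy) {
                'Deny Apply Group Policy'
            } else {
                "Deny $($ace.ActiveDirectoryRights)"
            }

            New-Object PSObject -Property @{
                Gpo     = $gpo.DisplayName
                Finding = $what
                Trustee = $ace.IdentityReference.Value
            }
        }
    }
}

Get-GpoFilterAudit | Sort-Object Gpo | Format-Table Gpo, Finding, Trustee -AutoSize
```

Keeping the output of a run alongside your change records gives you the documentation of these settings that the text recommends.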
