More specifically, when you choose Enforced for a given GPO, it is moved to the bottom of the list of GPOs that a given user or computer will process. This means that it is processed last and, by virtue of that, overrides any conflicting settings processed earlier. It doesn't prevent downstream GPOs from being processed at all, which is probably an important distinction.
________________________________ From: [EMAIL PROTECTED] on behalf of Bazarewsky, Michael C. Sent: Wed 6/1/2005 12:35 PM To: [email protected] Subject: RE: [ActiveDir] GPO oddity "Enforced" a. k. a. "No Override" takes precedence over "Block Policy Inheritance", see for example http://www.windowsitpro.com/Article/ArticleID/15420/15420.html So the "Enforced" 120 minute overrides the lower 3 minute setting even with "Block Policy Inheritance" set. This is true in Windows 2000 and Windows 2003. -- Michael C. Bazarewsky -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, May 31, 2005 9:26 AM To: [email protected] Subject: [ActiveDir] GPO oddity We have a Default Domain level GPO that is set to "Enforced". In this GPO, we set a 120 minute screensaver timeout that locks the screensaver after 120 minutes. In a GPO at a lower OU level, we have an OU that has "Block Policy Inheritence" turned on, and a GPO is linked to that OU that sets the screensaver timeout to 3 minutes. For some reason, the users in that OU are getting the default domain GPO timeout of 120 minutes rather than the 3 minute screensaver timeout. I assume if we turn off "Enforced" on the default domain GPO, anyone that belongs to a Block Policy Inheritence OU will get their lower level GPO applied rather than the default domain GPO? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
<<winmail.dat>>
