Explanation of GPO (Group Policy Object) inheritance and Link Order in VGP (Vintela Group Policy)
VGP uses a two-stage policy application strategy for security and performance benefits. The two stages are accumulation and application.
In the accumulation stage, VGP looks up all of the GPOs applied to a machine, and each client-side extension (CSE) to the VGP framework then accumulates all of its settings from each of those GPOs. During this stage, each CSE must also resolve conflicting setting values to determine a Resultant Set of Policy (RSoP). Once the RSoP has been determined, it may be applied to the VGP client during the application stage, in which the CSEs apply the settings to the client by modifying files, running scripts, etc.
GPOs can be linked to a site, a domain, or an organizational unit. You can add one or more GPO Links to each site, domain, and organizational unit using the Group Policy Management Console (GPMC). By default, the settings deployed by GPOs linked to parent containers in Active Directory are inherited by child containers and combine with any settings deployed in GPOs linked to those child containers. If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence sets the setting. GPO processing is based on a last-writer-wins model: GPOs that are accumulated later have precedence over GPOs that are accumulated earlier.
In VGP, GPOs are accumulated according to the following order:
1. GPOs linked to sites.
2. GPOs linked to domains.
3. GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units.
Links to a specific site, domain, or organizational unit are accumulated in reverse sequence based on link order. For example, a GPO with Link Order 1 is accumulated last and therefore has the highest precedence among the GPOs linked to that container.
Link order is the source of much confusion. Many people erroneously believe that link order refers to the order in which GPOs are applied. This is false. Link order could more accurately be named Link Precedence or GPO Precedence. GPOs at each level in the directory hierarchy will always be applied in reverse link order.
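The ordering rules above can be traced with a small model. This is an added example, not VGP or One Identity code: it assumes one site, one domain and a single chain of nested OUs for the machine, and the GPO names, setting names and the GpoLink, accumulation_order and resultant_set helpers are constructed for illustration.

```python
# Added illustration: a simplified model of the accumulation order described
# above. Not VGP code; GPO names, containers and settings are constructed.
from dataclasses import dataclass, field

LEVEL_RANK = {"site": 0, "domain": 1, "ou": 2}  # sites first, OUs last


@dataclass
class GpoLink:
    gpo: str            # GPO display name (constructed)
    level: str          # "site", "domain" or "ou"
    link_order: int     # Link Order shown in GPMC; 1 = highest precedence
    ou_depth: int = 0   # 0 for the top-level OU, larger for nested child OUs
    settings: dict = field(default_factory=dict)


def accumulation_order(links):
    """Return links in the order they are accumulated (earliest first)."""
    # Within one container, links are accumulated in reverse link order, so
    # Link Order 1 is accumulated last and wins under last-writer-wins.
    return sorted(
        links,
        key=lambda link: (LEVEL_RANK[link.level], link.ou_depth, -link.link_order),
    )


def resultant_set(links):
    """Resolve conflicts: map each setting to (value, winning GPO)."""
    rsop = {}
    for link in accumulation_order(links):
        for name, value in link.settings.items():
            rsop[name] = (value, link.gpo)  # later writer overwrites earlier
    return rsop


# Constructed sample: one site link, two domain links, parent and child OU links.
SAMPLE_LINKS = [
    GpoLink("Child-OU-Sudo", "ou", 1, ou_depth=1, settings={"sudo.wheel": "deny"}),
    GpoLink("Domain-Baseline", "domain", 1,
            settings={"ssh.PermitRootLogin": "no", "motd": "domain"}),
    GpoLink("Domain-Legacy", "domain", 2, settings={"ssh.PermitRootLogin": "yes"}),
    GpoLink("Site-Defaults", "site", 1, settings={"motd": "site", "sudo.wheel": "allow"}),
    GpoLink("Parent-OU-Servers", "ou", 1, ou_depth=0,
            settings={"sudo.wheel": "allow", "motd": "servers"}),
]

if __name__ == "__main__":
    for name, (value, gpo) in sorted(resultant_set(SAMPLE_LINKS).items()):
        print(f"{name} = {value}  (from {gpo})")
```

In the sample, the domain GPO with Link Order 2 is accumulated before the one with Link Order 1, so the Link Order 1 value for ssh.PermitRootLogin is the one that survives into the RSoP.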
For more information, open GPMC help and look up "precedence of GPO links" in the Index.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.