Posts

Showing posts from November, 2018

Group Policy Basics – Part 2: Understanding Which GPOs to Apply

How Does a Client Know Which GPOs to Apply?

There are two types of GPOs. There are GPOs that are configured locally on the client machine and are always processed, and there are GPOs linked within the Active Directory structure itself. While the client knows that it needs to process its local GPO, it's not as clear which GPOs in the directory structure apply to it. Within the directory, GPOs can be linked at the following levels: Site, Domain, and Organizational Unit. Where the client object is located determines which GPOs it applies. For example, consider the following scenario: Here we see that the workstation named Windows 7 is within the Workstations OU that is part of the W2K8Forest.com domain. Though we don't see it on this screenshot, the Windows 7 client also belongs to the Active Directory site known as 'Default-First-Site-Name'. Given this, which GPOs need to be considered by our client machine? We already know that any local s

Group Policy Basics – Part 3: How Clients Process GPOs

So now that we've investigated the structure of a GPO and looked at how clients know which GPOs to apply, it's time to look at how they apply them. For a client to know which GPOs are assigned to it, and in which order it should apply them, the client needs to check several things: whether its own Local GPO is configured with settings it should apply; which site it belongs to (for site-level policies); which domain it belongs to (for domain-level policies); and where in the OU structure it resides (for OU policies). As we said previously, the client identifies which GPOs are assigned to it from within Active Directory by looking at the gPLink attribute of the various containers where it belongs. From the gPLink attribute on each of its container objects, the client is able to assemble a list of the GPOs it will need to apply, including the order it should apply them (based on location of the GPO, filtering, and Enforcement/Blocking rules). The previous post in this series discusse