Marty said:
If I create a child domain, my understanding is that it inherites the GPO
from the parent/root domain, but the child domain has the ability to over
ride the default GPO with one of it's own, is that correct? If so, what do
I
need to do to make it so that the child domain can not over ride the
policy?
(Set it to ENFORCED in in the GPO manager?)
Marty
Each domain has it's own Default Domain Policy and does NOT inherit to child
domains. Inheritance is within the domain itself to all the OUs and can be
controlled by blocking inheritacnce or filtering per user
account/group/computer account. However, you can have a Site GPO which will
affect any domain in that site, but there are security settings, such as
password settings, etc, that do not work unless they are configured at the
Default Domain Policy.
Site GPOs are usually for stuff like installing AV software or something
more of a generic site wide policy that will affect EVERY machine in the
Site, and needs to be evaluated if that is the overall outcome you are
trying to achieve because a certain setting may unknowingly affect your DCs,
which you may not want to do.
--
Regards,
Ace
G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
