Simple Active Directory Question

GPO apply inheritence from 1)local computer, 2)site, 3)domain, 4)OU.

My question is what exactly is a site and OU, and where can you apply the GPO.

(1) local computer is just your computer and you apply GPO from LGPO.
(3) Domain is just your domain (e.g. example.com) and you apply it from GPO of the domain controller?

how about OU and site

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

eurotrash

You can apply a GPO at all those levels you mentioned: Local computer, Site, Domain, OU.

Microsoft wrote:

Active Directory site

A location on the network that contains Active Directory servers that communicate directly with each other. A site is defined as one or more well-connected IP subnets.

Organizational unit (OU)

An Active Directory container used within domains. OUs are logical containers into which users, groups, computers, and other OUs are placed. It can only contain objects from its parent domain. An OU is the smallest unit of scope to which a group policy or delegate authority can be applied.

1. Yes
3. Yes, but it isn't the GPO of the DC that you are applying, as they have a specific GPO that doesn't apply to the whole domain. But yes, the GPO when linked to the domain applies to the whole domain.

OU and site:
You can link a GPO to an OU, which means that everything in that OU and beneath will get the GPO's settings.
At site level, everything in a site will get the policies configured for that site.

Obviously there are many exceptions, but that's pretty much that.

blackzone

A site is just a bunch of domain grouped together through some sort of relation?

And what exactly is an OU?

eurotrash

I'd suggest you read some documentation on those subjects, if you really want to know. I already gave you MS's definitions of those objects.
A site is a subnet/group of subnets that are connected by high speed links. A site is physical, unlike a domain which is logical.
An OU does what its name says.

If you're studying for the 294, you should be reading a book for the explanations.
If you're not studying for it, use google and MS technet.

Webmaster

www.techexams.net/technotes/70210/adsintro.shtml

Are you preparing for the 70-294 exam?

blackzone

Not preparing for the exam.

Only thing I know is setting up 1 domain with 1 DC with service on it. Hope I can build on that.

The book I have is more like a reference book with barely any example.

Webmaster

Then you shouldn't have posted this in this forum, but in the off-topic forum instead, to which I will move it.

Danman32

If you open Active Directory Users and Computers, under your domain you'll find lots of folders much like you'd find in a harddrive under Windows Explorer. The folder called Domain Controllers is an Organizational Unit (OU). Folders that look like that are also OUs and can have a Group Policy Object (GPO) linked to them.
Now some of the folders are built-in folders, for example the Users folder and the Computer folder. These are not OUs and can't have GPOs linked to them. Don't ask me why MS did that for those folders, I would have made them OUs as well.

The domain object has a default GPO linked to it, as does the Domain Controllers OU.

If you are just playing, I wouldn't be concerned about sites right now. But FYI, sites are accessed by Sites and Services, and GPOs can be linked to site objects.

If Group Policy Management Console (GPMC) is not installed, you would manage and edit GPOs through the Group Policy tab of the properties of a domain object, an OU object or a site object. If GPMC is installed (or you have SBS 2003) the tab will redirect you to this utility through a button.

Conflicting policies are applied in the order you mentioned, so a local policy will be clobbered by a site policy, a site policy by a domain policy, a domain policy by an OU. OUs can be nested so policies on inner OUs will clobber parent OU policies.

Pamir1

blackzone wrote:

GPO apply inheritence from 1)local computer, 2)site, 3)domain, 4)OU.

My question is what exactly is a site and OU, and where can you apply the GPO.
(1) local computer is just your computer and you apply GPO from LGPO.
(3) Domain is just your domain (e.g. example.com) and you apply it from GPO of the domain controller?

how about OU and site