Override GPO with Another GPO – How to Manage Group Policies

active-directory, group-policy, organizational-unit

If there is a GPO which is applied to all Domain Computers which disables something, is there a way to re-enable the disabled thing for some hosts in the domain, without taking those hosts out of the default Domain Computers group?

In other words, can another GPO, which re-enables the feature that was disabled, be applied to a subset OU, whose member computers are still members of Domain Computers? If so, where exactly in the domain hierarchy should that OU be made, and how should the two GPOs be applied?

Best Answer

Yes, absolutely, this is the very foundation of Group Policy hierarchy. Group Policies are applied in the following order:

  1. Local Group Policy (Based on the client machine - this is not connected to your AD Group Policy)
  2. Site Level Policies
  3. Domain Level Policies
  4. OU Level Policies

Within each of the latter three, each 'level' can have multiple GPOs, and their order is decided by the system administrator. This is called the "link order", and the lowest number is processed last, which means that policy has the final say.

OU policies are applied starting at the "root", and then downwards, if that makes sense.

Here is some good reading on the subject:

http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

With regards as to what to actually do with the individual GPO, well that kind of depends on the policy itself, but generally, they have the following three options:

  • Enabled
  • Disabled
  • Not Configured

And all that happens is that the very last policy to execute will have the final 'say' on what the final setting will be, with the exception of 'Not Configured', where no changes are made. 'Not Configured' is the default for all options within Group Policy when you create a new GPO.

So, if your current policy has a setting that is "Enabled", you need to create a GPO with the same setting "Disabled".
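As an added example (not part of the original answer), the same procedure in PowerShell: a sub-OU beneath the OU the domain-wide GPO already covers, an overriding GPO linked there at link order 1, and a check of the resulting inheritance. The domain, OU, host names and registry key are assumed placeholders, not values from the question.

```powershell
# Added example, not from the original answer. Assumes RSAT with the
# ActiveDirectory and GroupPolicy modules, a domain contoso.local, a parent
# OU "Workstations" and hosts WS01/WS02 (all placeholders).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain    = 'DC=contoso,DC=local'
$ParentOU  = "OU=Workstations,$Domain"
$SubOUName = 'FeatureEnabled'
$SubOU     = "OU=$SubOUName,$ParentOU"
$GpoName   = 'Re-enable Feature'
$Hosts     = 'WS01', 'WS02'

# 1. Create the sub-OU below the existing OU. Moving a computer object here
#    does not change its group membership, so it stays in Domain Computers.
if (-not (Get-ADOrganizationalUnit -Identity $SubOU -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $SubOUName -Path $ParentOU
}
foreach ($h in $Hosts) {
    Get-ADComputer -Identity $h | Move-ADObject -TargetPath $SubOU
}

# 2. Create the overriding GPO and write the opposite value of the same
#    setting. The key and value name are placeholders: use the registry
#    value the original policy controls.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\PLACEHOLDER-Vendor\PLACEHOLDER-Feature' `
    -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null

# 3. Link it to the sub-OU at link order 1, so it is processed last at that
#    level and wins over the domain-level GPO inherited from above.
$existing = (Get-GPInheritance -Target $SubOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $SubOU -LinkEnabled Yes | Out-Null
}
Set-GPLink -Name $GpoName -Target $SubOU -Order 1 | Out-Null

# 4. Verify. The domain-level link must not be Enforced, otherwise the OU
#    GPO cannot override it; RSoP on a host shows which GPO won the setting.
(Get-GPInheritance -Target $SubOU).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
Get-GPResultantSetOfPolicy -Computer $Hosts[0] -ReportType Html `
    -Path "$env:TEMP\rsop-$($Hosts[0]).html"
```

Run `gpupdate /force` on a moved host (or wait for the refresh interval) before reading the RSoP report, since the new OU placement only takes effect at the next policy refresh.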