Deny group policy - will it revoke applied policies?

    Question

  • Hi,

    I have a few questions regarding GPO. Please help in answering them.

    1) We have a server on which nearly 20 GPOs are applied (both computer and user settings). If I move the server to a new OU (which does not have any GPO linked), will all the applied GPOs be rolled back?

    2) If I create a sub OU under the root OU (which has a GPO linked) and "block inheritance", will this deny the GPO getting applied from the root OU? And will this roll back the applied GPO settings?

    Thanks,

    Umesh.S.K

    Tuesday, July 14, 2015 2:46 PM

All replies

  • Hi

     1- New server applied GPOs from root, and user GPOs applied which user logon this new server.

     2- If you enable "block inheritance" any of GPO applied.

    Tuesday, July 14, 2015 2:55 PM
  • The easiest way to answer these questions is with the Group Policy Modeling Wizard. it allows you to try out these scenarios without actually moving the objects.

    https://technet.microsoft.com/en-us/library/cc780305(v=ws.10).aspx

    Second point - some GPO settings are "rolled back" when they don't apply. Some aren't. These can be grouped into policy based settings and preference based settings. Read through this article:

    http://deployhappiness.com/policy-or-preference/


    If my answer helped you, check out my blog: Deploy Happiness

    Tuesday, July 14, 2015 2:58 PM
  • hi,

    1) I agree with joseph_moody that some GPO settings are "rolled back" when they don't apply. Some aren't. When a Group Policy object (GPO) goes out of scope, the policy setting is removed, allowing the original configuration value to be used, while the preference value will remain in the registry.

       For more information, please refer to this article: http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx

    2) Yes, the sub OU will deny GPO settings from the root OU. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

       For more information, please refer to this article: https://technet.microsoft.com/en-us/library/cc731076.aspx


    Thursday, July 16, 2015 10:01 AM
  • Hi,

    Thanks for the reply. I've got a couple more questions. Sorry for flooding you with so many questions.

    1) Do GPO settings need to be refreshed frequently in order to stay "applied"?

    2) If the "Turn off group policy refresh in the background" setting is enabled, does this block GPO settings from getting applied? If yes, is it as good as denying the GPO?

    3) Is there a time limit after which "applied" GPO settings get rolled back?

    -Umesh.S.K

    Thursday, July 16, 2015 10:11 AM
  • Hi Umesh,

    By default, group policy will refresh at startup/shutdown, logon/logoff, and in the background at a 90-minute interval. After we configure GPO settings, to apply the settings immediately, we need to run the command gpupdate /force to forcefully update the settings. However, some settings like startup script, logon script, and folder redirection need a reboot or re-logon to get them applied. If we disable background refresh for group policy, group policy will stop updating automatically in the background.

    Best regards,
    Frank Shen



    Friday, July 24, 2015 3:08 AM
    Moderator
  • Hi Frank,

    > If we disable background refresh for group policy, group policy will stop updating automatically in the background.

    My question is, if this stops the update automatically in the background, will the GPO settings that are already applied get revoked? I mean, will those applied settings change to the original settings immediately?

    -Umesh.S.K

    Friday, July 24, 2015 8:28 AM
  • > My question is, if this stops the update automatically in the
    > background, will the GPO settings that are already applied get revoked? I
    > mean, will those applied settings change to the original settings immediately?
     
    No. This only means that new/changed settings only arrive at
    startup/logon, not in the background.
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, July 24, 2015 12:19 PM
  • Hi,

    Thanks all for the information you provided. However, I would like to summarize as below. Please let me know if this is correct.

    1) If GPO is "denied" by "block inheritance", some of the already applied GPO settings on a client machine will get revoked and some remain unchanged.

    2) If background refresh is turned off, new / changed settings will not get applied until client machine is restarted / users log off from the.

    -Umesh.S.K

    Thursday, July 30, 2015 8:21 AM
  • > 1) If GPO is "denied" by "block inheritance", some of the already
    > applied GPO settings on a client machine will get revoked and some
    > remain unchanged.
     
    Yes. Tattooed settings will remain, whereas "fully managed" settings will
    vanish.
     
    > 2) If background refresh is turned off, new / changed settings will not
    > get applied until client machine is restarted / users log off from the.
     
    Yes.
     

    Greetings/Grüße, Martin

    Monday, August 03, 2015 2:18 PM
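
The check discussed in this thread, as an added example that is not part of any post above: before moving the server or blocking inheritance, list which GPO links would go out of scope at the destination OU and export a report of each, so the policy settings (removed) and preference settings (left in place) they carry can be reviewed. It uses the GroupPolicy module from RSAT; the OU distinguished names are constructed placeholders.

```powershell
# Added example. The two OU distinguished names are constructed placeholders.
Import-Module GroupPolicy

function Get-EffectiveGpoLink {
    param([Parameter(Mandatory)][string]$OuDn)
    # InheritedGpoLinks is the resolved list for this container: it already
    # accounts for Block Inheritance, and still contains Enforced links,
    # which Block Inheritance does not stop.
    $inh = Get-GPInheritance -Target $OuDn
    foreach ($link in $inh.InheritedGpoLinks) {
        if ($link.Enabled) {
            [pscustomobject]@{
                Ou        = $OuDn
                OuBlocked = $inh.GpoInheritanceBlocked
                Gpo       = $link.DisplayName
                GpoId     = $link.GpoId
                Enforced  = $link.Enforced
                LinkedAt  = $link.Target
            }
        }
    }
}

$currentOu = 'OU=Servers,DC=example,DC=com'               # where the server is now
$plannedOu = 'OU=Isolated,OU=Servers,DC=example,DC=com'   # where it would go

$current = @(Get-EffectiveGpoLink -OuDn $currentOu)
$planned = @(Get-EffectiveGpoLink -OuDn $plannedOu)

# GPOs that reach the server today but would go out of scope after the move.
$leaving = @($current | Where-Object { $_.GpoId -notin $planned.GpoId })
$leaving | Format-Table Gpo, Enforced, LinkedAt -AutoSize

# Export each leaving GPO so its settings can be sorted into policies
# (removed when the GPO goes out of scope) and preferences (left behind).
foreach ($g in $leaving) {
    $path = Join-Path $env:TEMP "$($g.GpoId).html"
    Get-GPOReport -Guid $g.GpoId -ReportType Html -Path $path
}

# After the real move, run on the server from an elevated prompt:
# refresh policy, then record what was actually applied.
gpupdate /force
gpresult /scope computer /h "$env:TEMP\rsop-after-move.html" /f
```

This compares links only; security filtering and WMI filters can still exclude a GPO that is linked, which is what the Group Policy Modeling Wizard mentioned above evaluates.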