Group policy conflicts in Active Directory at IU

In the Indiana University Active Directory, group policy can be inherited, so it is possible to create multiple group policies with conflicting settings. You need to understand this before attempting to resolve or troubleshoot group policy conflicts.

The highest parent container possible is the site. This is followed by the domain, and then each organizational unit (OU) inside of the domain. Each of these OUs can have sub-OUs, an OU inside of an OU. All of these objects have a parent and child relationship. The parent is the place where the object was created, and can be a site, domain, OU, or sub-OU. The child is the object that was created inside of the parent and can be a domain, OU, or sub-OU. Group policy settings are applied as follows:

• If the parent container has a setting configured, and the child container is not configured, the parent container group policy setting applies.
• If the parent container and child container both have a setting configured, and they are compatible, both parent and child container group policy settings apply.
• If the parent container and the child container both have a setting configured, but they are not compatible, the child container setting applies.

You can modify this default behavior by using the No Override or Block Inheritance options, but UITS discourages the use of these options because of the level of complexity they introduce.