What is LSDOU

Hello All,

Hope this post finds you in good health and spirit.

LSDOU is the Group Policy inheritance model, in which policies are applied to the local machine, Sites, Domains and Organizational Units.

Group Policy affects all machines and users in an Active Directory container by default and is inherited and cumulative.

The following order is used in processing GPOs:

  •  The local GPO is applied.
  •  GPOs linked to sites are applied.
  •  GPOs linked to domains are applied.
  •  GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units.

Note: The order in which GPOs are processed is important because each time a policy is applied, it replaces any previous application of that policy.

A user’s (or computer’s) group policy objects (GPOs) do not all have the same precedence. Later-applied settings may overrule previously-applied settings.

The policies are applied in this order: Local machine, Sites, Domains and Organizational Units (LSDOU).
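The LSDOU order described above, as an added example that is not part of the original post: a small Python model that builds the processing order for one computer and records which GPO supplied each effective setting and which earlier values it replaced. Apart from CL-C-BaselineConfig-FA, the GPO names, setting names, site name and DNs are constructed; the model assumes one GPO per container and ignores Block Inheritance, No Override and filtering.

```python
import re

# Constructed sample data: each GPO name maps to the settings it configures.
GPOS = {
    "Local": {"ScreenLockTimeout": 1800, "RemovableStorage": "allow"},
    "ST-C-SiteConfig": {"ProxyServer": "proxy.hq.example"},
    "CL-C-DomainBaseline": {"ScreenLockTimeout": 900, "RemovableStorage": "deny"},
    "CL-C-BaselineConfig-FA": {"ScreenLockTimeout": 600},
    "CL-C-KioskConfig-FA": {"RemovableStorage": "allow"},
}
# Constructed links: site or container -> GPOs linked there.
LINKS = {
    "site:HQ": ["ST-C-SiteConfig"],
    "DC=corp,DC=example": ["CL-C-DomainBaseline"],
    "OU=Clients,DC=corp,DC=example": ["CL-C-BaselineConfig-FA"],
    "OU=Kiosks,OU=Clients,DC=corp,DC=example": ["CL-C-KioskConfig-FA"],
}
PC = "CN=PC01,OU=Kiosks,OU=Clients,DC=corp,DC=example"

def container_chain(dn):
    """Domain DN first, then every OU above the object, parent before child."""
    parts = re.split(r"(?<!\\),", dn)[1:]  # drop the object's own RDN
    ous = [",".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)
           if parts[i].upper().startswith("OU=")]
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    return [domain] + ous

def resolve(dn, site, links=LINKS, gpos=GPOS):
    """Apply GPOs in LSDOU order. Returns (order, effective) where effective
    maps setting -> (value, winning GPO, GPOs whose value was replaced)."""
    order = ["Local"] + links.get(site, [])
    for container in container_chain(dn):
        order += links.get(container, [])
    effective = {}
    for name in order:
        for setting, value in gpos[name].items():
            _, prev, replaced = effective.get(setting, (None, None, []))
            effective[setting] = (value, name, replaced + ([prev] if prev else []))
    return order, effective

if __name__ == "__main__":
    order, effective = resolve(PC, "site:HQ")
    print(" -> ".join(order))
    for setting, (value, winner, replaced) in sorted(effective.items()):
        print(f"{setting}={value!r} from {winner}; replaced: {replaced or 'none'}")
```

In the sample data the child OU's GPO re-allows removable storage that the domain-level GPO denied, which is the kind of override worth reviewing when a baseline setting does not take effect.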

Group Policy design considerations

The following should be considered for designing group policies.

  • Do not modify the default domain and domain controller policies: use the default policies for password-related policy only. For baseline settings, use another Group Policy and link it to the domain and the domain controller OU.

  • Implement straightforward policies for easy troubleshooting: minimize Block Inheritance, No Override and filtering, so that it is easier to find the source of a specific setting.

  • Use a GPO naming convention: do not give a Group Policy an arbitrary name; the name should be based on the Group Policy setting and scope. For example, if you are creating a Group Policy for client machines and applying it to specific computers, follow the GPO naming convention below. This is one example of a naming convention for client-related GPOs.

<CL><C><Baseline><FA>

Example – CL-C-BaselineConfig-FA

CL– Client machines

U– User Settings

C– Computer settings

FA/FD/WMI– Filter apply and denied

ST– Site

SVR– Server

DC– Domain Controller

  • GPO setting name: give a name that indicates the GPO configuration. If the GPO is related to the computer baseline, use BaselineConfig in the GPO name.

  • FA/FD/WMI: Filter apply or Filter denied. If you are going to apply the GPO to specific computers or users, use FA at the end of the Group Policy name. It indicates that the GPO is filter-applied, meaning it applies only to a set of users instead of all.

  • Minimize linking: there is a chance of deleting the original GPO without seeing who else is using it. Minimize linking for simplicity.

  • Disable the unused part of a Group Policy object: a Group Policy has two components, Computer and User configuration. If one component contains only settings that are Not configured, avoid processing those settings by disabling the unused configuration.

  • Minimize the number of GPOs applied to a user or computer: it is better to include many settings in a single GPO than to create multiple GPOs. Microsoft suggests that one GPO with 100 settings will process faster than 100 GPOs each with one setting.

  • Avoid linking GPOs between domains: linking a GPO across domains affects policy processing and results in slower user logons.

  • Minimize filtering: to keep your environment simple, try to minimize filtering.

Note: If a container has several GPOs, whichever GPO is on top is applied first. You can move GPOs up and down if you want.

Note: If there is a conflict between two GPOs of the same container, the last applied GPO is effective, i.e., the bottom one takes effect.

So, that’s all in this blog. I will meet you soon with the next stuff. Have a nice day!!!

Vipan Kumar

He is an Active Directory Engineer who has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on the subject matter, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page as well as the website for the latest articles: https://www.facebook.com/windowstechno