Applying policies in nested organizational units

In many production environments, user accounts are defined in a parent organizational unit (OU) and computers are placed in a child OU. If a Group Policy Object (GPO) is linked to the child OU to carry computer policies, but the user accounts live in the parent OU, the User Configuration settings in that GPO are not applied to those users when they log on to computers in the child OU. Group Policy is applied based on where the user account is located, so the User Configuration settings linked to the child OU apply only to user accounts that are themselves in that child OU.

There are two ways to apply different user configuration policies at lower levels in the organizational unit tree:

  • Set the User Configuration policies at the parent level and then configure the child organizational unit to inherit the group policies from the parent.
  • Enable the User Group Policy loopback processing mode group policy in the Group Policy Object linked to the child organizational unit to implement different user configuration policies at each level.

The User Group Policy loopback processing mode policy is located under Computer Configuration, Policies, Administrative Templates, System, Group Policy. When it is enabled, the User Configuration settings of the GPOs that apply to the computer (the GPO linked to the child OU) are applied to every user who logs on to that computer, regardless of which OU the user account is in.

To enable the loopback policy

  1. Open Administrative Tools, Group Policy Management (gpmc.msc).
  2. Select the Group Policy Object linked to the child organizational unit, right-click, then select Edit.
  3. Expand Computer Configuration, Policies, Administrative Templates, System, then select Group Policy.
  4. Double-click User Group Policy loopback processing mode, then select Enabled.

    For Mode, select Replace if the child OU's GPO defines a complete new set of user policies (the user's own User Configuration settings are discarded), or Merge if you are only modifying a subset of policies (the user's own settings are applied first, and the computer's User Configuration settings are applied afterwards, so they win on conflict).
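The same change as the procedure above, as an added PowerShell example that is not part of the original page. It assumes the GroupPolicy module (from RSAT) is installed on the management host and that the GPO name 'Child-OU-Computers' is a placeholder for the GPO linked to your child OU.

```powershell
# Added example (not from the original page): enable loopback processing on an existing
# GPO with the GroupPolicy module, then read the value back to confirm it was written.
Import-Module GroupPolicy

# The Administrative Template setting is stored as a computer-side policy registry value.
# UserPolicyMode: 1 = Merge, 2 = Replace.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

function Enable-LoopbackProcessing {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [ValidateSet('Merge', 'Replace')] [string] $Mode = 'Merge'
    )
    $expected = if ($Mode -eq 'Replace') { 2 } else { 1 }

    # Writes the value into the GPO's registry.pol; GPMC will show the setting as Enabled.
    Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value $expected | Out-Null

    # Read it back so a mistyped GPO name or a permissions failure surfaces immediately.
    $actual = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
        -ValueName 'UserPolicyMode' -ErrorAction Stop
    if ($actual.Value -ne $expected) {
        throw "UserPolicyMode on '$GpoName' is $($actual.Value), expected $expected"
    }
    [pscustomobject]@{ Gpo = $GpoName; Mode = $Mode; UserPolicyMode = $actual.Value }
}

# 'Child-OU-Computers' is a placeholder for the GPO linked to the child OU.
Enable-LoopbackProcessing -GpoName 'Child-OU-Computers' -Mode 'Replace'

# To verify on a computer in the child OU after 'gpupdate /force', run
#   gpresult /r /scope:user
# as a user from the parent OU: the child-OU GPO should now appear under Applied GPOs.
```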