1.1.8 Group Policy SOM

The collection of GPOs that apply to a set of policy targets is considered the scope of management (SOM). SOM tells the core Group Policy engine which site-, domain-, or OU-level GPOs apply to a policy target. During policy application, the core Group Policy engine searches for GPOs in the Group Policy Objects container (section 1.1.9) in Active Directory and then determines the SOM by determining which site, domain, and OU containers the GPOs are linked to, along with the order of precedence in which they apply to the policy target.

SOM is not an object itself but rather a construct that describes how Group Policy is applied to policy targets from Active Directory hierarchical levels by using GPOs. SOM associates GPOs with policy targets that exist within a site, domain, or OU container object, in accordance with the GPOs that are linked to such objects. This association is established, in order of GPO precedence, within a list of GPO DNs that is contained in the gpLink attribute of the site, domain, or OU container object. For example, there might be GPOs at the domain and OU level that apply to a particular set of policy targets, and the order of precedence might be that the OU-level GPO overrides a GPO at the domain level for the policy settings on which the two GPOs conflict. The GPO applicability and precedence configuration is resolved through various filtering evaluations that result in a final computed list of GPOs whose settings are applied to one or more policy targets.

All SOM containers have to maintain the following attributes:

SOM DN: The DN of the SOM container, such as a domain container.

gpLink: A directory string value for the gpLink attribute of the SOM container.

gpOptions: An integer value that is used to set the Group Policy inheritance configuration among hierarchical SOM containers. For more information, see [MS-GPOL] section 2.2.2.

SOM object type: Specifies the type of Active Directory container that the SOM represents; one of the following values is assigned to this attribute:

GPLinkOrganizationalUnit: The SOM container object represents an OU.

GPLinkDomain: The SOM container object represents a domain.

GPLinkSite: The SOM container object represents a site.

An Active Directory container comes into scope of management when one or more GPOs are linked to it.
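As an added example (not part of this specification), the following Python computes the GPO application order a policy target ends up with from the gpLink and gpOptions values of its SOM chain, using the link option bits (disabled, enforced) and the Block Inheritance bit that [MS-GPOL] section 2.2.2 defines for those attributes. The SOM chain, GPO names and DNs are constructed for the example.

```python
import re
from dataclasses import dataclass

# gpLink option bits and the gpOptions bit, per [MS-GPOL] section 2.2.2
LINK_DISABLED = 0x1       # link is ignored
LINK_ENFORCED = 0x2       # link cannot be blocked and outranks lower SOMs
BLOCK_INHERITANCE = 0x1   # gpOptions: drop non-enforced links from parent SOMs

# gpLink is a concatenation of "[LDAP://<GPO DN>;<options>]" entries
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

@dataclass
class SOM:
    dn: str
    gplink: str        # highest-precedence link (link order 1) is listed first
    gpoptions: int = 0

def parse_gplink(gplink: str) -> list[tuple[str, int]]:
    """Return (GPO DN, option flags) pairs in the order stored in gpLink."""
    return [(dn, int(opts)) for dn, opts in _LINK_RE.findall(gplink)]

def effective_gpos(chain: list[SOM]) -> list[str]:
    """chain runs from the outermost SOM (site or domain) to the target's own OU.
    Returns GPO DNs in application order; the last entry has the highest precedence."""
    # The blocking SOM closest to the target discards non-enforced links of every SOM above it.
    block_at = max((i for i, s in enumerate(chain) if s.gpoptions & BLOCK_INHERITANCE), default=-1)
    normal: list[str] = []
    enforced: list[tuple[int, str]] = []
    for i, som in enumerate(chain):
        # Within a SOM, link order 1 is applied last, so walk the string backwards.
        for dn, opts in reversed(parse_gplink(som.gplink)):
            if opts & LINK_DISABLED:
                continue
            if opts & LINK_ENFORCED:
                enforced.append((i, dn))
            elif i >= block_at:
                normal.append(dn)
    # Enforced links apply after everything else, innermost SOM first, so the outermost
    # SOM's enforced link wins; sort() is stable, so link order within a SOM is kept.
    enforced.sort(key=lambda item: -item[0])
    return normal + [dn for _, dn in enforced]

# Constructed sample: the GUID-style names are placeholders, not real GPO identifiers.
POLICIES = "CN=Policies,CN=System,DC=example,DC=test"
GPO_DEFAULT, GPO_BASELINE = f"CN={{GPO-DEFAULT-DOMAIN}},{POLICIES}", f"CN={{GPO-BASELINE}},{POLICIES}"
GPO_SERVERS, GPO_LEGACY = f"CN={{GPO-SERVERS}},{POLICIES}", f"CN={{GPO-LEGACY}},{POLICIES}"
SAMPLE_CHAIN = [
    SOM("DC=example,DC=test", f"[LDAP://{GPO_DEFAULT};0][LDAP://{GPO_BASELINE};2]"),
    SOM("OU=Servers,DC=example,DC=test",
        f"[LDAP://{GPO_SERVERS};0][LDAP://{GPO_LEGACY};1]", gpoptions=BLOCK_INHERITANCE),
]
```

Running `effective_gpos(SAMPLE_CHAIN)` shows that Block Inheritance on the OU drops the default domain GPO, while the enforced baseline GPO still applies and takes precedence over the OU's own GPO.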