I have some group policies for a several groups that are in conflict with the group policies for most users and computers above them in the OU structure.
So, I created a new group policy in a sub OU with the new settings. My understanding is that the group policy that is applied closest to the user or computer account in the OU structure is the one that is supposed to have its settings applied. However, this is not happening.
The only way I can force the new GPO's policies to apply successfully is to configure deny read and deny apply group policy settings for these users and computers to the GPO I don't want to use.
Is there a better way to ensure that a GPO's settings for one GPO will be applied in a sub OU without having to use deny permissions for the unwanted GPOs above?