How flags work
The policy that is applied to a client computer is usually the result of multiple policies being merged into one final policy. When merging policies, you can adjust the expected behavior of the final policy, due to the order of applied policies, by using policy flags. Flags define how the policy will handle a specific setting.
For each setting, you can select one of the following flags:
Not apply |
Any setting with this flag is not set by the policy. Since the setting is not set by the policy, it can be changed by other policies applied later. |
Apply |
Settings with the Apply flag will be applied to the client computer. However, when merging policies, it can be overwritten by other policies applied later. When a policy is sent to a client computer containing settings marked with this flag, those settings will change the local configuration of the client computer. Since the setting is not forced, it can still be changed by other policies applied later. |
Force |
Settings with the Force flag have priority and cannot be overwritten by any policy applied later (even if it also has a Force flag). This assures that other policies applied later will not be able to change this setting during merging. When a policy is sent to a client computer containing settings marked with this flag, those settings will change the local configuration of the client computer. |
Scenario: The Administrator wants to allow user John to create or edit policies in his home group and see all policies created by the Administrator including Policies that have Force flags. The Administrator wants John to be able to see all policies, but not edit existing policies created by Administrator. John can only create or edit policies within his Home Group, San Diego. Solution: Administrator has to follow these steps: Create custom static groups and permission sets
Create policies
Result The Policies created by Administrator will be applied first since Force flags were applied to the policy settings. Settings with the Force flag applied have priority and cannot be overwritten by another policy applied later. The policies that are created by user John will be applied after the policies created by the Administrator. To see the final policy order, navigate to More > Groups > San Diego. Select the computer and select Show details. In the Configuration section, click Applied policies. |