
Active Directory + OUs.

dqnet asked
Last Modified: 2012-06-21
Ok guys, this may be a simplistic one but it's bugging me.

Basically, I have a domain policy and I am aware that any changes that apply to this domain policy will apply to all usernames.
So a password policy would reside here.

However, I need to apply policy rules to ALL users but NOT server logins.
Applying any settings at the domain level will affect server logins too.

So, I thought of this and just wondering if it would work.
Firstly, each department has an OU. (Marketing, Finance, Developers, etc.. etc...)
Could I put all the company users in an OU called, <COMPANY NAME USERS> for example... and keep the servers out of this OU.
If for example I want to apply a setting to ALL users but NOT servers, all I have to do is apply the setting to the <COMPANY NAME USERS> OU.

It's just I have so many OUs. Each OU has its personal settings and some personal settings need to go across the board.
The server logins need to be suppressed from any USER change. I don't want to affect these logins at all.

A fine example would be:
Finance needs to access the CD-ROM. (This would be in the Finance OU)
Support doesn't need to access the CD-ROM. (This would reside in the Support OU)
However both groups need to have personalised menus. (This would be the newly created <COMPANY NAME USERS> OU which contains them both.)

Thanks guys!


would work :)

domain root - server OU
                  - user OU  -usergroup1

and many more groups under user OU (which you're calling company name users).



Hahaha :) excellent.

BUT... Here is the catch... :(

When I come to move these OUs into a new single OU, I get this error:
"Moving objects in Active Directory can prevent your existing system from working the way it was designed. For example, moving an organizational unit (OU) can affect the way that group policies are applied to the accounts within the OU. Are you sure you want to move this object?"

Standard YES, NO answer.

That's when I use drag and drop.
If I right click on an OU and click All Tasks --> Move, it doesn't say anything and moves it.

What you think? Safe or dodgy? One errors, one doesn’t.

Odd it doesn't give the same error on the 2nd way, since it's exactly the same :O

It's not an error though... just a warning, saying you're changing the way group policies apply to the containers, which is true, because you're moving them, but the change is one you want :) so, no problems.


So updating the default domain policy will still propagate through the OUs into the other OUs.

For example...

Default domain policy --> Users OU (I've named it that) --> Support
                                                         --> Finance
                                                         --> Marketing

Like I can still make entire company changes through the default domain policy to affect servers and user logins and EACH individual OU in the users login OU???

yes :D

unless you specifically set an OU to not inherit from its parents (default is what you said).


Ahh... As far as I am aware you cannot set ANY OU to not inherit from the default domain policy.
ALL OUs must inherit from the default domain.

I asked that in one of my previous posts... unless I've misunderstood here?? :/


Default domain policy --> Users OU (I've named it that) --> Support (MUST INHERIT everything from DEFAULT DOMAIN POLICY)
                                                         --> Finance (MUST INHERIT everything from DEFAULT DOMAIN POLICY)
                                                         --> Marketing (MUST INHERIT everything from DEFAULT DOMAIN POLICY)

                      --> Servers OU (MUST INHERIT everything from DEFAULT DOMAIN POLICY)

Something about no way to stop inheritance at that level, but there is a way to stop it at OU level? So OU to OU is ok, but not domain to OU???

Support inherits from the Users OU and the default domain policy, same with all the others.

Far as I know, even the default domain policy can be blocked by turning off policy inheritance, but this I have never needed/tried, so not 100% sure. It's not something you seem to need though :) (far as I could read from your first post).


True, don't really need it... but... I'm gonna post another question to find out. After all, I could have kept all OUs in the root and blocked inheritance on the server OU...

What you think?

If you did, you couldn't do company wide policies :) You can only say inherit: yes or no, not which specific policy.


Not quite sure I understand.. could you explain?
(Excuse the ignorance).

Points raised to 200.

Well, what you're doing now is creating a container to hold all your other containers (subcontainers, company user groups).

On this container, you can apply a group policy. This policy would then apply to all subcontainers. Therefore, you don't need to use the default domain policy to apply a policy to all divisions in your company. On an OU you can choose if it inherits the policies above it, or doesn't. If it inherits, it merges any policies that already apply to it with those from its parent.

Say, your grandfather says you can eat apples, but can't eat pears.
Then your father says you can eat pears.

Result: you can eat both. You, and your brothers and sisters are the company divisions. Your father is the OU you made for them, and the grandfather is the default domain policy.

Hope this clarifies :S

Oh, and for stopping inheritance: if you say block inheritance on the policy that applies to you, then what your father and grandfather say doesn't matter anymore, because you block their policies :)



I know for sure now, you CAN block policy inheritance on OUs even when they are assigned at domain level providing they are NOT part of the default domain policy. I have yet to try and see if you can block inheritance if modifying the default domain policy.
Now I have two choices: applying company wide policies using anything but the default (creating one at domain level) and blocking them at the servers OU.
Or, like I've already done, by creating a container and putting all the OUs in it, then applying policies based on specific containers, avoiding using the new domain policy. I will only use the domain policy for serious company wide changes that need to affect ALL machines including server logins.
I am certainly going to look at security group filtering to see how that may work.

Is the way I approached it correct / best practice?
1. Container with sub containers (OUs) for users/departments.
2. Server logins in a separate OU in the root.
and a password policy set in the root domain but NOT under the default domain policy. (keeping that untouched and unused - also you can block inheritance on these)

Yes, perfectly done :) exactly as I made it at my company (250 workplaces).

And as described above, you can use security groups, put them in specific containers, and apply policies to those. This way you can do 2 policies on 1 user. I'd recommend experimenting a bit first :P
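The structure agreed on above (a container OU holding the department OUs, a separate Servers OU in the root, company-wide settings in a GPO other than the Default Domain Policy, inheritance blocked on the Servers OU), as an added PowerShell example that is not from anyone in this thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the OU names, GPO names and a pre-existing "Developers" OU are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes RSAT modules and the rights to
# create OUs and GPOs; OU/GPO names below are illustrative placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

# 1. One container OU with a sub-OU per department; 2. servers in their own root OU.
New-ADOrganizationalUnit -Name 'Company Users' -Path $domainDN
$usersOU = "OU=Company Users,$domainDN"
foreach ($dept in 'Support', 'Finance', 'Marketing') {
    New-ADOrganizationalUnit -Name $dept -Path $usersOU
}
New-ADOrganizationalUnit -Name 'Servers' -Path $domainDN
$serversOU = "OU=Servers,$domainDN"

# Moving an existing department OU under the container is the step that triggers
# the GUI warning in the thread: the OU's effective GPO set changes. New OUs are
# protected from accidental deletion/move by default, so clear that first.
Set-ADOrganizationalUnit -Identity "OU=Developers,$domainDN" -ProtectedFromAccidentalDeletion $false
Move-ADObject -Identity "OU=Developers,$domainDN" -TargetPath $usersOU

# Company-wide settings go in a separate GPO linked at the domain root, leaving the
# Default Domain Policy untouched. Caveat: account/password settings for domain
# accounts are read by the DCs from domain-root GPOs; blocking inheritance on an OU
# does not exempt the accounts in it from that password policy.
New-GPO -Name 'Company-Wide Settings' | New-GPLink -Target $domainDN -LinkEnabled Yes
# Settings shared by every user OU but not by servers: link to the parent container.
New-GPO -Name 'Users - Personalised Menus' | New-GPLink -Target $usersOU -LinkEnabled Yes
# Department-only settings: link to that department's OU alone.
New-GPO -Name 'Finance - Allow CD-ROM' | New-GPLink -Target "OU=Finance,$usersOU" -LinkEnabled Yes

# Block Inheritance on the Servers OU. It is all-or-nothing: every non-enforced
# link from above (the Default Domain Policy link included) stops here, while a
# link created with -Enforced Yes still applies through the block.
Set-GPInheritance -Target $serversOU -IsBlocked Yes

# Verify what actually reaches Finance: its own link plus the links inherited from
# the container and the domain root, in precedence order.
(Get-GPInheritance -Target "OU=Finance,$usersOU").InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enforced

# And confirm the Servers OU sees only links made directly on it.
Get-GPInheritance -Target $serversOU | Select-Object Path, GpoInheritanceBlocked
```

Run it once in a lab domain before production, since Block Inheritance also cuts off any domain-root GPO you later expect servers to receive unless that link is enforced.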


Star Man!!! :)
Points assigned as best I thought!

Thanks folks!! Much appreciated.
