Solved

Inheritance at Domain level. (blocking).

Posted on 2006-06-19
11
675 Views
Last Modified: 2008-03-03
Hi Guys,

OK, in regards to question: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21887340.html

Now I know you can't BLOCK a password policy when it is set at domain level, BUT the question I now face is what about other things.
Can I set a domain-level policy, for example to stop access to the CD-ROM, BUT block it at the server login OU by selecting Block Policy Inheritance?

Correct me if I'm wrong, but from the above post it seems that ANY changes made to the Default Domain Policy at domain level cannot be blocked in any OU below... Is this correct, or does this apply to password policies only?
Question by:dqnet
11 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 65 total points
ID: 16934060
heya mate

Your Default Domain Policy should not be touched at all, passwords or other settings; this should be left as is.

As far as I know, you can't block policy inheritance of the Default Domain Policy.

However, any policy on the root of the domain that ISN'T the default can be blocked using Block Inheritance.

For example, I have a policy on the root of a domain that maps a certain drive. I can block it if needed; I can also use security filtering to deny certain users applying the policy within an OU where other users reside that I DO want the policy to apply to.
0
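The procedure Jay_Jay70 describes above (a custom GPO linked at the domain root, then Block Inheritance on the OU), as an added PowerShell example that is not part of the original thread. It uses the GroupPolicy and ActiveDirectory modules (RSAT / Windows Server 2008 R2 and later, so newer than the 2003-era thread); the OU and GPO names are assumptions for illustration. One caveat the thread does not mention: a root link marked Enforced (No Override) still applies to an OU that blocks inheritance, which is exactly why the verification step lists the inherited links rather than trusting the checkbox.

```powershell
# Added example (not from the original thread). Requires RSAT: GroupPolicy and
# ActiveDirectory modules. OU name, GPO name and sample accounts are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=example,DC=com
$serverOu = "OU=Server Logins,$domainDn"            # assumed OU holding the server users
$gpoName  = 'Main Policy'                           # assumed name, as in the thread

# 1. Leave the Default Domain Policy alone: put the company-wide settings in a
#    separate GPO and link it at the domain root.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName |
        New-GPLink -Target $domainDn -LinkEnabled Yes | Out-Null
}

# 2. Block inheritance on the OU whose users must not receive root-linked GPOs.
Set-GPInheritance -Target $serverOu -IsBlocked Yes | Out-Null

# 3. Verify. With inheritance blocked, InheritedGpoLinks lists only links that
#    still reach the OU, i.e. links on the OU itself plus any Enforced links
#    from above. An Enforced root link is NOT stopped by Block Inheritance.
$inh = Get-GPInheritance -Target $serverOu
"Inheritance blocked on ${serverOu}: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Enabled, Order |
    Format-Table -AutoSize

# 4. Conversely, if a root GPO must win everywhere regardless of blocking,
#    enforce its link instead of relying on the default link:
#    Set-GPLink -Name $gpoName -Target $domainDn -Enforced Yes
```

Run it as a domain admin on a machine with RSAT; the table in step 3 should not show `Main Policy` once the block is in place, and a quick `gpupdate /force` followed by `gpresult /r` on a server-OU logon confirms the same from the client side.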
 

Author Comment

by:dqnet
ID: 16934100
Hey Jay Jay!
How ya doing pal?

OK, so what I gather from your post is this...
You CAN block at domain root ONLY if the settings are NOT in the "Default Domain Policy".
So if I create a NEW policy called TEST and set this to map certain drives upon any login, I CAN block it at the servers' login OU??


And the second question is simply, did I make a mistake by setting a password policy on the "Default Domain Policy"?
Just got a bit shaken when you said don't touch your Default Domain Policy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16934123
heya brother :)

1) Yes, that is my understanding and that's what I do as good practice. Setting a policy at the domain root is the same as setting it at an OU; the same rules apply :)

2) :) It's OK, you haven't broken anything, but you SHOULD have your password policy as one separate policy on the root. Ideally, you always want your default policy to be clean and untouched :)

Make a bit more sense??

I had never actually tried to block the default policy, so reading up has been a lesson as well; I always assumed you could block anything!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16934135
Bed time in Aus; I'll help you with anything else tomorrow :)
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 60 total points
ID: 16934143
You can use security group filtering as well instead of blocking (blocking is usually only good for creating confusion about which policies apply where).
Create security groups according to your GPOs, remove the default "Authenticated Users" from the GPO's Read and Apply permissions, and give those permissions to the security group instead. Make the accounts that should pull the GPO members of the group. That way, you're pretty safe from surprises, and a simple look at the group membership will reveal which policies apply.
0
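oBdA's security-filtering approach above, as an added PowerShell example that is not part of the original thread. It uses the GroupPolicy and ActiveDirectory modules (RSAT); the GPO name, group name and member accounts are assumptions. One caveat that postdates the thread: since MS16-072 (June 2016) user GPOs are retrieved in the computer's security context, so removing Read from Authenticated Users entirely breaks processing. The example therefore keeps Authenticated Users at Read only (Read without Apply does not apply the GPO) and moves Apply to the dedicated group, which is the filtering oBdA describes without the surprise.

```powershell
# Added example (not from the original thread). Requires RSAT: GroupPolicy and
# ActiveDirectory modules. GPO name, group name and members are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Main Policy'                  # assumed, as used in the thread
$groupName = 'GPO-MainPolicy-Apply'         # assumed: one filtering group per GPO
$members   = @('alice', 'bob')              # assumed sample accounts that should get the GPO
$usersOu   = (Get-ADDomain).UsersContainer  # where the group is created

# 1. Create the filtering group (global security group) and populate it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Path $usersOu -Description "Accounts that receive GPO '$gpoName'"
}
Add-ADGroupMember -Identity $groupName -Members $members

# 2. Grant the group Read + Apply on the GPO.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 3. Downgrade Authenticated Users from Apply to Read only. -Replace is required,
#    otherwise Set-GPPermission will not lower an existing, higher permission.
#    Read stays so that computer accounts can still retrieve the GPO (MS16-072).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 4. Audit: who can Apply this GPO, and who is in the filtering group.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, TrusteeType, Permission |
    Format-Table -AutoSize

Get-ADGroupMember -Identity $groupName |
    Select-Object Name, SamAccountName, objectClass
```

The audit in step 4 is the "simple look at the group membership" oBdA refers to: only trustees with `GpoApply` receive the policy, and for this GPO that should be just the filtering group. Because the GPO stays linked at the domain root with no Block Inheritance anywhere, `Get-GPInheritance` on any OU still reports it as inherited, so group membership, not the OU tree, is the thing to check when troubleshooting.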
 

Author Comment

by:dqnet
ID: 16934485
Hey Jay Jay!

Goodnight mate!

Just to let you know, bro, I tried it!

I created a 'Main Policy' in the root of the domain and transferred all the password requirements to the new one to keep the Default Domain Policy untouched.
AND, I checked the box 'Block Policy Inheritance' on the server logins OU and made changes to the company-wide policy named 'Main Policy', and it DIDN'T affect the server users' login. GREAT NEWS!

So, you can make changes to the domain ONLY after creating a new policy, and you can BLOCK it at any OU level.
I haven't tried Block Inheritance with a Default Domain Policy change, but that's not a problem.

Excellent news!!!
Thanks for all your help as usual! You're a star, man!
0
 

Author Comment

by:dqnet
ID: 16934522
Ahh!!! I see, I'll give that a shot and give ya a shout, oBdA.
Thanks for that, excellent!

Is there a way I can assign you points after I've already accepted an answer?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16938188
good news bro :)

That security filtering is the same as what I was saying above. You can split points if you like; you just have to post in Community Support and ask for a reopen so you can split :)

cheers mate

Jay
0
 

Author Comment

by:dqnet
ID: 16958671
Just put in an application to re-open the question!
Thanks again guys!
0
 

Author Comment

by:dqnet
ID: 16958747
Just split the points!!

Thanks guys!
0
