Solved

Inheritance at Domain level. (blocking).

Posted on 2006-06-19
Last Modified: 2008-03-03
Hi Guys,

OK, in regards to question: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21887340.html

Now I know you can't BLOCK password policy when they are set at domain level BUT.. the question I now face is what about other things.
Can I set a domain level policy for stopping access to the CD-ROM for example BUT block it at the server login OU by selecting block policy inheritance?

Correct me if I'm wrong, but from the above post, it seems that ANY changes made to a default domain policy at domain level cannot be blocked in any OU below... is this correct? Or does this apply to password policies only?
Question by:dqnet
11 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 65 total points
heya mate

your default domain policy should not be touched at all - passwords or other settings, this should be left as is

as far as I know, you can't block policy inheritance of the default domain policy

however, any policy on the root of the domain that ISN'T the default, can be blocked using block inheritance

for example, I have a policy on the root of a domain, that maps a certain drive, I can block it if needed, I can also use security filtering to deny certain users applying the policy within an OU where other users reside that I DO want to apply the policy
 

Author Comment

by:dqnet
Hey Jay Jay!
How ya doing pal?

Ok, so what I gather from your post is this...
You CAN block at domain root ONLY if the settings are NOT in the "Default Domain Policy".
So if I create a NEW policy called TEST and set this to map certain drives upon any login, I CAN block it at the servers login OU??


And the second question is simply, did I make a mistake of setting a password on the "Default Domain Policy"?
Just got a bit shaken when you said don't touch your default domain policy.
 
LVL 48

Expert Comment

by:Jay_Jay70
heya brother :)

1) yes, that is my understanding and that's what I do as a good practice, setting a policy at the domain root is the same as setting at an OU, same rules apply :)

2) :) it's ok, you haven't broken anything, but you SHOULD have your password policy as one separate policy on the root. Ideally, you always want your default policy to be clean and untouched :)

make a bit more sense??

I had never actually tried to block the default policy so reading up has been a lesson as well, I always assumed you could block anything!
 
LVL 48

Expert Comment

by:Jay_Jay70
bed time in Aus, I'll help you with anything else tomorrow :)
 
LVL 82

Assisted Solution

by:oBdA
oBdA earned 60 total points
You can use security group filtering as well instead of blocking (blocking is usually only good to create confusion about which policies apply where).
Create security groups according to your GPOs, remove the default "Authenticated Users" from the GPO's Read and Apply permissions, and give those permissions to the security group instead. Make the accounts that should pull the GPO member of the group. That way, you're pretty safe from surprises, and a simple look at the group membership will reveal which policies apply.
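
The security group filtering described in the comment above, as an added PowerShell example that is not part of the original thread. It assumes a machine with the GroupPolicy and ActiveDirectory modules; the group name, OU paths and sample account are hypothetical, and 'Main Policy' is the GPO name used later in the thread.

```powershell
# Added example: scope one GPO to a security group, then check what an OU inherits.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Main Policy'                          # GPO name from the thread
$GroupName = 'GPO-MainPolicy-Apply'                 # hypothetical filtering group
$GroupPath = 'OU=Groups,DC=example,DC=com'          # hypothetical location for the group
$ServerOu  = 'OU=Server Logins,DC=example,DC=com'   # hypothetical OU with inheritance blocked
$Members   = @('jsmith')                            # hypothetical account that should get the GPO

# 1. One security group per GPO; membership decides who pulls the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Take Apply away from the default "Authenticated Users" entry.
#    The comment above removes Read as well (-PermissionLevel None). Read is kept here
#    because, since security update MS16-072, user-scoped GPOs are fetched in the
#    computer's security context and are skipped if the computer cannot read the GPO.
#    -Replace is required: without it the cmdlet will not lower an existing permission.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 3. Give Read + Apply (GpoApply includes Read) to the filtering group.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# 4. Review the resulting delegation on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# 5. Show whether the OU blocks inheritance and which GPO links still reach it.
#    Enforced links are the ones that pass through a block.
$inheritance = Get-GPInheritance -Target $ServerOu
"Inheritance blocked on ${ServerOu}: $($inheritance.GpoInheritanceBlocked)"
$inheritance.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced
```

Running `gpresult /r` as one of the affected accounts after the next policy refresh shows which GPOs were applied and which were filtered out.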
 

Author Comment

by:dqnet
Hey Jay Jay!

Goodnight mate!

Just to let you know bro, I tried it!

I created a 'Main Policy' in the root of the domain and transferred all the password requirements to the new one to keep the Default Domain Policy untouched.
AND, I checked the box 'Block Policy inheritance' on the server logins and made changes to the company wide policy named 'Main Policy' and it DIDN'T affect the server users login. GREAT NEWS!

So, you can make changes to the domain ONLY after creating a new policy and you can BLOCK it at any OU level.
I haven't tried block inheritance and making a default domain policy change, but that's not a problem.

Excellent news!!!
Thanks for all your help as usual! You're a star man!
 

Author Comment

by:dqnet
Ahh!!! I see, I'll give that a shot and give ya a shout oBdA.
Thanks for that, excellent!

Is there a way I can assign you points after I've already accepted an answer?
 
LVL 48

Expert Comment

by:Jay_Jay70
good news bro :)

That security filtering is the same as what I was saying above, you can split points if you like, just have to post in community support and ask for a reopen so you can split :)

cheers mate

Jay
 

Author Comment

by:dqnet
Just put in an application to re-open the question!
Thanks again guys!
 

Author Comment

by:dqnet
Just split the points!!

Thanks guys!