
Inheritance at Domain level. (blocking).

Hi Guys,

OK, in regard to the question: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21887340.html

Now I know you can't BLOCK password policies when they are set at domain level, BUT... the question I now face is: what about other things?
Can I set a domain-level policy that stops access to the CD-ROM, for example, BUT block it at the server login OU by selecting "Block Policy inheritance"?

Correct me if I'm wrong, but from the above post it seems that ANY changes made to the Default Domain Policy at domain level cannot be blocked in any OU below... Is this correct? Or does this apply to password policies only?
Asked by: dqnet
2 Solutions
 
Jay_Jay70 commented:
Heya mate,

Your Default Domain Policy should not be touched at all, passwords or other settings; it should be left as is.

As far as I know, you can't block policy inheritance of the Default Domain Policy.

However, any policy on the root of the domain that ISN'T the default can be blocked using Block Inheritance.

For example, I have a policy on the root of a domain that maps a certain drive. I can block it if needed; I can also use security filtering to deny the policy to certain users within an OU where other users reside that I DO want the policy to apply to.
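The setup Jay_Jay70 describes (a separate GPO linked at the domain root, then blocked at one OU) can be done and checked with the GroupPolicy RSAT module. The script below is an added example, not code from the thread or from any of its participants; the domain corp.example, the OU and the GPO name are placeholders. Two caveats that the check at the end exposes: a domain-root link that is marked Enforced is applied regardless of Block Inheritance, and account-policy settings (password, lockout) for domain accounts are only read from GPOs linked at the domain level, which is why the password policy could not be blocked in the earlier question.

```powershell
# Added example (not from the thread): block a non-default domain-root GPO at a
# "Server Logins" OU and verify what still reaches that OU.
# Assumes the GroupPolicy RSAT module and a hypothetical domain corp.example;
# the GPO name and OU distinguished name are placeholders.
Import-Module GroupPolicy

$domain   = 'corp.example'
$domainDN = 'DC=corp,DC=example'
$serverOU = 'OU=Server Logins,DC=corp,DC=example'
$gpoName  = 'Main Policy'   # the non-default GPO; Default Domain Policy stays untouched

# 1. Create the GPO (if it does not exist yet) and link it at the domain root,
#    instead of editing the settings into the Default Domain Policy.
if (-not (Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Domain $domain |
        New-GPLink -Target $domainDN -LinkEnabled Yes | Out-Null
}

# 2. Turn on Block Inheritance for the server OU. Links from the domain root and
#    any parent OU stop here, except links that are marked Enforced.
Set-GPInheritance -Target $serverOU -IsBlocked Yes | Out-Null

# 3. Show the OU's inheritance state and the GPOs that still arrive from above.
$inh = Get-GPInheritance -Target $serverOU
[pscustomobject]@{
    Target        = $inh.Path
    Blocked       = $inh.GpoInheritanceBlocked
    StillApplied  = ($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
}

# 4. List domain-root links that are Enforced: these override the block in step 2,
#    so review them before assuming an OU is isolated from a domain-wide setting.
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.Enforced } |
    Select-Object DisplayName, Enforced, Enabled
```

After a `gpupdate /force` on a machine in the blocked OU, `gpresult /r /scope user` (or `/scope computer`) should no longer list 'Main Policy' under applied GPOs, which is the same check dqnet describes doing by hand later in the thread.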
 
dqnet (Author) commented:
Hey Jay Jay!
How ya doing, pal?

OK, so what I gather from your post is this...
You CAN block at domain root ONLY if the settings are NOT in the "Default Domain Policy".
So if I create a NEW policy called TEST and set this to map certain drives upon any login, I CAN block it at the server login OU??

And the second question is simply: did I make a mistake by setting a password on the "Default Domain Policy"?
Just got a bit shaken when you said don't touch your Default Domain Policy.
 
Jay_Jay70 commented:
Heya brother :)

1) Yes, that is my understanding and that's what I do as good practice. Setting a policy at the domain root is the same as setting one at an OU; the same rules apply :)

2) :) It's OK, you haven't broken anything, but you SHOULD have your password policy as one separate policy on the root. Ideally, you always want your default policy to be clean and untouched :)

Makes a bit more sense??

I had never actually tried to block the default policy, so reading up has been a lesson as well; I always assumed you could block anything!
 
Jay_Jay70 commented:
Bedtime in Aus; I'll help you with anything else tomorrow :)
 
oBdA commented:
You can use security group filtering as well instead of blocking (blocking is usually only good for creating confusion about which policies apply where).
Create security groups according to your GPOs, remove the default "Authenticated Users" from the GPO's Read and Apply permissions, and give those permissions to the security group instead. Make the accounts that should pull the GPO members of the group. That way, you're pretty safe from surprises, and a simple look at the group membership will reveal which policies apply.
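oBdA's security-filtering approach, scripted with the GroupPolicy and ActiveDirectory RSAT modules, as an added example that is not code from the thread or from any participant; the domain corp.example, the group name, the OU and the member accounts are placeholders. One correction to the 2006 advice that matters on current domains: since the MS16-072 update (KB3163622) the user half of a GPO is retrieved in the computer's security context, so "Authenticated Users" must keep Read (or "Domain Computers" must be granted Read); only the "Apply Group Policy" right is moved to the filtering group.

```powershell
# Added example (not from the thread): security filtering for the 'Main Policy' GPO.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and a hypothetical
# domain corp.example; GPO, OU, group and account names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = 'corp.example'
$gpoName = 'Main Policy'
$group   = 'GPO-MainPolicy-Apply'                       # one group per GPO
$groupOU = 'OU=GPO Filtering Groups,DC=corp,DC=example'

# 1. The group's membership becomes the single place that documents who gets the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $groupOU `
        -Description "Accounts that apply the '$gpoName' GPO" | Out-Null
}
# Placeholder members: a user and a computer account (computer names end in '$').
Add-ADGroupMember -Identity $group -Members 'jsmith', 'WKS-0042$'

# 2. Reduce Authenticated Users from Read+Apply to Read only. -Replace is required,
#    otherwise Set-GPPermission keeps the higher existing level. Read stays because
#    computers need it to process the GPO at all (MS16-072 behaviour).
Set-GPPermission -Name $gpoName -Domain $domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant Read + Apply Group Policy to the filtering group only.
Set-GPPermission -Name $gpoName -Domain $domain -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the resulting GPO ACL: exactly one trustee should hold GpoApply.
Get-GPPermission -Name $gpoName -Domain $domain -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because the GPO stays linked at the domain root and no OU has Block Inheritance set, which policies reach an account is answered by `Get-ADPrincipalGroupMembership` on that account rather than by tracing links and blocks through the OU tree, which is the "no surprises" property oBdA is after. Group membership changes only take effect after the user logs on again (or the computer reboots), since the group SIDs are part of the logon token.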
 
dqnet (Author) commented:
Hey Jay Jay!

Goodnight, mate!

Just to let you know, bro, I tried it!

I created a 'Main Policy' in the root of the domain and transferred all the password requirements to the new one to keep the Default Domain Policy untouched.
AND I checked the box 'Block Policy inheritance' on the server logins, made changes to the company-wide policy named 'Main Policy', and it DIDN'T affect the server users' login. GREAT NEWS!

So, you can make changes to the domain ONLY after creating a new policy, and you can BLOCK it at any OU level.
I haven't tried Block Inheritance together with a Default Domain Policy change, but that's not a problem.

Excellent news!!!
Thanks for all your help as usual! You're a star, man!
 
dqnet (Author) commented:
Ahh!!! I see, I'll give that a shot and give ya a shout, oBdA.
Thanks for that, excellent!

Is there a way I can assign you points after I've already accepted an answer?
 
Jay_Jay70 commented:
Good news, bro :)

That security filtering is the same as what I was saying above. You can split points if you like; you just have to post in Community Support and ask for a reopen so you can split :)

Cheers, mate

Jay
 
dqnet (Author) commented:
Just put in an application to re-open the question!
Thanks again, guys!
 
dqnet (Author) commented:
Just split the points!!

Thanks, guys!
