Solved

Inheritance at Domain level. (blocking).

Posted on 2006-06-19
Last Modified: 2008-03-03
Hi Guys,

OK, in regards to question: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21887340.html

Now I know you can't BLOCK password policies when they are set at domain level, BUT the question I now face is: what about other things?
Can I set a domain level policy for stopping access to the CD-ROM, for example, BUT block it at the server login OU by selecting block policy inheritance?

Correct me if I'm wrong, but from the above post, it seems that ANY changes made to a default domain policy at domain level cannot be blocked in any OU below... is this correct? Or does this apply to password policies only?
Question by:dqnet
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 65 total points
ID: 16934060
heya mate

your default domain policy should not be touched at all - passwords or other settings, this should be left as is

as far as I know, you can't block policy inheritance of the default domain policy

however, any policy on the root of the domain that ISN'T the default can be blocked using block inheritance

for example, I have a policy on the root of a domain that maps a certain drive; I can block it if needed. I can also use security filtering to deny certain users applying the policy within an OU where other users reside that I DO want to apply the policy
0
 

Author Comment

by:dqnet
ID: 16934100
Hey Jay Jay!
How ya doing pal?

Ok, so what I gather from your post is this...
You CAN block at domain root ONLY if the settings are NOT in the "Default Domain Policy".
So if I create a NEW policy called TEST and set this to map certain drives upon any login, I CAN block it at the servers login OU??


And the second question is simply, did I make a mistake of setting a password on the "Default Domain Policy"?
Just got a bit shaken when you said don't touch your default domain policy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16934123
heya brother :)

1) yes, that is my understanding and that's what I do as a good practice, setting a policy at the domain root is the same as setting at an OU, same rules apply :)

2) :) it's ok, you haven't broken anything, but you SHOULD have your password policy as one separate policy on the root. Ideally, you always want your default policy to be clean and untouched :)

make a bit more sense??

I had never actually tried to block the default policy so reading up has been a lesson as well, I always assumed you could block anything!
0

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16934135
bed time in Aus, I'll help you with anything else tomorrow :)
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 60 total points
ID: 16934143
You can use security group filtering as well instead of blocking (blocking is usually only good to create confusion about which policies apply where).
Create security groups according to your GPOs, remove the default "Authenticated Users" from the GPO's Read and Apply permissions, and give those permissions to the security group instead. Make the accounts that should pull the GPO member of the group. That way, you're pretty safe from surprises, and a simple look at the group membership will reveal which policies apply.
0
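
Added example, not part of the thread or any poster's own code: the security-filtering setup described in the answer above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules, followed by an audit of which OUs have Block Inheritance set. The group name and domain DN are placeholders, and `Main Policy` is the GPO name used later in the thread. It differs from the post in one respect: Authenticated Users is reduced to Read rather than removed, because since the MS16-072 update user GPOs are fetched in the computer's security context and a GPO that neither Authenticated Users nor Domain Computers can read is not applied.

```powershell
# Added example: security filtering plus a Block Inheritance audit.
# Needs the RSAT GroupPolicy and ActiveDirectory modules and rights to edit the GPO.
Import-Module GroupPolicy, ActiveDirectory

$gpoName   = 'Main Policy'            # GPO name taken from the thread
$groupName = 'GPO-MainPolicy-Apply'   # hypothetical security group name
$domainDn  = 'DC=example,DC=com'      # placeholder domain DN

# 1. One security group per GPO; its membership decides who applies the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$domainDn"
}

# 2. Take "Apply group policy" away from Authenticated Users but keep Read
#    (see the MS16-072 note in the lead-in), then grant Read + Apply to the group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Show the resulting ACL so the filter can be reviewed.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# 4. Audit: list every OU with Block Inheritance set and the GPOs that still
#    reach it. Links marked Enforced at a higher level are not stopped by the block.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $inh = Get-GPInheritance -Target $_.DistinguishedName
    if ($inh.GpoInheritanceBlocked) {
        [pscustomobject]@{
            OU           = $_.DistinguishedName
            StillApplied = ($inh.InheritedGpoLinks |
                            ForEach-Object {
                                if ($_.Enforced) { "$($_.DisplayName) (enforced)" }
                                else             { $_.DisplayName }
                            }) -join '; '
        }
    }
}
```

Running step 4 on a schedule and diffing the output makes a newly blocked OU, which silently drops domain-level hardening for everything inside it, visible as a change.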
 

Author Comment

by:dqnet
ID: 16934485
Hey Jay Jay!

Goodnight mate!

Just to let you know bro, I tried it!

I created a 'Main Policy' in the root of the domain and transferred all the password requirements to the new one to keep the Default Domain Policy untouched.
AND, I checked the box 'Block Policy inheritance' on the server logins and made changes to the company wide policy named 'Main Policy' and it DIDN'T affect the server users login. GREAT NEWS!

So, you can make changes to the domain ONLY after creating a new policy and you can BLOCK it at any OU level.
I haven't tried block inheritance and making a default domain policy change, but that's not a problem.

Excellent news!!!
Thanks for all your help as usual! You're a star man!
0
 

Author Comment

by:dqnet
ID: 16934522
Ahh!!! I see, I'll give that a shot and give ya a shout oBdA.
Thanks for that, excellent!

Is there a way I can assign you points after I've already accepted an answer?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16938188
good news bro :)

That security filtering is the same as what I was saying above, you can split points if you like, just have to post in community support and ask for a reopen so you can split :)

cheers mate

Jay
0
 

Author Comment

by:dqnet
ID: 16958671
Just put in an application to re-open the question!
Thanks again guys!
0
 

Author Comment

by:dqnet
ID: 16958747
Just split the points!!

Thanks guys!
0
