Block inheritance of Default Domain Policy

Greetings Experts:

I have a Default Domain Policy in Active Directory (2008 R2 Server) with scripts that run at logon. I created a new Group Policy for an OU with different logon scripts and then set the Policy for that OU to "Block Inheritance." Problem is the scripts from the Default Domain Policy are still running in spite of the Block Inheritance selection.

Can I block inheritance from the Default Domain Policy in 2008 Server?
yccdadmins asked:
 
Sigurdur Haraldsson (System Administrator) commented:
The Default Domain policy is enforced by default. This means that even though you block inheritance, it will go through. The right way is to follow p_nuts advice, use top-level gpos for what you're adding and leave the Default Domain policy as it is.
0
 
brendanmeyer commented:
On the OU for the users/computers that you don't want to inherit the GP, select "Block Inheritance",
then link the GP you want to that OU.
0
 
p_nuts commented:
It's really bad practice to put scripts in the default policy. Scripts are run sequentially; normal settings can be undone on lower levels.

Create a new top-level GPO for the script and don't force it. Then block inheritance, and force the default policy.

That way you get the right script without blocking the rest of the settings.
0
 
Sigurdur Haraldsson (System Administrator) commented:
I forgot to add that of course you can remove the enforcement of the Default Domain Policy but do so at your own risk.
0
 
p_nuts commented:
Actually, even if you choose to stop enforcing the Default Domain Policy, I would never ever configure settings in the default domain controller policies other than the normal password policy and some security settings.

The Default Domain Policy is meant for the baseline or bottom-line settings, like "everybody's password should expire in xx days",

and even there I would probably set it up in a separate GPO.

Now don't go and get GPO-itis and make GPOs for everything, as this could slow your logon procedure.

0
 
yccdadmins (Author) commented:
Block inheritance has never worked for much of the Default Domain Policy (DDP), even in 2K3. In 2K3 I knew where to override this but I was having trouble finding it in 2K8. Scripts were placed in the Default Domain Policy because they had to be at the time and I'm trying to undo this. I wanted to leave the original scripts in place while I set up GPOs for lower-level OUs. However, the original scripts were conflicting with changes to the new lower-level scripts. I asked the question incorrectly by asking, "Can I block inheritance from the Default Domain Policy in 2008 Server?" I should have asked...

"How" do I block inheritance from the Default Domain Policy temporarily in 2008 Server while I create new OUs and GPOs, so I can remove scripts from the Default Domain Policy?

Sorry for being vague. I went ahead and came in after hours so I would not affect end users, set up all of the new OUs and GPOs, then removed the scripts etc. from the Default Domain Policy.

Sighar, you actually answered my original question by writing yes, I can remove enforcement of the DDP, so you should probably get the points, but I would still like to know "how" to do this. The 2008 interface is quite a bit different from 2003 when it comes to Group Policy and I haven't found this yet. All I have found while searching the Internet are articles about people trying to block password complexity to lower-level OUs, and that's not exactly what I was looking for....
0
 
Sigurdur Haraldsson (System Administrator) commented:
I'm away from any DCs now, but if I remember correctly, you go to Group Policy Management, expand the forest and domains. Select the domain on the left and then you should see a list of the GPOs and their link order on the right. There it should say whether it is enforced or not. Right-click on the Default Domain Policy and uncheck the Enforced option.
0
 
p_nuts commented:
Enforced has a "!" in front of it. Right-click and uncheck Enforced to remove it. You can then right-click an OU and select Block Inheritance.
0
 
yccdadmins (Author) commented:
Default Domain Policy was not set to Enforced. It has never been changed, so it came out of the box with that setting. Must be something else. In 2003 I used to have to select "No Override" but I have not been able to find that in 2008.
0
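The two checks discussed above (is the Default Domain Policy link enforced, and is inheritance actually blocked on the OU) can be audited from PowerShell instead of clicking through GPMC. The script below is an added example, not code from the thread or from Microsoft; it uses the GroupPolicy and ActiveDirectory RSAT modules that ship with 2008 R2, and the OU path and user name are hypothetical placeholders. Note that the "No Override" checkbox from the 2003-era Active Directory Users and Computers UI is the same link setting that GPMC labels "Enforced".

```powershell
# Added example (not from the thread): audit why a domain-level GPO still reaches
# an OU that has "Block Inheritance" set. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDn = 'OU=Staff,DC=example,DC=local'   # hypothetical target OU; replace with yours

# 1. Is inheritance blocked on the OU, and which links still reach it?
$inh = Get-GPInheritance -Target $ouDn
"Block Inheritance on $($inh.Path): $($inh.GpoInheritanceBlocked)"

# With blocking on, only the OU's own links plus Enforced links from higher
# scopes should appear in InheritedGpoLinks. Anything else means the block is
# not where you think it is (for example, the user objects live in another OU).
$inh.InheritedGpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# Flag Enforced links coming from above the OU: these bypass Block Inheritance.
$inh.InheritedGpoLinks |
    Where-Object { $_.Enforced -and ($_.Target -ne $ouDn) } |
    ForEach-Object { Write-Warning "Enforced from $($_.Target): $($_.DisplayName)" }

# 2. Check the Default Domain Policy link at the domain root directly.
$domainDn  = (Get-ADDomain).DistinguishedName
$domainInh = Get-GPInheritance -Target $domainDn
$ddpLink   = $domainInh.GpoLinks | Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
"Default Domain Policy enforced at ${domainDn}: $($ddpLink.Enforced)"

# 3. The changes the thread describes, as cmdlets (commented out; run deliberately):
#    clear Enforced on the Default Domain Policy link (2008 equivalent of clearing "No Override"):
# Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced No
#    block inheritance on the OU:
# Set-GPInheritance -Target $ouDn -IsBlocked Yes

# 4. If the script still runs, ask the client which GPOs actually applied to the
#    user (hypothetical account name) rather than guessing from the link view:
# gpresult /user jdoe /scope user /r
```

Run the audit both before and after changing the link settings, and remember that a user who has not logged off and on again (or run `gpupdate /force`) will still be carrying the old resultant policy, so the `gpresult` output is the thing to trust, not the link list alone.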
 
yccdadmins (Author) commented:
I think this was the best answer due to the fact that it is best practice as noted by Microsoft. I removed the scripts from the Default Domain Policy. I then created a new GPO for each OU, applied scripts to the GPO, and linked them to the new OUs.
0