Solved

Block Inheritance of Default Domain Policy

Posted on 2010-09-14
1,316 Views
Last Modified: 2012-08-13
Greetings Experts:

I have a Default Domain Policy in Active Directory (2008 R2 Server) with scripts that run at logon.  I created a new Group Policy for an OU with different logon scripts and then set the Policy for that OU to "Block Inheritance."  Problem is the scripts from the Default Domain Policy are still running in spite of the Block Inheritance selection.

Can I block inheritance from the Default Domain Policy in 2008 Server?
Question by:yccdadmins
10 Comments
 
LVL 14

Expert Comment

by:brendanmeyer
On the OU for the users/computers that you don't want to inherit the GP... select "Block Inheritance",
then link the GP you want to that OU.
 
LVL 13

Expert Comment

by:p_nuts
It's really bad practice to put scripts in the default policy. Scripts are run sequentially; normal settings can be undone on lower levels.

Create a new top-level GPO for the script and don't force it. Then block inheritance, and force the default policy.

That way you get the right script without blocking the rest of the settings.
 
LVL 11

Accepted Solution

by: sighar (earned 250 total points)
The Default Domain Policy is enforced by default. This means that even though you block inheritance, it will go through. The right way is to follow p_nuts' advice: use top-level GPOs for what you're adding and leave the Default Domain Policy as it is.
 
LVL 11

Expert Comment

by:sighar
I forgot to add that of course you can remove the enforcement of the Default Domain Policy, but do so at your own risk.
 
LVL 13

Expert Comment

by:p_nuts
Actually, even if you choose to stop enforcing the Default Domain Policy, I would never ever configure settings in the default domain controller policies other than the normal password policy and some security settings.

The default domain policy is meant for the baseline or bottom-line settings, like everybody's password should expire in xx days,

and even there I would probably set it up in a separate GPO.

Now don't go and get GPO-itis and make GPOs for everything, as this could slow your logon procedure...
Author Comment

by:yccdadmins
Block inheritance has never worked for much of the Default Domain Policy (DDP), even in 2K3.  In 2K3 I knew where to override this, but I was having trouble finding it in 2K8.  Scripts were placed in the Default Domain Policy because they had to be at the time, and I'm trying to undo this.  I wanted to leave the original scripts in place while I set up GPOs for lower-level OUs.  However, the original scripts were conflicting with changes to the new lower-level scripts.  I asked the question incorrectly by asking, "Can I block inheritance from the Default Domain Policy in 2008 Server?"  I should have asked...

"How" do I block inheritance from the Default Domain Policy temporarily in 2008 Server while I create new OUs and GPOs, so I can remove scripts from the Default Domain Policy?

Sorry for being vague.  I went ahead and came in after hours so I would not affect end users, set up all of the new OUs and GPOs, then removed the scripts etc. from the Default Domain Policy.

Sighar - you actually answered my original question by writing yes, I can remove enforcement of the DDP, so you should probably get the points, but I would still like to know "how" to do this.  The 2008 interface is quite a bit different than 2003 when it comes to group policy, and I haven't found this yet.  All I have found while searching the Internet are articles about people trying to block password complexity to lower-level OUs, and that's not exactly what I was looking for....
 
LVL 11

Expert Comment

by:sighar
I'm away from any DCs now, but if I remember correctly, you go to Group Policy Management and expand the forest and domains. Select the domain on the left and then you should see a list of the GPOs and their link order on the right. There it should say whether it is enforced or not. Right-click on the Default Domain Policy and uncheck the Enforced option.
 
LVL 13

Expert Comment

by:p_nuts
Enforced has a "!" in front of it. Right-click and uncheck Enforce to remove it. You can then right-click an OU and select Block Inheritance.
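The two-step procedure sighar and p_nuts describe in the GPMC console (check whether the Default Domain Policy link is enforced, remove the enforcement, then block inheritance on the OU) can be audited and carried out from PowerShell with the RSAT GroupPolicy module. The script below is an added example written for this thread, not code from any of the posters; the domain and OU distinguished names are placeholders, and nothing is changed unless a function is called with -Apply.

```powershell
# Added example (not from the thread): audit the GPO links that reach an OU
# and, only when -Apply is given, remove enforcement from the Default Domain
# Policy link and block inheritance on the OU. Requires the RSAT GroupPolicy
# module. The distinguished names are placeholders; substitute your own.
Import-Module GroupPolicy

$DomainDN = "DC=example,DC=local"               # placeholder
$TargetOU = "OU=Lab Users,DC=example,DC=local"  # placeholder

function Show-GPLinks {
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    Write-Host "Target             : $Target"
    Write-Host "Inheritance blocked: $($inh.GpoInheritanceBlocked)"
    Write-Host "Effective links (highest precedence first):"
    # InheritedGpoLinks is the set of links that still apply at this
    # container, in precedence order; enforced parent links survive a block.
    foreach ($link in $inh.InheritedGpoLinks) {
        # GPMC marks an enforced link with "!"; mirror that in the listing.
        $mark = if ($link.Enforced) { "!" } else { " " }
        Write-Host ("  {0} {1,-28} linked at {2}  enabled={3}" -f
            $mark, $link.DisplayName, $link.Target, $link.Enabled)
    }
}

function Remove-DefaultDomainPolicyEnforcement {
    param([string]$Domain = $DomainDN, [switch]$Apply)
    $link = (Get-GPInheritance -Target $Domain).GpoLinks |
        Where-Object DisplayName -eq "Default Domain Policy"
    if (-not $link) { throw "No Default Domain Policy link found at $Domain" }
    if (-not $link.Enforced) {
        Write-Host "Default Domain Policy link is not enforced; a block on the OU already excludes it."
        return
    }
    if ($Apply) {
        Set-GPLink -Name "Default Domain Policy" -Target $Domain -Enforced No | Out-Null
        Write-Host "Enforcement removed from the Default Domain Policy link."
    } else {
        Write-Host "Would run: Set-GPLink -Name 'Default Domain Policy' -Target '$Domain' -Enforced No  (add -Apply)"
    }
}

function Block-OUInheritance {
    param([string]$OU = $TargetOU, [switch]$Apply)
    if ($Apply) {
        Set-GPInheritance -Target $OU -IsBlocked Yes | Out-Null
        Write-Host "Inheritance blocked on $OU."
    } else {
        Write-Host "Would run: Set-GPInheritance -Target '$OU' -IsBlocked Yes  (add -Apply)"
    }
}

# Usage: audit first, then repeat the two change calls with -Apply once the
# listing shows what you expect, and audit again to confirm.
Show-GPLinks -Target $TargetOU
Remove-DefaultDomainPolicyEnforcement      # dry run
Block-OUInheritance                        # dry run
# Remove-DefaultDomainPolicyEnforcement -Apply
# Block-OUInheritance -Apply
# Show-GPLinks -Target $TargetOU
```

Run the audit before and after the change: the "!" column shows which links would still apply through a block, which is the quickest way to see whether enforcement, rather than something else, is why a policy keeps reaching the OU.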
 

Author Comment

by:yccdadmins
Default Domain Policy was not set to Enforced.  It has never been changed so it came out of the box with that setting.  Must be something else.  In 2003 I used to have to select "No override" but I have not been able to find that in 2008.
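When the Default Domain Policy link is not enforced and the OU still receives the scripts, the practical check is to find which GPO in the user's effective scope actually carries a logon script, and to confirm the user object really sits in the OU whose inheritance was blocked (logon scripts are user-side settings, so the computer's OU does not matter). The script below is an added example for this thread, not code from the posters. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a placeholder account name, and that the XML GPO report marks script settings with the extension namespace http://www.microsoft.com/GroupPolicy/Settings/Scripts and lists each script inside a <qN:Script> element with <qN:Command> and <qN:Type> children.

```powershell
# Added example (not from the thread): list every GPO in a user's effective
# scope that delivers a logon/logoff script, with where it is linked and
# whether the link is enforced. Requires the RSAT GroupPolicy and
# ActiveDirectory modules. The account name is a placeholder.
# Assumption: the XML GPO report uses the namespace
# "http://www.microsoft.com/GroupPolicy/Settings/Scripts" for the scripts
# extension and nests <qN:Command>/<qN:Type> inside each <qN:Script>.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$UserName = "jdoe"   # placeholder sAMAccountName

function Get-LogonScriptSources {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The OU that matters for logon scripts is the one holding the user object.
    $user   = Get-ADUser -Identity $SamAccountName
    # Parent container = everything after the first comma of the DN.
    # (A CN containing an escaped comma would need proper DN parsing.)
    $userOU = ($user.DistinguishedName -split ',', 2)[1]
    $inh    = Get-GPInheritance -Target $userOU
    Write-Host "User OU: $userOU  (inheritance blocked: $($inh.GpoInheritanceBlocked))"

    foreach ($link in $inh.InheritedGpoLinks) {
        if (-not $link.Enabled) { continue }
        $xml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        # Skip GPOs whose report has no scripts extension at all.
        if ($xml -notmatch 'GroupPolicy/Settings/Scripts') { continue }
        # Each <qN:Script> block carries the command and its type (Logon/Logoff).
        $blocks = [regex]::Matches($xml, '<(q\d+):Script>(.*?)</\1:Script>', 'Singleline')
        foreach ($b in $blocks) {
            $body = $b.Groups[2].Value
            $cmd  = [regex]::Match($body, '<q\d+:Command>([^<]*)</q\d+:Command>').Groups[1].Value
            $type = [regex]::Match($body, '<q\d+:Type>([^<]*)</q\d+:Type>').Groups[1].Value
            [pscustomobject]@{
                Gpo      = $link.DisplayName
                LinkedAt = $link.Target
                Enforced = $link.Enforced
                Script   = $cmd
                Type     = $type
            }
        }
    }
}

Get-LogonScriptSources -SamAccountName $UserName | Format-Table -AutoSize
```

If the table shows the script coming from a GPO other than the Default Domain Policy, or the reported OU is not the one you blocked, that explains the behaviour without any enforcement being involved. As a second opinion from the client side, `gpresult /scope:user /r` run as the affected user lists the applied GPOs in the order they were processed.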
 

Author Closing Comment

by:yccdadmins
I think this was the best answer due to the fact that it is best practice, as noted by Microsoft.  I removed the scripts from the Default Domain Policy.  I then created a new GPO for each OU, applied scripts to the GPOs, and linked them to the new OUs.