yccdadmins asked:
Block inheritance of Default Domain Policy

Greetings Experts:

I have a Default Domain Policy in Active Directory (2008 R2 Server) with scripts that run at logon. I created a new Group Policy for an OU with different logon scripts and then set the Policy for that OU to "Block Inheritance." Problem is the scripts from the Default Domain Policy are still running in spite of the Block Inheritance selection.

Can I block inheritance from the Default Domain Policy in 2008 Server?
Brendan M (Australia):

On the OU for the users/computers that you don't want to inherit the GP, select "Block Inheritance", then link the GP you want to that OU.
It's really bad practice to put scripts in the default policy. Scripts are run sequentially; normal settings can be undone on lower levels.

Create a new top-level GPO for the script and don't force it. Then block inheritance, and force the default policy.

That way you get the right script without blocking the rest of the settings.
ASKER CERTIFIED SOLUTION by Sigurdur Haraldsson (Iceland):

I forgot to add that of course you can remove the enforcement of the Default Domain Policy but do so at your own risk.
Actually, even if you choose to stop enforcing the Default Domain Policy, I would never ever configure settings in the default domain controller policies other than the normal password policy and some security settings.

The Default Domain Policy is meant for the baseline or bottom-line settings, like "everybody's password should expire in xx days",

and even there I would probably set it up in a separate GPO.

Now don't go and get GPO-itis and make GPOs for everything, as this could slow your logon procedure.

yccdadmins (ASKER):
Block inheritance has never worked for much of the Default Domain Policy (DDP), even in 2K3. In 2K3 I knew where to override this, but I was having trouble finding it in 2K8. Scripts were placed in the Default Domain Policy because they had to be at the time, and I'm trying to undo this. I wanted to leave the original scripts in place while I set up GPOs for lower-level OUs. However, the original scripts were conflicting with changes to the new lower-level scripts. I asked the question incorrectly by asking, "Can I block inheritance from the Default Domain Policy in 2008 Server?" I should have asked...

"How" do I block inheritance from the Default Domain Policy temporarily in 2008 Server while I create new OUs and GPOs so I can remove scripts from the Default Domain Policy?

Sorry for being vague. I went ahead and came in after hours so I would not affect end users, set up all of the new OUs and GPOs, then removed the scripts etc. from the Default Domain Policy.

Sighar, you actually answered my original question by writing that yes, I can remove enforcement of the DDP, so you should probably get the points, but I would still like to know "how" to do this. The 2008 interface is quite a bit different than 2003 when it comes to Group Policy, and I haven't found this yet. All I have found while searching the Internet are articles about people trying to block password complexity to lower-level OUs, and that's not exactly what I was looking for....
I'm away from any DCs now, but if I remember correctly, you go to Group Policy Management and expand the forest and domains. Select the domain on the left and then you should see a list of the GPOs and their link order on the right. There it should say whether it is enforced or not. Right-click on the Default Domain Policy and uncheck the Enforced option.
Enforced has a "!" in front of it. Right-click and uncheck Enforced to remove it. You can then right-click an OU and select Block Inheritance.
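The same procedure the thread describes (Brendan M's first answer and the two posts just above: check whether the Default Domain Policy link is enforced at the domain root and unenforce it if so, block inheritance on the OU, link the OU's own GPO, then verify which links still reach the OU), as an added PowerShell example. This is not code from any of the posts. It assumes the GroupPolicy module that ships with the Group Policy Management feature on Windows Server 2008 R2; the domain contoso.com, the OU "Lab Users" and the GPO name "Lab Logon Scripts" are placeholders to replace with your own.

```powershell
# Added example (not from the original thread). Assumed placeholders:
# domain contoso.com, OU "Lab Users", new GPO "Lab Logon Scripts".
Import-Module GroupPolicy

$domainDn = 'dc=contoso,dc=com'          # assumed domain
$ouDn     = "ou=Lab Users,$domainDn"     # assumed OU that gets its own logon-script GPO
$newGpo   = 'Lab Logon Scripts'          # assumed name for the OU-level GPO

# 1. Links at the domain root, with their Enforced flag. An enforced link
#    ignores Block Inheritance, so this is the first thing to rule out.
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
$rootLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

$ddp = $rootLinks | Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
if ($ddp -and $ddp.Enforced) {
    # Same as unticking "Enforced" on the link in GPMC.
    Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced No | Out-Null
}

# 2. Block inheritance on the OU (GPMC: right-click the OU > Block Inheritance).
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 3. Create the OU-level GPO (if it does not exist yet) and link it to the OU.
if (-not (Get-GPO -Name $newGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $newGpo | Out-Null
}
New-GPLink -Name $newGpo -Target $ouDn -LinkEnabled Yes | Out-Null

# 4. Check: with inheritance blocked, InheritedGpoLinks on the OU should contain
#    only the OU's own links plus enforced links from above. Any entry whose
#    Target is not the OU itself is an enforced link that will still apply.
$ouInfo = Get-GPInheritance -Target $ouDn
'Inheritance blocked on {0}: {1}' -f $ouInfo.Name, $ouInfo.GpoInheritanceBlocked
$ouInfo.InheritedGpoLinks | Format-Table DisplayName, Enforced, Target -AutoSize

# 5. On a test machine, as a user in that OU, confirm what actually applied:
#    gpupdate /force
#    gpresult /r /scope user
```

Step 4 is the check that settles the kind of question asked in this thread: if the blocked OU still lists the Default Domain Policy under InheritedGpoLinks, the link is enforced somewhere above; if it does not, but the scripts still run for a user in that OU, gpresult /r on that user shows which applied GPO delivered them.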
Default Domain Policy was not set to Enforced. It has never been changed, so it came out of the box with that setting. Must be something else. In 2003 I used to have to select "No Override," but I have not been able to find that in 2008.
I think this was the best answer due to the fact that it is best practice, as noted by Microsoft. I removed the scripts from the Default Domain Policy. I then created a new GPO for each OU, applied scripts to the GPOs and linked them to the new OUs.