Solved

Block inheritance of Default Domain Policy

Posted on 2010-09-14
Last Modified: 2012-08-13
Greetings Experts:

I have a Default Domain Policy in Active Directory (2008 R2 Server) with scripts that run at logon. I created a new Group Policy for an OU with different logon scripts and then set the Policy for that OU to "Block Inheritance." Problem is the scripts from the Default Domain Policy are still running in spite of the Block Inheritance selection.

Can I block inheritance from the Default Domain Policy in 2008 Server?
Question by:yccdadmins
10 Comments
 
LVL 14

Expert Comment

by:brendanmeyer
ID: 33677430
On the OU for the users/computers that you don't want to inherit the GP, select "block inheritance",
then link the GP you want to that OU.
 
LVL 13

Expert Comment

by:p_nuts
ID: 33677955
It's really bad practice to put scripts in the default policy. Scripts are run sequentially; normal settings can be undone on lower levels.

Create a new top-level GPO for the script and don't force it. Then block inheritance, and force the default policy.

That way you get the right script without blocking the rest of the settings.
 
LVL 11

Accepted Solution

by:
Sigurdur Haraldsson earned 750 total points
ID: 33689830
The Default Domain policy is enforced by default. This means that even though you block inheritance, it will go through. The right way is to follow p_nuts advice, use top-level gpos for what you're adding and leave the Default Domain policy as it is.
 
LVL 11

Expert Comment

by:Sigurdur Haraldsson
ID: 33689835
I forgot to add that of course you can remove the enforcement of the Default Domain Policy but do so at your own risk.
 
LVL 13

Expert Comment

by:p_nuts
ID: 33690961
Actually, even if you choose to stop enforcing the Default Domain Policy, I would never ever configure settings in the default domain controller policies other than the normal password policy and some security settings.

The default domain policy is meant for the baseline or bottom-line settings, like "everybody's password should expire in xx days",

and even there I would probably set it up in a separate GPO.

Now don't go and get gpo-itus and make GPOs for everything, as this could slow your logon procedure.
 

Author Comment

by:yccdadmins
ID: 33693236
Block inheritance has never worked for much of the Default Domain Policy (DDP), even in 2K3. In 2K3 I knew where to override this, but I was having trouble finding it in 2K8. Scripts were placed in the Default Domain Policy because they had to be at the time, and I'm trying to undo this. I wanted to leave the original scripts in place while I set up GPOs for lower-level OUs. However, the original scripts were conflicting with changes to the new lower-level scripts. I asked the question incorrectly by asking, "can I block inheritance from the Default Domain Policy in 2008 Server?" I should have asked...

"How" do I block inheritance from the Default Domain Policy temporarily in 2008 Server while I create new OUs and GPOs, so I can remove scripts from the Default Domain Policy?

Sorry for being vague. I went ahead and came in after hours so I would not affect end users, set up all of the new OUs and GPOs, then removed the scripts etc. from the Default Domain Policy.

Sighar - you actually answered my original question by writing yes, I can remove enforcement of the DDP, so you should probably get the points, but I would still like to know "how" to do this. The 2008 interface is quite a bit different than 2003 when it comes to group policy and I haven't found this yet. All I have found while searching the Internet are articles about people trying to block password complexity to lower-level OUs, and that's not exactly what I was looking for....
 
LVL 11

Expert Comment

by:Sigurdur Haraldsson
ID: 33695991
I'm away from any DCs now, but if I remember correctly, you go to Group Policy Management, expand the forest and domains. Select the domain on the left and then you should see a list of the GPOs and their link order on the right. There it should say whether it is enforced or not. Right-click on the Default Domain Policy and uncheck the Enforced option.
 
LVL 13

Expert Comment

by:p_nuts
ID: 33696502
Enforced has a "!" in front of it. Right-click and uncheck Enforce to remove it. You can then right-click an OU and select Block Inheritance.
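The same audit and fix in PowerShell, as an added example that is not part of the thread: it shows why an enforced domain-level link (the accepted answer's point) still reaches an OU that has Block Inheritance set, and performs the two steps the replies above describe in the GPMC console. It uses the GroupPolicy module (RSAT / 2008 R2 and later); the domain DN and OU name are placeholders.

```powershell
# Added example, not from the thread. Assumed placeholders: domain contoso.com,
# target OU "Workstations". Requires the GroupPolicy module (RSAT, 2008 R2+).
Import-Module GroupPolicy

$Domain   = 'DC=contoso,DC=com'          # assumption: your domain DN
$TargetOU = "OU=Workstations,$Domain"    # assumption: the OU you blocked

# 1. Which links at the domain level are Enforced? An enforced link ignores
#    Block Inheritance on every container below it, which is what the
#    accepted answer describes for the Default Domain Policy.
$domainInh = Get-GPInheritance -Target $Domain
$domainInh.GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order |
    Format-Table -AutoSize

# 2. What does the OU actually receive? InheritedGpoLinks is the effective
#    list: it still contains enforced links from above even when
#    GpoInheritanceBlocked is True, so this is the check to run first.
$ouInh = Get-GPInheritance -Target $TargetOU
"Block Inheritance on $($ouInh.Name): $($ouInh.GpoInheritanceBlocked)"
$ouInh.InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Target |
    Format-Table -AutoSize

# 3. The fix from the replies: block inheritance on the OU, and clear the
#    Enforced flag on the Default Domain Policy link only if it is set.
#    The policy's contents are left untouched.
Set-GPInheritance -Target $TargetOU -IsBlocked Yes | Out-Null
$ddpLink = $domainInh.GpoLinks |
    Where-Object { $_.DisplayName -eq 'Default Domain Policy' -and $_.Enforced }
if ($ddpLink) {
    Set-GPLink -Name 'Default Domain Policy' -Target $Domain -Enforced No | Out-Null
    "Removed Enforced from the Default Domain Policy link at $Domain"
} else {
    "Default Domain Policy link at $Domain is not enforced"
}

# 4. Re-read the OU: any link still listed here is the one delivering the
#    logon scripts, whether or not it is the Default Domain Policy.
(Get-GPInheritance -Target $TargetOU).InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Target |
    Format-Table -AutoSize
```

If the Default Domain Policy is not enforced (the asker's situation) yet still appears in step 4, the remaining InheritedGpoLinks entries tell you which link and container are actually delivering the scripts; on a client, `gpupdate /force` followed by `gpresult /r` shows the same applied-GPO list.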
 

Author Comment

by:yccdadmins
ID: 33696804
Default Domain Policy was not set to Enforced.  It has never been changed so it came out of the box with that setting.  Must be something else.  In 2003 I used to have to select "No override" but I have not been able to find that in 2008.
 

Author Closing Comment

by:yccdadmins
ID: 33739729
I think this was the best answer due to the fact that it is best practice as noted by Microsoft.  I removed the scripts from the Default Domain Policy.  I then created new GPO for each OU and applied scripts to the GPO and linked them to the new OUs.