Solved

Block inheritance of Default Domain Policy

Posted on 2010-09-14
1,325 Views
Last Modified: 2012-08-13
Greetings Experts:

I have a Default Domain Policy in Active Directory (2008 R2 Server) with scripts that run at logon.  I created a new Group Policy for an OU with different logon scripts and then set the Policy for that OU to "Block Inheritance."  Problem is the scripts from the Default Domain Policy are still running in spite of the Block Inheritance selection.

Can I block inheritance from the Default Domain Policy in 2008 Server?
0
Comment
Question by:yccdadmins
10 Comments
 
LVL 14

Expert Comment

by:brendanmeyer
ID: 33677430
On the OU for the users/computers that you don't want to inherit the GP ... select "block inheritance",
then link the GP you want to that OU.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33677955
It's really bad practice to put scripts in the default policy. Scripts are run sequentially.. normal settings can be undone on lower levels.

Create a new top-level GPO for the script and don't force it. Then block inheritance, and force the default policy.

That way you get the right script without blocking the rest of the settings.
0
 
LVL 11

Accepted Solution

by: sighar earned 750 total points
ID: 33689830
The Default Domain Policy is enforced by default. This means that even though you block inheritance, it will go through. The right way is to follow p_nuts' advice: use top-level GPOs for what you're adding and leave the Default Domain Policy as it is.
0

 
LVL 11

Expert Comment

by:sighar
ID: 33689835
I forgot to add that of course you can remove the enforcement of the Default Domain Policy, but do so at your own risk.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33690961
Actually, even if you choose to stop enforcing the Default Domain Policy, I would never ever configure settings in the default domain controller policies other than the normal password policy .. and some security settings.

The Default Domain Policy is meant for the baseline or bottom-line settings, like everybody's password should expire in xx days.

And even there I would probably set it up in a separate GPO..

Now don't go and get gpo-itus.. and make GPOs for everything, as this could slow your logon procedure ...

0
 

Author Comment

by:yccdadmins
ID: 33693236
Block inheritance has never worked for much of the Default Domain Policy (DDP) - even in 2K3.  In 2K3 I knew where to override this, but I was having trouble finding it in 2K8.  Scripts were placed in the Default Domain Policy because they had to be at the time, and I'm trying to undo this.  I wanted to leave the original scripts in place while I set up GPOs for lower-level OUs.  However, the original scripts were conflicting with changes to the new lower-level scripts.  I asked the question incorrectly by asking, "can I block inheritance from the Default Domain Policy in 2008 Server?"  I should have asked...

"How" do I block inheritance from the Default Domain Policy temporarily in 2008 server while I create new OUs and GPOs so I can remove scripts from the Default Domain Policy?

Sorry for being vague.  I went ahead and came in after hours so I would not affect end users, set up all of the new OUs and GPOs, then removed the scripts etc. from the Default Domain Policy.

Sighar - you actually answered my original question by writing yes, I can remove enforcement of the DDP, so you should probably get the points, but I would still like to know "how" to do this.  The 2008 interface is quite a bit different than 2003 when it comes to Group Policy and I haven't found this yet.  All I have found while searching the Internet are articles about people trying to block password complexity to lower-level OUs, and that's not exactly what I was looking for....
0
 
LVL 11

Expert Comment

by:sighar
ID: 33695991
I'm away from any DCs now, but if I remember correctly, you go to Group Policy Management, expand the forest and domains. Select the domain on the left and then you should see a list of the GPOs and their link order on the right. There it should say whether it is enforced or not. Right-click on the Default Domain Policy and uncheck the Enforced option.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33696502
Enforced has a "!" in front of it. Right-click and uncheck Enforce to remove it. You can then right-click an OU and select Block Inheritance.
0
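The steps sighar and p_nuts describe in GPMC can be checked from the command line with the GroupPolicy module's cmdlets. The following is an added example, not code posted in the thread: it reports, for the domain root and for the OU that has Block Inheritance set, which GPO links are marked Enforced and which GPOs will actually be applied to the container. An Enforced link anywhere above the OU still shows up in the effective list even when inheritance is blocked, which is exactly the symptom the question describes. The domain and OU names are placeholders; replace them with your own.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy
# module (GPMC / RSAT on Windows Server 2008 R2 or later).
# "DC=example,DC=com" and "OU=Lab,DC=example,DC=com" are placeholder names.
Import-Module GroupPolicy

function Get-GpoLinkReport {
    param(
        [Parameter(Mandatory)] [string] $Target   # distinguished name of a domain or OU
    )
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target             = $inh.Path
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # GPOs linked directly on this container, with their Enforced flag.
        DirectLinks        = $inh.GpoLinks | ForEach-Object {
            "{0} (Enforced={1}, Enabled={2})" -f $_.DisplayName, $_.Enforced, $_.Enabled
        }
        # Every GPO that will be applied here, in processing order, including
        # links inherited from parents. If InheritanceBlocked is True and a
        # parent's GPO still appears, that link is Enforced and cannot be blocked.
        EffectiveLinks     = $inh.InheritedGpoLinks | ForEach-Object {
            "{0} <- {1} (Enforced={2})" -f $_.DisplayName, $_.Target, $_.Enforced
        }
    }
}

# Domain root: shows whether the Default Domain Policy link is Enforced.
Get-GpoLinkReport -Target "DC=example,DC=com" | Format-List

# The OU where Block Inheritance was set: shows what still applies there.
Get-GpoLinkReport -Target "OU=Lab,DC=example,DC=com" | Format-List

# The change sighar describes, kept commented out so the script is read-only
# by default. Clearing Enforced on the Default Domain Policy affects the whole
# domain, so review the report above before running it.
# Set-GPLink -Name "Default Domain Policy" -Target "DC=example,DC=com" -Enforced No
# Set-GPInheritance -Target "OU=Lab,DC=example,DC=com" -IsBlocked Yes
```

If the Default Domain Policy is not Enforced and does not appear in the OU's effective list, yet its logon scripts still run for a user, the user or computer object is usually not where you expect: user and computer settings are evaluated against the OU that holds each object, not the OU you edited. Running `gpresult /r` on the affected client lists the GPOs that were actually applied to that logon and is the quickest way to confirm.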
 

Author Comment

by:yccdadmins
ID: 33696804
Default Domain Policy was not set to Enforced.  It has never been changed so it came out of the box with that setting.  Must be something else.  In 2003 I used to have to select "No override" but I have not been able to find that in 2008.
0
 

Author Closing Comment

by:yccdadmins
ID: 33739729
I think this was the best answer due to the fact that it is best practice as noted by Microsoft.  I removed the scripts from the Default Domain Policy.  I then created a new GPO for each OU, applied scripts to the GPO, and linked them to the new OUs.
0
