  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 295

Block inheritance vs grp policy inheritance tab GPO Status column

Experts, I need a best-practice input. So you have your domain policy and Pol1 applied at domain level, and then Pol1 to OU1. Within OU1 you have a new OU, OUA. You do not want OUA to inherit Pol1; only the new Pol2 and the domain policy. Is it better to right-click OUA from GPMC and block inheritance and then link Pol2 and the domain policy to that OUA, or is it best practice to allow inheritance and go to the OUA Group Policy Inheritance tab and change the GPO status of the one you don't want applied, e.g. Pol1, to 'all settings disabled'?
Asked: dee30
2 Solutions
 
Mike Kline commented:
What is in OUA, is it users or computers? You could also place those objects in a group and use security filtering so that Pol1 is not applied to those objects.
 
dee30 (Author) commented:
Not using filtering and groups. Please, based on that specific scenario, I'm looking for best practice on the inheritance function. I stick to linking GPOs to OUs and not using filtering and group manipulating. Shouldn't matter, I don't think, but we'll say users are in the OU and nothing in the example is dealing with computers, but I'd think it wouldn't matter what was in the OU if taking the example at face value.
 
Govvy commented:
I believe selecting the Enforced option on Pol2 would be the most scalable solution.
 
dee30 (Author) commented:
Maybe if I reword this... I'm trying to understand when to use the drop-down option "block inheritance" overall vs. choosing the GPO from the "group policy inheritance" tab and disabling the ones I don't want, when you don't want a sub OU to inherit parent domain/OU applied policies. I'm using "sub ou" strictly to depict the fact that the OU is within another for whatever reason. I'm just trying to understand the best method of the inheritance function, and if either place accomplishes the same thing, and if either route has a best practice to keep in mind when setting it, is all. Thx
 
Govvy commented:
You won't be able to set anything from the 'Group Policy Inheritance' tab, as that is read-only. If you disable a GPO within a specific OU, that would take effect elsewhere too, since the object is just a link to the Group Policy Objects container.
 
Mike Kline commented:
Just want to put a screenshot to what Govvy stated; notice in my screenshot how the scroll bars are sort of grayed out, that tab is an informational tab only.

If you set the pol2 to enforced the other GPOs would still apply.

Thanks

Mike


[Attachment: GPInheritanceTab.jpg]
 
dee30 (Author) commented:
Okay, so if I double-click and change one GPO to disabled, it's a global change and not specific to the GPO linked to the OU you're in. That is what I'm getting. I'm still unclear how 'enforce' helps me here. If I am trying to not inherit Pol1 but to inherit the default domain policy as well as the new Pol2 linked to and for the sub OU (domain - OU - sub OU level OU folder), how best do I do that? Block inheritance works by putting a blue ! mark on the OU folder and then only enforcing the newly linked Pol2. I would have to individually link the default domain policy to that OU separately to get that to apply too, unless I get a better understanding of another best practice method.

domain - default domain pol
   ou  - pol1
         Sub ou - pol2

I want the Sub OU to inherit just the default domain policy and Pol2 ??

Thx
 
Mike Kline commented:
Have you thought about breaking the sub OU into its own OU so it just doesn't inherit Pol1?

The block inheritance method you went through also works but I'd make it its own OU.

Thanks

Mike
 
dee30 (Author) commented:
Unfortunately that would not help, since this new environment I've recently been introduced to has 10-plus policies linked to the domain overall, so an OU under that domain, regardless of whether it's right off the root of the domain or a sub-domain (root and sub being used as location descriptors only), would inherit the domain-linked GPOs. I did not design this structure, just trying to accomplish something now and not redesign the entire thing at this time. So it seems "block inheritance" of all, and then selectively linking the new policy and two of the existing domain policies to the new OU, is what I can do to tackle this, working within the scope of the existing structure?
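The approach the author settles on above (block inheritance on the sub OU, then re-link only the GPOs it should get) scripted with the GroupPolicy module, as an added example that is not part of the thread. The OU distinguished name, the domain and the GPO names "Pol2" and "Default Domain Policy" are assumed placeholders; it also shows the caveat the thread touches on, that a parent link marked Enforced still applies through a block.

```powershell
# Added example, not from the thread. Assumes the RSAT GroupPolicy module,
# a placeholder domain corp.example and GPOs named "Default Domain Policy" and "Pol2".
Import-Module GroupPolicy

$subOu = "OU=SubOU,OU=OU1,DC=corp,DC=example"   # placeholder DN of the sub OU
$keep  = @("Default Domain Policy", "Pol2")      # the only GPOs SubOU should receive

# 1. Before: what SubOU currently inherits from the domain and OU1 (Pol1 included).
$before = Get-GPInheritance -Target $subOu
"Inheritance blocked before: $($before.GpoInheritanceBlocked)"
$before.InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 2. Block inheritance on SubOU (the blue '!' in GPMC). This only changes the OU's
#    own inheritance flag; the GPOs themselves are untouched, unlike disabling a
#    GPO's status, which would affect every OU the GPO is linked to.
Set-GPInheritance -Target $subOu -IsBlocked Yes | Out-Null

# 3. Re-link, at the sub OU itself, only the GPOs it is supposed to get.
foreach ($name in $keep) {
    $linked = (Get-GPInheritance -Target $subOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) {
        New-GPLink -Name $name -Target $subOu -LinkEnabled Yes | Out-Null
    }
}

# 4. After: the effective link set. Pol1 should be gone unless a parent link is Enforced,
#    because enforced links are applied regardless of a block.
$after = Get-GPInheritance -Target $subOu
$after.InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Target |
    Format-Table -AutoSize

$leak = $after.InheritedGpoLinks | Where-Object { $keep -notcontains $_.DisplayName }
if ($leak) {
    Write-Warning ("Still applied via enforced parent links: " + ($leak.DisplayName -join ", "))
}
```

Run `gpresult /r` (or `gpupdate /force` first) on a machine or account in the sub OU to confirm which GPOs actually land after the change.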
 
dee30 (Author) commented:
Closing. Thank you for the input.
