Solved

Block inheritance vs grp policy inheritance tab GPO Status column

Posted on 2011-09-20
Last Modified: 2012-05-12
Experts need a best practice input. So you have your domain policy and pol1 applied at domain level and then the pol1 to OU1. Within OU1 you have a new OUA. You do not want OUA to inherit Pol1; only the new pol2 and domain policy. Is it better to right click the ouA from GMAC and block inheritance and then link Pol2 and Domain pol to that OUA, or is it best practice to allow inheritance and go to the OUA Group Pol Inheritance tab and change the GPO status of the one you don't want applied, e.g. Pol1, to 'all settings disabled'?
Question by:dee30
10 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36568433
What is in OUA is it users or computers?   You could also place those objects in a group and use security filtering so that pol1 is not applied to those objects.
0
 

Author Comment

by:dee30
ID: 36568494
Not using filtering and groups. Please, based on that specific scenario I'm looking for best practice on inheritance function. I stick to linking GPO to OU and not using filtering and group manipulating. Shouldn't matter, don't think, but we'll say users are in the OU and nothing in example is dealing with computers, but I'd think wouldn't matter what was in the OU if taking the example at face value.
0
 
LVL 13

Expert Comment

by:Govvy
ID: 36568792
I believe selecting the Enforced option on Pol2 would be the most scalable solution.
0

 

Author Comment

by:dee30
ID: 36569204
Maybe if I reword this... I'm trying to understand when to use the drop down option "block inheritance" overall vs choosing the GPO from the "group pol inheritance" tab and disabling ones I don't want, when you don't want a subdirectory OU to inherit parent Domain/OU applied policies. I'm using "sub ou" to strictly depict the fact the OU is within another for whatever reason. I'm just trying to understand the best method of inheritance function and if either place accomplishes the same thing and if either route has a best practice to keep in mind when setting, is all. Thx
0
 
LVL 13

Accepted Solution

by:
Govvy earned 250 total points
ID: 36569332
You won't be able to set anything from the 'Group Policy Inheritance' tab as that is read-only. If you disable a GPO within a specific OU that would take effect elsewhere too, since the object is just a link to the Group Policy Objects container.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 36569380
Just want to put a screenshot to what Govvy stated. Notice in my screenshot how the scroll are sort of grayed out; that tab is an informational tab only.

If you set the pol2 to enforced the other GPOs would still apply.

Thanks

Mike


GPInheritanceTab.jpg
0
 

Author Comment

by:dee30
ID: 36569435
Okay, so if I double-click and change one GPO to disabled it's a global change and not specific to the linked GPO to the OU you're in. That is what I'm getting. I'm still unclear how 'enforce' helps me here. If I am trying to not inherit pol1 but to inherit default domain pol as well as the new pol2 linked to and for the sub domain - ou - sub ou level OU folder, how best do I do that? Block inheritance works by putting a blue ! mark on the OU folder and then only enforcing the newly linked Pol2. I would have to individually link the default domain pol to that OU separately to get that to apply too, unless I get a better understanding of another best practice method.

domain - default domain pol
   ou  - pol1
         Sub ou - pol2  

I want   Sub OU to inherit just the default domain pol and  Pol2   ??

thx
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36569495
Have you thought about breaking subOU into its own OU so it just doesn't inherit pol1?

The block inheritance method you went through also works but I'd make it its own OU.

Thanks

Mike
0
 

Author Comment

by:dee30
ID: 36569758
Unfortunately that would not help, since this new env I've recently been introduced to has 10 plus policies linked to the Domain overall, so the OU under that domain, regardless if right off the root of the domain or a sub-domain (root and sub being used as location descriptors only), would inherit the domain linked GPOs. I did not design this structure, just trying to accomplish something now and not redesign the entire thing at this time. So it seems the "block inheritance" of all and then selectively link the new pol and two of the existing domain pols to the new OU is what I can do to tackle this... working within the scope of the existing structure?
0
 

Author Closing Comment

by:dee30
ID: 36576594
Closing. Thank you for input.
0
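
The approach the thread settles on (block inheritance on the sub-OU, then link the wanted GPOs directly), as an added example that is not part of the original thread. It assumes the GroupPolicy module (RSAT/GPMC) is installed; the distinguished name is a placeholder, and the policy names are the ones used in the question.

```powershell
# Added example, not from the thread. $subOu is a placeholder DN (assumption).
Import-Module GroupPolicy

$subOu   = 'OU=OUA,OU=OU1,DC=example,DC=com'
$wanted  = 'Pol2', 'Default Domain Policy'   # GPOs the sub-OU should still get
$blocked = 'Pol1'                            # GPO the sub-OU should not get

# Record the effective link list before changing anything (useful for rollback).
Get-GPInheritance -Target $subOu |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Select-Object DisplayName, Order, Enabled, Enforced

# GPO status is a property of the GPO itself, so changing it affects every
# container the GPO is linked to. Read it here; do not use it for a per-OU opt-out.
(Get-GPO -Name $blocked).GpoStatus

# 1. Block inheritance on the sub-OU only (the blue "!" shown in GPMC).
Set-GPInheritance -Target $subOu -IsBlocked Yes | Out-Null

# 2. Link the wanted GPOs directly to the sub-OU, skipping links that exist.
$existing = (Get-GPInheritance -Target $subOu).GpoLinks.DisplayName
foreach ($name in $wanted) {
    if ($existing -notcontains $name) {
        New-GPLink -Name $name -Target $subOu -LinkEnabled Yes | Out-Null
    }
}
# Link order 1 has the highest precedence among links on this OU.
Set-GPLink -Name 'Pol2' -Target $subOu -Order 1 | Out-Null

# 3. Verify. Blocking does not stop links marked Enforced on a parent,
#    so check whether the unwanted GPO still appears in the effective list.
$after = Get-GPInheritance -Target $subOu
$leak  = $after.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $blocked }
if ($leak) {
    Write-Warning "$blocked still applies to $subOu (Enforced: $($leak.Enforced))"
}
$after.InheritedGpoLinks | Select-Object DisplayName, Order, Enabled, Enforced
```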
