Block inheritance vs grp policy inheritance tab GPO Status column

Posted on 2011-09-20
285 Views
Last Modified: 2012-05-12
Experts, I need a best-practice input. So you have your domain policy and Pol1 applied at the domain level, and then Pol1 to OU1. Within OU1 you have a new OUA. You do not want OUA to inherit Pol1; only the new Pol2 and the domain policy. Is it better to right-click OUA from GPMC and block inheritance and then link Pol2 and the domain policy to that OUA, or is it best practice to allow inheritance and go to OUA's Group Policy Inheritance tab and change the GPO status of the one you don't want applied, e.g. Pol1, to 'All settings disabled'?
Question by:dee30
10 Comments
 
LVL 57

Expert Comment

by: Mike Kline

What is in OUA, is it users or computers? You could also place those objects in a group and use security filtering so that Pol1 is not applied to those objects.
 

Author Comment

by: dee30

Not using filtering and groups. Please, based on that specific scenario, I'm looking for best practice on the inheritance function. I stick to linking GPOs to the OU and not using filtering and group manipulation. Shouldn't matter, I don't think, but we'll say users are in the OU and nothing in the example is dealing with computers; but I'd think it wouldn't matter what was in the OU if taking the example at face value.
 
LVL 13

Expert Comment

by: Govvy

I believe selecting the Enforced option on Pol2 would be the most scalable solution.
 

Author Comment

by: dee30

Maybe if I reword this... I'm trying to understand when to use the drop-down option "Block Inheritance" overall vs. choosing the GPO from the "Group Policy Inheritance" tab and disabling the ones I don't want, when you don't want a sub-OU to inherit parent domain/OU applied policies. I'm using "sub OU" strictly to depict the fact that the OU is within another for whatever reason. I'm just trying to understand the best method of the inheritance function, whether either place accomplishes the same thing, and whether either route has a best practice to keep in mind when setting it, is all. Thx
 
LVL 13

Accepted Solution

by: Govvy (earned 250 total points)

You won't be able to set anything from the 'Group Policy Inheritance' tab, as that is read-only. If you disable a GPO within a specific OU, that would take effect elsewhere too, since the object is just a link to the Group Policy Objects container.
 
LVL 57

Assisted Solution

by: Mike Kline (earned 250 total points)

Just want to put a screenshot to what Govvy stated; notice in my screenshot how the scroll is sort of grayed out, that tab is an informational tab only.

If you set Pol2 to Enforced, the other GPOs would still apply.

Thanks

Mike


Attachment: GPInheritanceTab.jpg
 

Author Comment

by: dee30

Okay, so if I double-click and change one GPO to disabled, it's a global change and not specific to the GPO linked to the OU you're in. That is what I'm getting. I'm still unclear how 'Enforce' helps me here. If I am trying not to inherit Pol1 but to inherit the Default Domain Policy as well as the new Pol2 linked to and for the sub-OU (domain - OU - sub-OU level OU folder), how best do I do that? Block Inheritance works by putting a blue ! mark on the OU folder and then only enforcing the newly linked Pol2. I would have to individually link the Default Domain Policy to that OU separately to get that to apply too, unless I get a better understanding of another best-practice method.

domain - Default Domain Policy
   OU - Pol1
         Sub OU - Pol2

I want the Sub OU to inherit just the Default Domain Policy and Pol2 ??

thx
 
LVL 57

Expert Comment

by: Mike Kline

Have you thought about breaking the sub-OU out into its own OU so it just doesn't inherit Pol1?

The block inheritance method you went through also works but I'd make it its own OU.

Thanks

Mike
 

Author Comment

by: dee30

Unfortunately that would not help, since this new environment I've recently been introduced to has 10-plus policies linked to the domain overall, so an OU under that domain, regardless of whether it is right off the root of the domain or a sub-domain (root and sub being used as location descriptors only), would inherit the domain-linked GPOs. I did not design this structure; I'm just trying to accomplish something now and not redesign the entire thing at this time. So it seems that "Block Inheritance" of all and then selectively linking the new policy and two of the existing domain policies to the new OU is what I can do to tackle this, working within the scope of the existing structure?
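The same sequence scripted, as an added example that is not part of the thread or any poster's answer. It shows the two points Govvy and Mike make (GPO status is a property of the GPO, so disabling it hits every link; the Inheritance tab only reports) next to the approach the asker settled on (block inheritance on the sub-OU, then link only the policies it should get), using the GroupPolicy RSAT module. The domain corp.example, the OU path OU=OUA,OU=OU1,DC=corp,DC=example and the GPO names Pol1, Pol2 and Default Domain Policy are hypothetical placeholders for the thread's scenario; run it from an account that can edit GPOs and links.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy RSAT module,
# a domain corp.example, the OU OU=OUA,OU=OU1,DC=corp,DC=example and GPOs
# named 'Pol1', 'Pol2' and 'Default Domain Policy' (all hypothetical names).
Import-Module GroupPolicy

$ouA = 'OU=OUA,OU=OU1,DC=corp,DC=example'

# 1. What the accepted answer warns about: GpoStatus lives on the GPO, not
#    on the link, so changing it affects every OU Pol1 is linked to.
$pol1 = Get-GPO -Name 'Pol1'
"Pol1 GpoStatus (applies to all links, not just OUA): $($pol1.GpoStatus)"
# Only do this if Pol1 should stop applying everywhere:
# $pol1.GpoStatus = 'AllSettingsDisabled'

# 2. The asker's plan: block inheritance on OUA, then link only the policies
#    OUA should receive. The Inheritance tab in GPMC is read-only, but the
#    same information is available from Get-GPInheritance.
Set-GPInheritance -Target $ouA -IsBlocked Yes | Out-Null

foreach ($name in 'Default Domain Policy', 'Pol2') {
    # New-GPLink fails if the link already exists, so check first.
    $linked = (Get-GPInheritance -Target $ouA).GpoLinks |
        Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) {
        New-GPLink -Name $name -Target $ouA -LinkEnabled Yes | Out-Null
    }
}

# 3. Verify. Block Inheritance stops ordinary links from the domain and OU1,
#    but a link marked Enforced above OUA still applies and will show up in
#    InheritedGpoLinks. If Pol1 is enforced at OU1 the block does nothing
#    for it, so check that column before trusting the result.
$inh = Get-GPInheritance -Target $ouA
"Inheritance blocked on OUA: $($inh.GpoInheritanceBlocked)"
"Links set directly on OUA:"
$inh.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order |
    Format-Table -AutoSize
"Effective list (direct links plus anything enforced from above):"
$inh.InheritedGpoLinks | Select-Object DisplayName, Target, Enforced |
    Format-Table -AutoSize

# 4. Per-link alternative the GUI tab does not expose: disable Pol1's link
#    on OU1 only. This touches nothing else, but it also removes Pol1 from
#    OU1 itself, so it only fits if OU1 should lose Pol1 too.
# Set-GPLink -Name 'Pol1' -Target 'OU=OU1,DC=corp,DC=example' -LinkEnabled No
```

After the change, confirm on a client in OUA with `gpupdate /force` and `gpresult /r /scope:user`, which lists applied and filtered GPOs; Pol1 should appear under the filtered or not-applied section and Pol2 plus the Default Domain Policy under applied. The enforced-link check in step 3 is the one worth keeping: because Enforced wins over Block Inheritance, any of the ten-plus domain-level policies that someone later marks Enforced will reach OUA regardless of the block.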
 

Author Closing Comment

by: dee30

Closing. Thank you for the input.
