dee30
Block inheritance vs Group Policy inheritance tab GPO Status column

Experts, I need best practice input. So you have your domain policy and pol1 applied at domain level and then the pol1 to OU1. Within OU1 you have a new OUA. You do not want OUA to inherit Pol1; only the new pol2 and domain policy. Is it better to right click the OUA from GPMC and block inheritance and then link Pol2 and Domain pol to that OUA, or is it best practice to allow inheritance and go to the OUA Group Pol Inheritance tab and change the GPO status of the one you don't want applied, e.g. Pol1, to 'all settings disabled'?
Mike Kline

What is in OUA, is it users or computers? You could also place those objects in a group and use security filtering so that pol1 is not applied to those objects.
dee30 (ASKER)

Not using filtering and groups. Please, based on that specific scenario, I'm looking for best practice on the inheritance function. I stick to linking GPOs to OUs and not using filtering and group manipulating. Shouldn't matter, I don't think, but we'll say users are in the OU and nothing in the example is dealing with computers, but I'd think it wouldn't matter what was in the OU if taking the example at face value.
I believe selecting the Enforced option on Pol2 would be the most scalable solution.
dee30 (ASKER)

Maybe if I reword this... I'm trying to understand when to use the drop down option "block inheritance" overall vs choosing the GPO from the "group pol inheritance" tab and disabling the ones I don't want, when you don't want a sub OU to inherit parent domain/OU applied policies. I'm using "sub OU" strictly to depict the fact the OU is within another for whatever reason. I'm just trying to understand the best method of the inheritance function, and if either place accomplishes the same thing, and if either route has a best practice to keep in mind when setting it, is all. thx
ASKER CERTIFIED SOLUTION
Govvy
SOLUTION
dee30 (ASKER)

Okay, so if I double-click and change one GPO to disabled it is a global change and not specific to the GPO linked to the OU you're in. That is what I'm getting. I'm still unclear how 'enforce' helps me here. If I am trying to not inherit pol1 but to inherit the default domain pol as well as the new pol2 linked to and for the sub domain - ou - sub ou level OU folder, how best do I do that? Block inheritance works by putting a blue ! mark on the OU folder and then only enforcing the newly linked Pol2. I would have to individually link the default domain pol to that OU separately to get that to apply too, unless I get a better understanding of another best practice method.

domain - default domain pol
   ou  - pol1
         Sub ou - pol2

I want Sub OU to inherit just the default domain pol and Pol2 ??

thx
Have you thought about breaking subOU into its own OU so it just doesn't inherit pol1?

The block inheritance method you went through also works but I'd make it its own OU.

Thanks

Mike
dee30 (ASKER)

Unfortunately that would not help, since this new env I've recently been introduced to has 10 plus policies linked to the Domain overall, so the OU under that domain, regardless if right off the root of the domain or a sub-domain (root and sub being used as location descriptors only), would inherit the domain linked GPOs. I did not design this structure, just trying to accomplish something now and not redesign the entire thing at this time. So it seems the "block inheritance" of all and then selectively link the new pol and two of the existing domain pols to the new OU is what I can do to tackle this... working within the scope of the existing structure?
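The approach settled on above (block inheritance on the sub OU, then link only the GPOs that should apply, and verify what actually reaches it) written out with the GroupPolicy PowerShell cmdlets. This is an added example, not code from the thread or from Experts Exchange; the OU distinguished name and the GPO names are assumed placeholders matching the scenario.

```powershell
# Added example (not from the thread). Assumed placeholders: the sub OU's DN
# and the three GPO names from the scenario (Default Domain Policy, Pol1, Pol2).
Import-Module GroupPolicy

$subOu = 'OU=SubOU,OU=OU1,DC=example,DC=com'   # assumed DN of the sub OU
$keep  = @('Default Domain Policy', 'Pol2')    # GPOs the sub OU should get
$drop  = 'Pol1'                                # GPO linked at OU1 that must not apply

# 1. Block inheritance on the sub OU: no link from the domain or OU1 flows
#    down to it any more (except links that are Enforced above it).
Set-GPInheritance -Target $subOu -IsBlocked Yes | Out-Null

# 2. Link only the wanted GPOs directly to the sub OU. Default Domain Policy
#    has to be re-linked here because the block stopped it along with Pol1.
foreach ($name in $keep) {
    $existing = (Get-GPInheritance -Target $subOu).GpoLinks |
                Where-Object DisplayName -eq $name
    if (-not $existing) {
        New-GPLink -Name $name -Target $subOu -LinkEnabled Yes | Out-Null
    }
}

# 3. Verify. InheritedGpoLinks is the effective list in precedence order,
#    including anything Enforced further up that passed through the block,
#    so this is where a leaked Pol1 would show up.
function Test-SubOuInheritance {
    $som       = Get-GPInheritance -Target $subOu
    $effective = @($som.InheritedGpoLinks | ForEach-Object DisplayName)
    [pscustomobject]@{
        Blocked   = $som.GpoInheritanceBlocked
        Effective = $effective
        Pol1Leaks = ($effective -contains $drop)
    }
}
Test-SubOuInheritance
```

On the point raised earlier in the thread: `Set-GPLink -Name Pol1 -Target <OU DN> -LinkEnabled No` turns off one link only, whereas changing the GPO's own status (`(Get-GPO -Name Pol1).GpoStatus = 'AllSettingsDisabled'`) switches the GPO off everywhere it is linked.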
dee30 (ASKER)

Closing. Thank you for the input.