asked on

blocked som

I have an enforced group policy applied to a site.
Servers in an OU in that are in that site have blocked inheritance on.

When running GPRW for the server, it's not showing as an allowed GPO for computer configuration. It's showing in the denied section, reason "Blocked SOM"

What's going on?

Nick Rhode

You wouldn't by chance have block policy inheritance checked would you?

antonioking

ASKER

Yes, but the policy is enforced.
Does policy enforcement not apply to sites?

Nick Rhode

Depends on how its configured. It is probably being blocked on the domain level hence why you see denied. Try and get the results of the GP to narrow down the issue.

Couple methods are here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/c8d89dfa-1138-4ebc-84af-bad1041dd984/default-domian-policy-is-not-getting-applied-getting-error-blocked-som

To get the results of the GP and possibly why or where the problem is.

ASKER CERTIFIED SOLUTION

dlbenson1979

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

antonioking

ASKER

The server is in an OU with blocked inheritance switched on.

The GPO is enforced and is applied to the same site the server is in.

The denied reason is 'Blocked SOM'

antonioking

ASKER

The only OU in my infrastructure with blocked inheritance is the one the server is in

dlbenson1979

What happens to you put a gpo link of the enforced policy into the OU container with blocked inheritance. My guess is that it would work from there.

antonioking

ASKER

Yep, it works.

But I would like to get to the bottom of why it's not applying from the site.

antonioking

ASKER

Ok, I don't know how. Bit after adding the gpo to the OU and removing it, it now shows up as an applied policy in GPRW!

Bizarre!

dlbenson1979

Active directory at it's finest ;)