Stopping domain policy inheritance in GPO

Is there a way to stop inheritance from the Default Domain Policy? I tried to stop inheritance in a GPO that is linked to an OU under the domain, but it seems like it's still getting those policies. Is there any way to stop it?

Thomas N, Systems Analyst - Windows System Administrator, asked:


Will Szymkowski, Senior Solution Architect, commented:
Yes, you can. In the Group Policy Management Console you need to specifically BLOCK INHERITANCE on the GPO you want to stop the Default Domain Policy from reaching.

You simply right-click the OU and select Block Inheritance.

Thomas N, Systems Analyst - Windows System Administrator, author commented:
Will, is that the only way? We are still getting settings from the Default Domain Policy when we do that.

Will Szymkowski, Senior Solution Architect, commented:
You can also do a Deny of the Default Domain Policy for a specific account or group (theoretically); however, I would not recommend doing this. Blocked Inheritance on the OU will block EVERYTHING Group Policy related. You have to understand that if you only have COMPUTERS in this OU, only the COMPUTER POLICIES will be removed from ANY parent GPOs that are being applied from parent OUs.

That means, if your user accounts are located elsewhere (a different OU) that does not have Block Inheritance enabled on that OU as well, then you will still have USER POLICIES being applied when you log in to these computers.

Also make sure that you run gpupdate /force after you have applied the policy, to force the changes so you see them right away.

Hopefully this makes sense.


I would remove the Default Domain Policy entirely and create separate GPOs for what you're trying to accomplish. If any GPO is set to "Enforced", it will override blocking inheritance on any OU. If you don't wish to remove the Default Domain Policy, and the GPO isn't enforced and you're blocking inheritance and still the GPO is getting applied, I would try checking your domain integrity:

#Run DCDiag DNS test - separately, in verbose mode:
dcdiag /test:DNS /v /e /f:dcdiag-DNS.log

#(Optional) Run DNSLINT utility with /ad for AD replication tests:
#Available at
#Note: Replace the IP with actual DC IP address

dnslint /ad /s /v

#Run DCDIAG without the DNS test (we add the debug switch /d for more details):
dcdiag /v /d /skip:DNS /f:dcdiag.txt

nslookup gc._msdcs

repadmin /syncall /AeP

repadmin /replsum /bysrc /bydest /sort:delta

If you get errors you can find more details in:

repadmin /showrepl * > showrepl.log

or in csv formatted option:

repadmin /showrepl * /csv > showrepl.csv
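To check the two things raised in this thread (whether the OU actually blocks inheritance, and whether an Enforced link from the domain or a parent OU is bypassing that block, plus whether user settings are still arriving from the user accounts' own OU), the following added PowerShell example queries the OU with the GroupPolicy module. It is not code from the thread; the OU distinguished names are placeholders you must replace with your own.

```powershell
# Added example: audit why a parent GPO still reaches an OU that has
# "Block Inheritance" set. Needs the GroupPolicy module (RSAT or a DC).
# The OU names passed in at the bottom are placeholders, not real values.
Import-Module GroupPolicy

function Test-GpoInheritance {
    param(
        # OU holding the computer accounts, e.g. "OU=Workstations,DC=corp,DC=example"
        [Parameter(Mandatory)] [string] $ComputerOU,
        # OU holding the user accounts (optional); user-side settings come from here
        [string] $UserOU
    )

    $inh = Get-GPInheritance -Target $ComputerOU
    "Block Inheritance on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked

    # Enforced links on the domain or a parent OU ignore Block Inheritance,
    # so any of these will keep applying no matter what the OU does.
    $enforced = $inh.InheritedGpoLinks | Where-Object { $_.Enforced -and $_.Enabled }
    if ($enforced) {
        "Enforced GPOs that still apply despite the block:"
        $enforced | ForEach-Object { "  {0} (linked at {1})" -f $_.DisplayName, $_.Target }
    }

    # Blocking on a computer OU only removes COMPUTER settings. User settings are
    # decided by the OU the user accounts live in, so that OU is checked separately.
    if ($UserOU) {
        $uinh = Get-GPInheritance -Target $UserOU
        if (-not $uinh.GpoInheritanceBlocked) {
            "User OU {0} does NOT block inheritance; user-side settings still come from:" -f $UserOU
            $uinh.InheritedGpoLinks | Where-Object Enabled | ForEach-Object { "  " + $_.DisplayName }
        }
    }
}

# Placeholder OUs; replace with the real distinguished names from your domain.
Test-GpoInheritance -ComputerOU "OU=Workstations,DC=corp,DC=example" `
                    -UserOU "OU=Staff,DC=corp,DC=example"
```

After correcting any Enforced link or user-OU issue the script reveals, run gpupdate /force on an affected machine and compare with gpresult /r to confirm the Default Domain Policy no longer appears in the applied list.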
Windows Server 2008
