asked on

Stopping domain policy inheritance in GPO

Is there a way to stop inheritance from the default domain policy? I tried to stop inheritance in GPO that is linked to an OU under the domain but it seems like its still getting those policies. Is there any way to stop it?

Will Szymkowski

Yes you can in group policy management console you need to specifically BLOCK INHERITANCE on the GPO you want to stop the default domain policy.

You simply right click and select blocked inheritance, on the OU.

Will.

Thomas N

ASKER

Will, Is that the only way?We are still getting settings from the default domain policy when we do that.

ASKER CERTIFIED SOLUTION

Will Szymkowski

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

LionsGateTech

I would remove the Default Domain Policy entirely and create separate GPO's for what you're trying to accomplish. If any GPO is set to "Enforced", it will override blocking inheritance on any OU. If you don't wish to remove the Default Domain Policy, and the GPO isn't enforced and you're blocking inheritance & still the GPO is getting applied, I would try checking your domain integrity

#Run DCDiag DNS test - separately, in verbose mode:
dcdiag /test:DNS /v /e /f:dcdiag-DNS.log

#(Optional) Run DNSLINT utility with /ad for AD replication tests:
#Available at http://support.microsoft.com/kb/321045
#Note: Replace the IP with actual DC IP address

dnslint /ad /s 192.168.1.10 /v

#Run DCDIAG without DNS test(we add the debug switch /d for more details):
dcdiag /v /d /skip:DNS /f:dcdiag.txt

nslookup gc._msdcs

repadmin /syncall /AeP

repadmin /replsum /bysrc /bydest /sort:delta

If you get errors you can find more details in:

repadmin /showrepl * > showrepl.log

or in csv formatted option:

repadmin /showrepl * /csv > showrepl.csv