Blocking the Default Domain Policy from being applied to the Server OU

Hi
Anyway, I am trying to block the Default Domain Policy from the Server OU so that the Configure Automatic Updates GPO, which is part of the Default Domain Policy, is disabled. I am not sure which will be the best way to do this out of these 2 options:
1. Block the Default Domain Policy from the Server OU and create a new Server Default Domain Policy with Configure Automatic Updates disabled, and re-apply all the other domain-level GPOs directly to the Server OU.
2. Create a server security group, put all the servers in the group and then block the Default Domain Policy.

I would greatly appreciate your assistance with this matter.
Asked by: Phil Mapfumo, Infrastructure Engineer

Dariusz Tyka, ICT Infrastructure Specialist Senior, commented:
Default Domain Policy should not be used for any other settings besides password policy. I would suggest removing any other settings from DDP and moving those to another GPO(s). Then you can apply those GPOs in a more granular way.
In addition, if you create an additional GPO with different settings for Windows Updates and link it to the Server OU, those settings will override the settings from DDP.

Managing inheritance of Group Policy
To apply the settings of a Group Policy object (GPO) to the users and computers of a domain, site, or organizational unit, you can link that domain, site, or organizational unit to that GPO. You can add one or more GPO links to each domain, site, and organizational unit in Group Policy Management Console. The settings deployed by GPOs linked to higher containers (parent container) in Active Directory are inherited by default to child containers and combine with any settings deployed in GPOs linked to child containers. If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence sets the setting. GPO processing is based on a last writer wins model, and GPOs that are processed later have precedence over GPOs that are processed sooner. Group Policy objects are processed according to the following order:

1. The local Group Policy object (LGPO) is applied.
2. GPOs linked to sites.
3. GPOs linked to domains.
4. GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units.
Mahesh, Architect, commented:
Inherited policies cannot be blocked by creating a security group and security filtering.

You need to "Block Inheritance" on the servers OU, which will block all inherited policies including domain level and upper OU level (except ones which are enforced).
This will block all other settings in the Default Domain Policy except password and account lockout settings.

Then create your different policies or, if you already have other policies which need to be applied to the servers OU, latch them on the server OU directly.
Joe Fulginiti, Network Engineer, commented:
1) Remove the auto update entries from your default domain policy.
2) Create another Policy and create the auto update policies there
3) Apply a WMI filter to the new policy as follows:
select * from Win32_OperatingSystem where (ProductType = 1)

ProductType = 1 is workstation OSs and will not apply to servers.
footech commented:
I would back Dariusz's suggestion of just creating a new GPO linked to the Servers OU, as long as the Default Domain Policy is not enforced (which it should not be). Configure the GPO with the settings you want for the servers and make sure it has a higher precedence than the Default Domain Policy.

You want to refrain from blocking inheritance and setting enforced policies as much as possible.

Phil Mapfumo, Infrastructure Engineer (author), commented:
Thanks guys for all your input, but @Dariusz and Footech, I will try out your suggestions on a test server first before applying.

Phil Mapfumo, Infrastructure Engineer (author), commented:
@Dariusz, would the new GPO I have created work even if there are sub OUs under the main server OU? Please find attached the screenshot of the server OU I mean.
Dariusz Tyka, ICT Infrastructure Specialist Senior, commented:
Yes, it will work for sub OUs as well, unless you block inheritance on a lower level.

Phil Mapfumo, Infrastructure Engineer (author), commented:
Dariusz, I applied the GPO directly on the server OU and it took precedence over the Default Domain Policy. Many thanks for your help.
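
The approach that resolved this thread (a separate GPO linked to the Server OU, with no Block Inheritance and no Enforced link), shown as an added example that is not code from any participant. It uses the GroupPolicy PowerShell module; the OU path, domain name and GPO name are assumptions to be replaced with your own.

```powershell
# Added example. $ServerOU and $GpoName are assumed values, not from the thread.
Import-Module GroupPolicy

$ServerOU = 'OU=Servers,DC=example,DC=com'     # assumed distinguished name
$GpoName  = 'Servers - Windows Update'         # assumed GPO name
$AuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

# 1. Create the GPO if it does not exist. NoAutoUpdate = 1 is the registry
#    value written when "Configure Automatic Updates" is set to Disabled.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Automatic Updates disabled for servers' | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'NoAutoUpdate' `
    -Type DWord -Value 1 | Out-Null

# 2. Link it to the Server OU at link order 1, unless it is already linked there.
$inh = Get-GPInheritance -Target $ServerOU
if ($inh.GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes -Order 1 | Out-Null
}

# 3. Verify the effective precedence on the OU. InheritedGpoLinks lists every
#    GPO that applies (direct and inherited); Order 1 is the highest precedence.
$inh   = Get-GPInheritance -Target $ServerOU
$links = @($inh.InheritedGpoLinks)
$mine  = $links | Where-Object DisplayName -eq $GpoName
$ddp   = $links | Where-Object DisplayName -eq 'Default Domain Policy'

$problems = @()
if ($inh.GpoInheritanceBlocked) { $problems += 'Block Inheritance is set on the OU' }
if (-not $mine)                 { $problems += 'New GPO is not in the effective list' }
if ($ddp -and $ddp.Enforced)    { $problems += 'Default Domain Policy link is Enforced and will win' }
if ($mine -and $ddp -and $mine.Order -ge $ddp.Order) {
    $problems += 'New GPO does not outrank the Default Domain Policy'
}

[pscustomobject]@{
    Target          = $ServerOU
    EffectiveOrder  = ($links | Sort-Object Order | ForEach-Object { "$($_.Order): $($_.DisplayName)" })
    Problems        = $problems
}
```

Running `gpresult /r /scope computer` on a test server after `gpupdate /force` confirms which GPOs were actually applied.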
Windows Server 2012