
Blocking the Default Domain Policy from being applied to the Server OU

Anyway, I am trying to block the Default Domain Policy from the Server OU so that the Configure Automatic Updates setting, which is part of the Default Domain Policy, is disabled. I am not sure which of these 2 options will be the best way to do this:
1. Block the Default Domain Policy from the Server OU, create a new Server Default Domain Policy with Configure Automatic Updates disabled, and re-apply all the other domain-level GPOs directly to the Server OU
2. Create a server security group, put all the servers in the group, and then block the Default Domain Policy

I would greatly appreciate your assistance with this matter
Phil Mapfumo
2 Solutions
Dariusz Tyka (ICT Infrastructure Specialist Senior) commented:
The Default Domain Policy should not be used for any settings besides password policy. I would suggest removing any other settings from the DDP and moving them to another GPO (or GPOs). Then you can apply those GPOs in a more granular way.
In addition, if you create an additional GPO with different settings for Windows Update and link it to the Server OU, those settings will override the settings from the DDP.

Managing inheritance of Group Policy
To apply the settings of a Group Policy object (GPO) to the users and computers of a domain, site, or organizational unit, you can link that domain, site, or organizational unit to that GPO. You can add one or more GPO links to each domain, site, and organizational unit in Group Policy Management Console. The settings deployed by GPOs linked to higher containers (parent containers) in Active Directory are inherited by default by child containers and combine with any settings deployed in GPOs linked to child containers. If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence sets the setting. GPO processing is based on a last-writer-wins model, and GPOs that are processed later have precedence over GPOs that are processed sooner. Group Policy objects are processed in the following order:

1. The local Group Policy object (LGPO) is applied.
2. GPOs linked to sites.
3. GPOs linked to domains.
4. GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units.
Inherited policies cannot be blocked by creating a security group and using security filtering.

You need to "Block Inheritance" on the Servers OU, which will block all inherited policies, including domain-level and upper-OU-level ones (except those which are enforced).
This will block all other settings in the Default Domain Policy except password and account lockout settings.

Then create your different policies, or, if you already have other policies which need to be applied to the Servers OU, link them to the Servers OU directly.
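The approach recommended above, as an added PowerShell example that is not part of the original thread: create a server-specific GPO that sets Configure Automatic Updates to Disabled, link it to the Servers OU so it is processed after (and therefore overrides) the domain-linked Default Domain Policy, and check that the Default Domain Policy is not Enforced, since an enforced link would win regardless of OU precedence. The domain name, OU distinguished name, and GPO name are assumptions; the script needs the GroupPolicy module (RSAT or a DC).

```powershell
# Added example, not from the thread. Assumptions: OU "OU=Servers,DC=example,DC=com"
# and a new GPO named "Servers - Windows Update"; adjust both for your domain.
Import-Module GroupPolicy

$gpoName = 'Servers - Windows Update'
$ou      = 'OU=Servers,DC=example,DC=com'

# 1. Create the GPO, reusing it if it already exists so the script can be re-run safely.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Overrides Default Domain Policy Windows Update settings for servers'
}

# 2. "Configure Automatic Updates: Disabled" is stored by the WindowsUpdate ADMX as
#    NoAutoUpdate = 1 under the AU policy key.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ValueName 'NoAutoUpdate' -Type DWord -Value 1 | Out-Null

# 3. Link it to the Servers OU. OU links are processed after domain links, so on a
#    conflicting setting the OU-linked GPO wins. Order 1 = highest precedence on this OU.
$alreadyLinked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Order 1 | Out-Null
}

# 4. Verify the effective link order on the OU and warn if the Default Domain Policy is
#    Enforced: an enforced link cannot be overridden by a lower-level link or Block Inheritance.
$inheritance = Get-GPInheritance -Target $ou
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

$ddp = $inheritance.InheritedGpoLinks | Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
if ($ddp -and $ddp.Enforced) {
    Write-Warning 'Default Domain Policy is Enforced; the OU-linked GPO will NOT override its settings.'
}
```

After a `gpupdate /force` on a member server in that OU, `gpresult /scope:computer /r` lists the applied GPOs in precedence order; the new GPO should appear above the Default Domain Policy, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate` should read 1. Sub-OUs under the Servers OU inherit the link unless Block Inheritance is set on them.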
Joe Fulginiti (Network Engineer) commented:
1) Remove the auto-update entries from your Default Domain Policy.
2) Create another policy and put the auto-update settings there.
3) Apply a WMI filter to the new policy as follows:
select * from Win32_OperatingSystem where (ProductType = 1)

ProductType = 1 is workstation OSs, so the policy will not apply to servers.
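A WMI filter is evaluated on each client at policy-processing time, and the GPO applies only if the query returns at least one instance. The added example below (not from the thread) runs the same query locally so you can confirm, before linking, whether a given machine would receive a GPO carrying that filter; `Win32_OperatingSystem.ProductType` is 1 for a workstation, 2 for a domain controller, and 3 for a member server, so a "servers only" variant would need `ProductType = 3` (or `ProductType <> 1` to include DCs). The function name and the sample queries are assumptions.

```powershell
# Added example, not from the thread. Evaluates a Group Policy WMI filter query on the
# local host the way the Group Policy client does: match => the filtered GPO applies.
function Test-GpoWmiFilter {
    param(
        [string]$Query = 'select * from Win32_OperatingSystem where (ProductType = 1)'
    )

    # Group Policy runs the filter in root\cimv2 and applies the GPO if any instance comes back.
    $matches = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $role = switch ([int]$os.ProductType) {
        1 { 'Workstation' }
        2 { 'Domain Controller' }
        3 { 'Member Server' }
        default { "Unknown ($($os.ProductType))" }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ProductType  = $os.ProductType
        Role         = $role
        Query        = $Query
        FilterMatch  = ($matches.Count -gt 0)   # $true means the GPO would apply here
    }
}

# Joe's workstation-only filter, plus two server-side variants for comparison (assumed queries).
@(
    'select * from Win32_OperatingSystem where (ProductType = 1)',   # workstations only
    'select * from Win32_OperatingSystem where (ProductType = 3)',   # member servers only
    'select * from Win32_OperatingSystem where (ProductType <> 1)'   # servers and DCs
) | ForEach-Object { Test-GpoWmiFilter -Query $_ } | Format-Table -AutoSize
```

Run it on a workstation, a member server, and a DC to see which filter matches where; `Get-GPO -Name '<GPO>' | Select-Object WmiFilter` shows which filter is attached to a GPO, and `gpresult /scope:computer /r` reports GPOs that were filtered out under "The following GPOs were not applied because they were filtered out".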
I would back Dariusz's suggestion of just creating a new GPO linked to the Servers OU, as long as the Default Domain Policy is not enforced (which it should not be). Configure the GPO with the settings you want for the servers and make sure it has a higher precedence than the Default Domain Policy.

You want to refrain from blocking inheritance and setting enforced policies as much as possible.
Phil Mapfumo (Infrastructure Engineer, Author) commented:
Thanks guys for all your input, but @Dariusz and @Footech, I will try out your suggestions on a test server first before applying them.
Phil Mapfumo (Infrastructure Engineer, Author) commented:
@Dariusz, would the new GPO I have created work even if there are sub-OUs under the main Servers OU? Please find attached a screenshot of the server OU I mean.
Dariusz Tyka (ICT Infrastructure Specialist Senior) commented:
Yes, it will work for sub-OUs as well, unless you block inheritance at a lower level.
Phil Mapfumo (Infrastructure Engineer, Author) commented:
Dariusz, I applied the GPO directly to the Servers OU and it took precedence over the Default Domain Policy. Many thanks for your help.