Prevent group policies from applying to particular OU

How can I prevent group policies from applying to particular Organizational Units within a Server 2016 Active Directory domain?
IT Guy (Network Engineer) asked:
DrDave242 commented:
In the Group Policy Management Console, right-click the OU in question and select Block Inheritance. This will prevent all GPOs linked at a higher level, including the Default Domain Policy GPO, from applying to that OU, except for any GPOs with the Enforced attribute set.

Note that blocking inheritance can make troubleshooting Group Policy issues somewhat more difficult. This setting should be used sparingly, if at all.
1

Alan (Consultant) commented:
Hi,

I would go for one of these two options:

1) Set the OU that you want to block inheritance on.  This will work unless the GPO has been set up as an 'enforced' GPO.  This is the best option.

2) You could use security filtering - add the objects in the OU that you do not want the GPO to apply to into a global group, and set the permissions on the GPO to deny application to that group.  This option means you would have to maintain the group membership - adding or removing objects from the OU won't make the GPO apply / not apply.


A third option that might be even better would be to re-organise your OU setup somehow, but that could be a far bigger task of course!


Alan.
1
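Both of the options above (Block Inheritance, and a security-filtering deny on a specific GPO) can be done from PowerShell rather than the GPMC, which also gives you a way to check the result. The following is an added example, not code from either answer or from Microsoft's documentation; the OU distinguished name, the GPO name "Workstation Lockdown" and the group name "GPO-Deny-WorkstationLockdown" are assumed placeholders. It needs the GroupPolicy and ActiveDirectory modules (RSAT) and rights to edit the OU and the GPO.

```powershell
# Added example: block GPO inheritance on an OU, and deny one GPO to a group.
# All names below are assumptions for illustration; replace with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou        = "OU=Kiosks,OU=Workstations,DC=corp,DC=example"   # assumed OU
$gpoName   = "Workstation Lockdown"                            # assumed GPO
$denyGroup = "GPO-Deny-WorkstationLockdown"                    # assumed global group

# --- Option 1: Block Inheritance on the OU ---------------------------------
Set-GPInheritance -Target $ou -IsBlocked Yes

# Check: inheritance is blocked, but any Enforced links from above still apply.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on {0}: {1}" -f $ou, $inh.GpoInheritanceBlocked
$stillApplied = $inh.InheritedGpoLinks | Where-Object { $_.Enforced }
if ($stillApplied) {
    "Enforced GPOs that still reach this OU despite the block:"
    $stillApplied | Select-Object DisplayName, Enforced, Order
}

# --- Option 2: Security filtering - deny 'Apply Group Policy' to a group ---
# Set-GPPermission cannot write an explicit Deny ACE, so edit the ACL on the
# GPO's groupPolicyContainer object in AD directly. Gpo.Path is that object's DN.
$gpo   = Get-GPO -Name $gpoName
$group = Get-ADGroup -Identity $denyGroup
$gpoAdPath = "AD:\" + $gpo.Path

# Extended right 'Apply Group Policy' (well-known rightsGuid).
$applyGroupPolicy = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"

$acl  = Get-Acl -Path $gpoAdPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy)
$acl.AddAccessRule($rule)
Set-Acl -Path $gpoAdPath -AclObject $acl

# Check: list the Deny entries now present on the GPO object.
(Get-Acl -Path $gpoAdPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Two caveats for option 2: deny only the Apply Group Policy right, and leave Read in place (since MS16-072, policy is retrieved in the computer's security context, and a group that also loses Read can break processing for other GPOs on the same container); and group membership is evaluated when the logon token is built, so a computer added to the deny group needs a reboot, and a user needs to log off and on, before `gpresult /r` will show the GPO as filtered out.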
IT Guy (Network Engineer, author) commented:
Alan,

I am setting up a new Server 2016 AD forest from scratch and already have an idea of what Organizational Units (OUs) will be created and which OUs I don't want to have any group policies applied to, which OUs need to only have particular group policies applied, and which OUs need to have all group policies applied.

Can you provide me with a guide or instructions on how this should be organized from the very beginning?
1
Alan (Consultant) commented:
Hi Knowledgeable,

I normally start by trying to match the AD structure to the business structure, since decisions and requests will normally come in that direction.

So, for example, if the business is organised (primarily) geographically, then I start with a geographical structure.  If the business is organised functionally, then I start with that structure.

However, in your specific situation, if you are finding that you need to apply an exception to settings flowing from GPOs, then you could look at an alternative structure that won't require that (or at least minimises it).

Maybe this will be your one and only exception?  If so, then your structure might already be pretty much optimal (you never really know), and go with stopping inheritance on that one exception (as above).

It is also worth noting that when, a few years down the track, the (new) CEO decides to 're-organise' (to look like they are making a difference), the existing AD structure suddenly no longer matches the new organisational structure, at which point you either start having more day-to-day issues, or you rebuild it to match the 'structure of the week'.

Are you able to supply more details?  It is hard (and probably not very helpful to you) talking in generalities.  Happy to have a look if you want me to, but I can't guarantee to come up with anything better than you already have!


Alan.
0