Prevent group policies from applying to particular OU

How can I prevent group policies from applying to particular Organizational Units within a Server 2016 Active Directory domain?
Asked by IT Guy

3 Solutions
In the Group Policy Management Console, right-click the OU in question and select Block Inheritance. This will prevent all GPOs linked at a higher level, including the Default Domain Policy GPO, from applying to that OU, except for any GPOs with the Enforced attribute set.

Note that blocking inheritance can make troubleshooting Group Policy issues somewhat more difficult. This setting should be used sparingly, if at all.

I would go for one of these two options:

1) Set the OU that you want to block inheritance.  This will work unless the GPO has been set up as an 'enforced' GPO.  This is the best option.

2) You could use security filtering - add the items from the OU that you want to not have the GPO apply to into a global group and set the permissions on the GPO to deny application to that group.  This option means you would have to maintain the group membership - adding or removing objects from the OU won't make the GPO apply / not apply.

A third option that might be even better would be to re-organise your OU setup somehow, but that could be a far bigger task of course!
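Both options above, scripted in PowerShell as an added example (not code from the thread). The domain, OU, GPO and group names are placeholders; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and it writes the Deny ACE directly because Set-GPPermission cannot add deny entries.

```powershell
# Added example, not from the original answer. All names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'                                   # placeholder
$TargetOU    = 'OU=Kiosks,OU=Workstations,DC=corp,DC=example,DC=com'  # placeholder
$GpoName     = 'Workstation Baseline'                               # placeholder
$ExemptGroup = 'GPO-Exempt-Kiosks'                                  # placeholder global group

# Option 1: block inheritance on the OU, then list what still applies.
Set-GPInheritance -Target $TargetOU -IsBlocked Yes -Domain $Domain | Out-Null
$inh = Get-GPInheritance -Target $TargetOU -Domain $Domain
"Inheritance blocked on ${TargetOU}: $($inh.GpoInheritanceBlocked)"
# Only links marked Enforced at a parent level survive the block; anything that
# shows up here with Enforced = True is the exception the answer warns about.
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Order

# Option 2: security filtering by denying Apply to a group of exempt objects.
# The client evaluates the ACL on the GPO's AD container; a Deny on the
# Apply-Group-Policy extended right (well-known rights GUID below) overrides
# the default Authenticated Users Apply permission for members of the group.
$gpo        = Get-GPO -Name $GpoName -Domain $Domain
$gpoAdPath  = 'AD:\' + $gpo.Path          # cn={guid},cn=policies,cn=system,DC=...
$groupSid   = (Get-ADGroup -Identity $ExemptGroup).SID
$applyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyRight)

$acl = Get-Acl -Path $gpoAdPath
$acl.AddAccessRule($denyApply)
Set-Acl -Path $gpoAdPath -AclObject $acl

# Verify: the deny entry should now be listed for the exempt group.
Get-GPPermission -Name $GpoName -All -Domain $Domain |
    Where-Object { $_.Denied } |
    Select-Object Trustee, Permission, Denied
```

Membership changes only take effect after the affected user or computer obtains a new token (log off/on or reboot), which is the maintenance cost the answer describes.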

IT Guy (Network Engineer, Author) commented:

I am setting up a new Server 2016 AD forest from scratch and already have an idea of what Organizational Units (OUs) will be created and which OUs I don't want to have any group policies applied to, which OUs need to only have particular group policies applied, and which OUs need to have all group policies applied.

Can you provide me with a guide or instructions on how this should be organized from the very beginning?
Hi Knowledgeable,

I normally start by trying to match the AD structure to the business structure, since decisions and requests will normally come in that direction.

So, for example, if the business is organised (primarily) geographically, then I start with a geographical structure.  If the business is organised functionally, then I start with that structure.

However, in your specific situation, if you are finding that you need to apply an exception to settings flowing from GPOs, then you could look at an alternative structure that won't require that (or at least minimises it).

Maybe this will be your one and only exception?  If so, then your structure might already be pretty much optimal (you never really know), and go with stopping inheritance on that one exception (as above).

It is also worth noting that a few years down the track, when the (new) CEO decides to 're-organise' (to look like they are making a difference), the existing AD structure suddenly no longer matches the new organisational structure, at which point you either start having more day-to-day issues, or you rebuild it to match the 'structure of the week'.

Are you able to supply more details?  It is hard (and probably not very helpful to you) talking in generalities.  Happy to have a look if you want me to, but I can't guarantee to come up with anything better than you already have!

Question has a verified solution.
