Best practice GPO for Domain Controllers OU

GPO - Should the Domain Controllers OU be set to block inheritance of other GPOs?
My Exchange 2010 servers suddenly lost connectivity to the Domain Controllers and when checking things out, I found the Domain Controller policy somehow dropped the "Domain\Exchange Servers" from an Audit/Manage permission. Tracking that down, I looked at GPOs and discovered that my Domain Controllers were inheriting all sorts of policies.

So, is it best practice for the OU for the Domain Controllers to block GPO inheritance (and use only the "Default Domain Controller policy")?
Is it best practice to set the "Default Domain policy" to enforced?
Thanks.
Environment: 2012 R2 DCs, Exchange 2010 (and legacy 2003), Functional level at 2008
challBOE asked:
 
Mahesh (Architect) commented:
If you have multiple policies defined at domain level in addition to the default domain policy, you should block inheritance on the Domain Controllers OU to avoid applying those policies on domain controllers.
There is no best practice that the default domain policy be enforced, because once you enforce a policy, that policy cannot be blocked on the Domain Controllers OU by enabling block inheritance.
Keep minimum policies at domain level or use security filtering so that a policy will apply to only specific users.
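
A read-only audit of what reaches the Domain Controllers OU, showing which links would still apply with Block Inheritance set. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules and an account that can read GPO links.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: lists GPO links that apply to the Domain Controllers OU.
# It only reads; the one changing command at the end is commented out.

$dcOu = (Get-ADDomain).DomainControllersContainer   # DN of the Domain Controllers OU
$som  = Get-GPInheritance -Target $dcOu

# InheritedGpoLinks is the resultant list for the OU: links on the OU itself
# plus links from parent containers. If inheritance is already blocked, only
# OU-level links and enforced parent links remain in it.
$report = foreach ($link in $som.InheritedGpoLinks) {
    $onDcOu = $link.Target -ieq $dcOu
    [pscustomobject]@{
        Order         = $link.Order
        Gpo           = $link.DisplayName
        LinkedAt      = $link.Target
        Enabled       = $link.Enabled
        Enforced      = $link.Enforced
        Source        = if ($onDcOu) { 'Linked on DC OU' } else { 'Inherited' }
        # An enforced link above the OU is not stopped by Block Inheritance.
        SurvivesBlock = $onDcOu -or $link.Enforced
    }
}

"Block Inheritance on {0}: {1}" -f $som.Path, $som.GpoInheritanceBlocked
$report | Sort-Object Order | Format-Table -AutoSize

# Inherited, non-enforced links are the ones blocking would remove from DCs.
$dropped = $report | Where-Object { -not $_.SurvivesBlock }
"Links that blocking would remove: {0}" -f @($dropped).Count
$dropped | Select-Object Gpo, LinkedAt | Format-Table -AutoSize

# After reviewing the report, blocking is a single call (modifies the OU):
# Set-GPInheritance -Target $dcOu -IsBlocked Yes
```

The report covers link scope only; security filtering and WMI filters on each GPO can still exclude domain controllers from a link that appears here.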
 
challBOE (Author) commented:
Thank you.
 
challBOE (Author) commented:
Thanks, I will block inheritance.
Question has a verified solution.