Default Domain Policy and Block Policy Inheritance

Anwar Mahmood

Hi all,

My network has both Active Directory and NDS, and NDS is the "primary"
directory. From what I understand, the default settings in "default
domain policy" relate only to security, and need to be applied to
domain controllers only (there are no local accounts on client PCs
apart from built-in ones). All my PCs are identical, and need the same
policy settings, so I've made policy settings in local computer
policy. This means that PCs don't pull down the same settings each
session, but I can still overrule the settings from the network if
necessary. Can I use the "block policy inheritance" feature on the OU
that holds the PC objects to effectively make no "external" policies
apply to the client PCs, primarily to speed things up? If I ever need
to change these policy settings, I can simply create a custom group
policy and assign it to this OU.

Am I correct? What are the implications of blocking the default domain
policy?

Kind regards,

Anwar
 
Dmitry Korolyov

You can do this, but it's not a best practice I believe. Troubleshooting
group policy becomes more difficult when you use blocked inheritance. You
should try to achieve the same functionality in an alternative way.

I doubt that applying a single policy (Default Domain Policy) would cause a
significant performance overhead. Actually, you can barely notice a difference
in performance while applying group policy using 1 and 10-15 GPOs.
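
A read-only audit that addresses the troubleshooting concern raised above, as an added example that is not part of the original thread: it lists every OU with Block Inheritance set and the GPOs that still reach it (directly linked ones, plus enforced links from parent containers, which blocking does not stop). It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed; the function name Get-BlockedInheritanceReport is hypothetical.

```powershell
# Added example: report OUs that block Group Policy inheritance.
# Read-only; requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-BlockedInheritanceReport {
    param(
        # Assumption: defaults to the current domain; pass an OU DN to narrow the search.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        if (-not $inh.GpoInheritanceBlocked) { continue }

        # GPOs linked directly to this OU (blocking never affects these).
        $direct = @($inh.GpoLinks | Where-Object Enabled)

        # Enforced links on parent containers still apply despite the block.
        $enforced = @($inh.InheritedGpoLinks | Where-Object {
            $_.Enforced -and $_.Target -ne $ou.DistinguishedName
        })

        [pscustomobject]@{
            OU                = $ou.DistinguishedName
            DirectGpos        = ($direct.DisplayName -join '; ')
            EnforcedFromAbove = ($enforced.DisplayName -join '; ')
        }
    }
}

Get-BlockedInheritanceReport | Format-List
```

An OU that shows up with both columns empty receives no domain GPOs at all, which is the state the question describes for the client PC OU.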
 
