How do I prevent a single GPO from being inherited by a child OU?

Guest

I have a GPO that I do not want to be inherited by a child OU. Is there an
easy way to do this?

For example: the GPO is linked to Sales\Computers, but there is also a
Sales\Computers\Laptops OU that I do not want the GPO applied to.

The only way I can think of to do this is by selecting Block Inheritance on
the Laptops OU, then making sure all of the desired GPO's are Enforced. The
trouble is, I'm in an enterprise network where there are higher-up GPO's that
need to be applied, but I can't Enforce them because I do not have
permissions.

Any suggestions would be greatly appreciated.

Thanks!
 
Mark Heitbrink [MVP]

Hi,
> I have GPO that I do not want to be inherited by a child OU. Is there an
> easy way to do this?

No.
You can only block inheritance on the OU level, but not on
a single OU.

But you can place your Objects in this OU in a separate Security Group
and work with DSACLs on the GPO and "deny" read and apply.

Mark
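
The approach suggested in the reply above (a security group for the computers in the Laptops OU, then a deny for read and apply on the GPO), as an added example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy PowerShell modules, which are newer than the Server 2003 tooling discussed here; the GPO name, group name and OU path are hypothetical placeholders.

```powershell
# Added example: exclude one child OU's computers from a GPO by security filtering.
# All names below are hypothetical placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Sales Computers Policy'
$GroupName = 'Sales-Laptops-GPO-Exclude'
$LaptopsOU = 'OU=Laptops,OU=Computers,OU=Sales,DC=example,DC=com'

# 1. Create the exclusion group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# 2. Put every computer account under the Laptops OU into the group.
$computers = Get-ADComputer -SearchBase $LaptopsOU -SearchScope Subtree -Filter *
if ($computers) {
    Add-ADGroupMember -Identity $group -Members $computers
}

# 3. Add Deny ACEs on the GPO's directory object for that group:
#    - Deny the "Apply Group Policy" extended right
#    - Deny read, as suggested in the reply
$gpo      = Get-GPO -Name $GpoName
$adPath   = "AD:\$($gpo.Path)"
$acl      = Get-Acl -Path $adPath
$sid      = [System.Security.Principal.SecurityIdentifier]$group.SID
$applyGpo = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply Group Policy right
$deny     = [System.Security.AccessControl.AccessControlType]::Deny

$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $deny, $applyGpo)
$denyRead  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $deny)

$acl.AddAccessRule($denyApply)
$acl.AddAccessRule($denyRead)
Set-Acl -Path $adPath -AclObject $acl

# 4. Review the result: list the Deny ACEs now present on the GPO.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

A computer picks up its new group membership only after a restart, so the deny takes effect on the next boot; `gpresult` on a laptop then shows whether the GPO was filtered out.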
 
Guest

Thanks for the reply.

I'm not sure if it makes a difference, but we're using Server 2003, and I'm
using the GPMC.

I figured that this was going to be the only way to block inheritance. I
suppose I could move the child Laptops OU out of the Computers OU so that it
is on the same level as the Computers OU and then this would allow me to
manually re-link the desired GPO's but not worry about the higher-up GPO's.

<sigh> It just seems like this should be fairly simple to do--filter what
OU's the GPO gets blocked/not applied.

BTW, I noticed that this group is win2000.group_policy. I could not find a
general/Windows Server 2003 group policy newsgroup.

-bhall
 
Mark Heitbrink [MVP]

Hi,
> I'm not sure if it makes a difference, but we're using Server 2003,
> and I'm using the GPMC.

Best way to do.
There are only some extending changes to the function but not to
the system and technics, how GPO processing works.

> I figured that this was going to be the only way to block inheritance. I
> suppose I could move the child Laptops OU out of the Computers OU so that it
> is on the same level as the Computers OU and then this would allow me to
> manually re-link the desired GPO's but not worry about the higher-up GPO's.

Yepp. Sounds like the easiest way.

> BTW, I noticed that this group is win2000.group_policy. I could not find a
> general/Windows Server 2003 group policy newsgroup.

microsoft.public.windows.group_policy

MS changed the NG system with the beginning of Win2003. Prior, they built
newsgroups OS specific. Now they made the NG depending on the technic.

Mark
 
