OU Exceptions.

Eugene Mansour

I'm new to this so my question might sound dumb.
In our domain we have several (Parent) OUs; within those OUs we have
other (Child) OUs. If we need to push out a group policy for all the
(Child) OUs under a (Parent) OU then we just apply a policy to that
(Parent) OU. But if we want to apply it to all the (Child) OUs but
one, then we have to go into each (Child) OU and apply a group policy
locally. Can we set an exception in the group policy to avoid a
particular (Child) OU?

In other words:
I have a Parent OU and some child OUs (A-G)

- Parent OU
  - Child OU (A)
  - Child OU (B)
  - Child OU (C)
  - Child OU (D)
  - Child OU (E)
  - Child OU (F)
  - Child OU (G)

How do I push a group policy to all the Child OUs except (A) without
going to each child OU and setting up a group policy there?
Any help would be much appreciated.
 
Laura E. Hunter (MVP)

Configure the "global" GPO and link it to the Parent OU.

Then right-click on the OU that you -don't- want receiving the GPO settings.
Go to Properties-->Group Policy, and place a check-mark next to "Block
Policy Inheritance". (That's on 2K. I think 2K3 calls it something
slightly different, but I don't have a 2K3 box in front of me. It'll be
pretty obvious.)

This will work as long as you haven't configured the Parent OU's GPO with
the "No Override" setting, which would prevent it from being blocked in this
fashion. The regular GPO inheritance will apply to the remainder of your
Child OUs, and they will receive the settings from the GPO attached to the
Parent OU by default.
 
Brian Desmond [MVP]

This will work fine, however, if you ever link additional GPOs to the parent
OU, none of them will propagate to Child OU A. If this is a problem, what I
would do is create a security group with every account in OU A, and then add
that group to the ACL on the GPO in question (the one you don't want
applied), and deny the "apply policy" right.

--
Brian Desmond
Windows Server MVP
Http://www.briandesmond.com
 
Cary Shultz [A.D. MVP]

Eugene,

In addition to what the others have stated, I am thinking that you can
create this GPO at one of the Child OUs and then simply link it to the other
child OUs. This way you do not have to use the block inheritance check box
as this often causes a problem.

I do like (and use) the solution that Brian suggested. You simply create
a security group for filtering... However, this can possibly add to
confusion later on down the road so you need to have this well documented.

HTH,

Cary
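
The replies above trade off Block Policy Inheritance, No Override and a Deny on the apply-policy right. The following is an added example, not part of any post in the thread: a simplified Python model of how those three settings decide which GPOs reach an account. The names `Global`, `Baseline` and `OU-A-Accounts` are constructed, and the model ignores site and domain links, link order and loopback.

```python
"""Toy model of GPO scoping: links, Block Policy Inheritance,
No Override, and a Deny on the apply-policy right.
All OU, GPO and group names are constructed for illustration."""

def effective_gpos(ou_path, groups, links, blocked, deny_apply):
    """Return the names of the GPOs that apply to one account.

    ou_path    -- OUs from the top-level parent down to the account's OU
    groups     -- security groups the account is a member of
    links      -- {ou: [(gpo_name, no_override), ...]}
    blocked    -- OUs with Block Policy Inheritance set
    deny_apply -- {gpo_name: groups denied the apply-policy right}
    """
    applied = []
    for i, ou in enumerate(ou_path):
        # Links on this OU are cut off if any OU below it on the path
        # (down to the account's own OU) blocks inheritance.
        cut = any(child in blocked for child in ou_path[i + 1:])
        for gpo, no_override in links.get(ou, []):
            if cut and not no_override:
                continue  # blocked, and the link is not No Override
            if groups & deny_apply.get(gpo, set()):
                continue  # a Deny entry wins over any Allow
            applied.append(gpo)
    return applied

A, B = ["Parent", "Child A"], ["Parent", "Child B"]
TWO_GPOS = {"Parent": [("Global", False), ("Baseline", False)]}
ENFORCED = {"Parent": [("Global", True), ("Baseline", False)]}

def demo():
    block, in_a = {"Child A"}, {"OU-A-Accounts"}
    deny = {"Global": {"OU-A-Accounts"}}
    return {
        "block: A": effective_gpos(A, in_a, TWO_GPOS, block, {}),
        "block: B": effective_gpos(B, set(), TWO_GPOS, block, {}),
        "block + No Override: A": effective_gpos(A, in_a, ENFORCED, block, {}),
        "deny filter: A": effective_gpos(A, in_a, TWO_GPOS, set(), deny),
        "deny filter: B": effective_gpos(B, set(), TWO_GPOS, set(), deny),
    }

if __name__ == "__main__":
    for case, gpos in demo().items():
        print(f"{case:24} -> {gpos}")
```

The "deny filter" rows hold only while the security group tracks the contents of Child OU A: an account in that OU that is missing from the group still receives `Global`.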
 
