Block Policy Inheritance
Blocking policy inheritance is a function that you configure on the domain or organizational units. This setting can block the application of GPOs that are higher in the Active Directory structure than where the setting is configured. When configured on a top-level organizational unit, this setting blocks all GPOs from the site and domain from applying to objects located in the organizational unit where it is configured, and below.
Note: The Block Inheritance option does not block the application of local GPOs. If you want to block local GPOs, it is a best practice to disable them using a GPO.
For example, assume you had the Active Directory structure and links shown in Table 1.
Table 1. Example Active Directory Structure and GPO Links
Active Directory Node | Linked GPO
---|---
Fabrikam.com | Default Domain Policy, GPO_Domain_Security
Finance organizational unit | GPO_Finance_Security
AccountsPayable organizational unit (child under Finance) | GPO_AP_Security, GPO_AP_Applications
All of the GPOs in Table 1 have computer-related settings, not user-related settings. The standard Group Policy inheritance and processing would apply all five of these GPOs to the computer objects located in the AccountsPayable organizational unit, as shown in Figure 1.
There are desktop computers located in the AccountsPayable organizational unit. To block policy inheritance, you configure the setting at the AccountsPayable organizational unit, as shown in Figure 2. To configure Block Inheritance, right-click the organizational unit, and then click Block Inheritance.
After the Block Inheritance option is configured for the AccountsPayable organizational unit, the new set of GPOs that will affect the objects appears as shown in Figure 3.
Important: Note that all settings in all blocked GPOs will be blocked. The Block Inheritance option cannot block just some settings in GPOs with weaker precedence—it blocks all settings in all GPOs.
Enforce
The Enforce option for Group Policy is slightly different from the setting to block inheritance. Enforcement of a GPO and its settings occurs at the GPO level, not the Active Directory node level. When a GPO is set to be enforced, the GPO cannot be blocked by any other setting. The GPO also gains the strongest precedence of all GPOs.
Continuing with the Block Inheritance example, we will now investigate how enforcing a GPO affects the situation. Figure 3 illustrates the current GPO application based on the blocking of policy inheritance at the AccountsPayable organizational unit. If the Default Domain Policy were set to be enforced, the result would appear as shown in Figure 4. To configure the Enforce option on a GPO, right-click the GPO link, and then click Enforce.
You can clearly see that after the Default Domain Policy is set to be enforced, the GPO applies throughout the Active Directory structure. Also, the Default Domain Policy is now at the top of the precedence list of all GPOs. This means that all settings configured in this GPO will win any conflict with any other GPO in the scope of management for an object.
Note: If multiple GPOs are set to be enforced, the GPOs that are higher in the Active Directory structure will have stronger precedence. So if the GPO_AP_Security GPO is set to be enforced, it will have a weaker precedence than the enforced Default Domain Policy.
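As an added illustration that is not part of the original text, the following Python model applies the Block Inheritance and Enforce rules described above to the Fabrikam structure in Table 1 and returns the resulting precedence list (strongest first) for Figures 1, 3 and 4 and for the two-enforced-GPOs note. It assumes that the order in which GPOs are listed for a node in Table 1 is their link order, and that the local GPO is always processed with the weakest precedence (it is unaffected by Block Inheritance, as the first note states).

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Link:
    gpo: str
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: List[Link]            # index 0 = highest precedence within this container (assumed link order)
    block_inheritance: bool = False

def effective_gpos(chain: List[Container]) -> List[str]:
    """chain lists containers from the domain down to the one holding the object.
    Returns GPO names ordered strongest precedence first."""
    enforced = []      # collected top-down: a higher enforced GPO outranks a lower one
    non_enforced = []  # rebuilt as we descend: closer containers outrank higher ones
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance drops every non-enforced GPO linked above this container.
            non_enforced = []
        enforced.extend(l.gpo for l in container.links if l.enforced)
        non_enforced = [l.gpo for l in container.links if not l.enforced] + non_enforced
    # Local Group Policy is never blocked and always has the weakest precedence.
    return enforced + non_enforced + ["Local Group Policy"]

def fabrikam_chain(block_ap=False, enforce_ddp=False, enforce_ap_sec=False) -> List[Container]:
    """The structure from Table 1 (constructed example data), with optional Block/Enforce toggles."""
    return [
        Container("fabrikam.com", [Link("Default Domain Policy", enforce_ddp), Link("GPO_Domain_Security")]),
        Container("Finance", [Link("GPO_Finance_Security")]),
        Container("AccountsPayable",
                  [Link("GPO_AP_Security", enforce_ap_sec), Link("GPO_AP_Applications")],
                  block_inheritance=block_ap),
    ]

def fabrikam_scenarios() -> dict:
    return {
        "figure1_default": effective_gpos(fabrikam_chain()),
        "figure3_blocked": effective_gpos(fabrikam_chain(block_ap=True)),
        "figure4_blocked_and_enforced": effective_gpos(fabrikam_chain(block_ap=True, enforce_ddp=True)),
        "note_two_enforced": effective_gpos(fabrikam_chain(block_ap=True, enforce_ddp=True, enforce_ap_sec=True)),
    }

if __name__ == "__main__":
    for name, order in fabrikam_scenarios().items():
        print(f"{name}: {' > '.join(order)}")
```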