In general, any GPO linked to the domain will have conflicting settings overridden if a container (OU) down the tree sets block inheritance. The DDP is no different. However, some policies, like account policy, will not be affected by block inheritance on regular OUs since it will be processed by domain controllers that (presumably) reside in the DC OU. If you were to set block inheritance on the DC OU, that would be bad. Disabling the DDP is not bad in and of itself, just not recommended. By default, this GPO delivers domain account policy (if you don't have any other domain-linked GPOs doing this). So disabling it without an alternative means that you have no way to centrally manage account policy. In that case, whatever the default account policy is on your DCs will be the one in effect--probably not a great thing. One thing I have recommended in the past is, in whichever domain-linked GPO you implement domain account policy, set that link as No Override (aka Enforced). That way you always know that no matter what happens downstream, no one can futz up your account policy. 
 
Darren  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of cflesher
Sent: Monday, February 14, 2005 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] override default domain policy

I was in a meeting last week and the issue came up if it is possible to override the default domain policy and set policies on each domain. I always understood that you couldn't do this. But if you block inheritance and apply another policy on an OU, what happens? Furthermore, what is supposed to happen if the default domain policy is disabled?
 
I'm going to test this, but it would be nice to hear from the experts. I did look back in the archives for this list, but it seemed like there were mixed feelings on the possibilities.
 
Thanks.
 
Chris Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
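
Added example, not part of the original thread: a PowerShell audit of the conditions discussed in the reply above (the account-policy GPO link at the domain root being enabled and Enforced, and no block inheritance on the Domain Controllers OU). It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the `$AccountPolicyGpo` parameter and its default value are assumptions to adjust for your domain.

```powershell
# Added example. Requires the ActiveDirectory and GroupPolicy RSAT modules.
# $AccountPolicyGpo is an assumption: the display name of the domain-linked GPO
# that carries your domain account policy.
param([string]$AccountPolicyGpo = 'Default Domain Policy')

Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$findings = @()

# 1. The account-policy GPO should be linked at the domain root, with the link
#    enabled and set to Enforced (No Override).
$rootLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
$link = $rootLinks | Where-Object { $_.DisplayName -eq $AccountPolicyGpo }
if (-not $link) {
    $findings += "'$AccountPolicyGpo' is not linked at the domain root"
} else {
    if (-not $link.Enabled)  { $findings += "Link for '$AccountPolicyGpo' is disabled" }
    if (-not $link.Enforced) { $findings += "Link for '$AccountPolicyGpo' is not Enforced" }
}

# 2. Block inheritance on the Domain Controllers OU stops non-enforced
#    domain-linked GPOs from reaching the DCs that process account policy.
$dcOu = Get-GPInheritance -Target $domain.DomainControllersContainer
if ($dcOu.GpoInheritanceBlocked) {
    $findings += "Block inheritance is set on $($domain.DomainControllersContainer)"
}

# 3. For review: every other OU that blocks inheritance. Enforced links still
#    apply there; non-enforced domain-linked settings do not.
$blockedOus = Get-ADOrganizationalUnit -Filter * | Where-Object {
    (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "Account-policy link for '$AccountPolicyGpo' is enabled and enforced." }

Write-Output "OUs with block inheritance set: $(@($blockedOus).Count)"
$blockedOus | Select-Object -ExpandProperty DistinguishedName
```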
 
