I just prefer using sec. group filtering over block and enforced flags. In your 
scenario I would have added explicit denies for the DC group to those GPOs that 
should not have applied rather than block inheritance.

-----Original Message-----
From: "Kamlesh Parmar" <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: 9/15/2006 1:38 PM
Subject: Re: [ActiveDir] Block Inheritance on DC OU

Well at one of the customers, they have around 10 to 15 GPOs applied at
domain level, for various purposes ranging from software deployment to other
settings.
So they didn't want many of those GPOs to be applied to domain
controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.

So the only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.

This helped for keeping a consistent password policy across all OUs and
Domain.
And also "saving" DCs from domain level general purpose GPOs.

Long term, the solution is to rethink the OU structure.

Kamlesh

On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
>
>  Well, the obvious effect is that it prevents domain-linked policies from
> being delivered correctly, including password policy. This is probably not
> desirable. I can't think of a good scenario where this would be useful.
>
> Darren
>
>  ------------------------------
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* WATSON, BEN
> *Sent:* Wednesday, September 13, 2006 9:37 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Block Inheritance on DC OU
>
>  The company I am currently working for has "block inheritance" enabled
> for the Domain Controller's OU and apparently whoever enabled this setting
> is no longer with the company (or they won't fess up to why they did this).
>
> Although I am curious, what sort of ramifications does enabling "block
> inheritance" on the Domain Controller's OU pose?  And what reason would you
> have to enable this setting on the Domain Controller's OU?  With any other
> OU, it would be fairly obvious, but being that these are the Domain
> Controllers it would seem to be a unique situation.
>
> Thanks as always for your input,
>
> ~Ben
>



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Short-term actions X time = long-term accomplishments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


[truncated by sender]
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
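
A way to check what the thread describes on a live domain, as an added example that is not part of the original messages: it reports whether Block Inheritance is set on the Domain Controllers OU and which enabled domain-level GPO links still reach it. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, and it looks at links only; security filtering (the deny ACEs mentioned in the top reply) is not evaluated.

```powershell
# Added example: audit Block Inheritance on the Domain Controllers OU.
Import-Module GroupPolicy, ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # DN of the Domain Controllers OU

# Scope-of-management objects for the DC OU and for the domain root.
$dcSom  = Get-GPInheritance -Target $dcOu
$domSom = Get-GPInheritance -Target $domain.DistinguishedName

"Block Inheritance on {0}: {1}" -f $dcOu, $dcSom.GpoInheritanceBlocked

# Links that reach the OU: direct links plus whatever survives the block
# (with Block Inheritance set, only Enforced links from above remain).
$effective = @($dcSom.InheritedGpoLinks | Select-Object -ExpandProperty GpoId)

# Every enabled domain-level link, marked by whether it still reaches the DCs.
$domSom.GpoLinks | Where-Object Enabled | ForEach-Object {
    [pscustomobject]@{
        Gpo        = $_.DisplayName
        Enforced   = $_.Enforced
        ReachesDCs = $effective -contains $_.GpoId
    }
} | Format-Table -AutoSize
```

A domain-level row with `Enforced = False` and `ReachesDCs = False` is a GPO the block is keeping off the domain controllers; the enforced password policy GPO from Kamlesh's setup would show `True` in both columns.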
