Yes, but there are times when you want to affect all
machines or users in a domain and it's a pain to have to link those policies to
every OU. Domain-linked GPOs are useful but you do have to be explicitly aware
of what you're targeting. That's why I like using explicit security group
filtering rather than implicit blocking or enforcing. It's easier to troubleshoot
(esp. on Win2K without RSOP).
Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU
It seems to me that a better solution is to only put the
password policy into the default domain GPO, and create a separate GPO for any
other settings to apply to the OUs.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU
So they didn't want many of those GPOs to be applied to domain controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.
So the only thing we could come up with to achieve what we wanted was:
1) Block policy at the DC OU
2) Create a Password Policy at the Domain level and enforce it.
This helped for keeping a consistent password policy across all OUs and the Domain.
And also "saving" DCs from domain-level general-purpose GPOs.
Long term, the solution is to rethink the OU structure.
Kamlesh
On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.
Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU
The company I am currently working for has "block inheritance" enabled for the Domain Controllers OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).
Although I am curious, what sort of ramifications does enabling "block inheritance" on the Domain Controllers OU pose? And what reason would you have to enable this setting on the Domain Controllers OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.
Thanks as always for your input,
~Ben
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Short-term actions X time = long-term accomplishments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
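As an added example that is not part of the thread above: the audit below checks, from one script, the situation the thread is arguing about. It shows whether "Block Inheritance" is set on the Domain Controllers OU (Ben's question), which domain-linked GPOs still reach the DCs and whether the one carrying the password policy is Enforced (Kamlesh's two steps), what account policy the DCs currently hold, and who is granted "Apply Group Policy" on each domain-linked GPO (Darren's preference for explicit security-group filtering). It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules, which did not exist on the Windows 2000/2003 servers the 2006 thread discusses, so it is a modern way to see the same thing the posters had to check by hand; the domain names in the comments are placeholders.

```powershell
# Added example, not from the original mailing-list thread.
# Requires the RSAT GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # e.g. "OU=Domain Controllers,DC=corp,DC=example" (placeholder)

# 1) Ben's question: is "Block Inheritance" set on the Domain Controllers OU?
$dcInheritance = Get-GPInheritance -Target $dcOu
"Block Inheritance on {0}: {1}" -f $dcOu, $dcInheritance.GpoInheritanceBlocked

# 2) Which GPOs still reach the DCs. With blocking on, only GPOs linked directly to the OU
#    or linked higher up with "Enforced" survive, which is the mechanism Kamlesh relies on.
"GPOs applied to the Domain Controllers OU (in processing order):"
$dcInheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize

# 3) Kamlesh's step 2: every domain-linked GPO that is NOT enforced is dropped on the DC OU
#    once inheritance is blocked. If that includes the GPO carrying the password policy, the
#    domain account policy is no longer governed by it (Darren's warning).
$domainLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
if ($dcInheritance.GpoInheritanceBlocked) {
    $domainLinks | Where-Object { -not $_.Enforced } | ForEach-Object {
        "WARNING: domain-linked GPO '{0}' is not Enforced and will be blocked on {1}" -f $_.DisplayName, $dcOu
    }
}

# 4) The account policy the DCs actually hold right now. Compare it with the settings in the
#    GPO you believe is the password policy; a mismatch means the GPO is not reaching the DCs.
"Effective domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled, LockoutThreshold |
    Format-List

# 5) Darren's alternative: explicit security filtering. List who is granted "Apply Group Policy"
#    on each domain-linked GPO. A GPO that should not hit DCs would simply not grant GpoApply to
#    a group the DCs belong to (by default "Authenticated Users", which includes the DC accounts).
#    Note: Get-GPPermission reports granted levels only; a Deny ACE on "Apply Group Policy"
#    must still be checked on the GPO's Delegation tab / ACL.
"Security filtering (GpoApply) on domain-linked GPOs:"
foreach ($link in $domainLinks) {
    Get-GPPermission -Name $link.DisplayName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'GPO';     e = { $link.DisplayName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission, Inherited
}
```

Run it from a domain-joined admin workstation (or a DC) with an account that can read GPO security. Section 3 is the one that matters operationally: if Block Inheritance is on and the password-policy GPO is not in the Enforced list, the DCs are not receiving it, which is exactly the failure Darren describes.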