Re: Block inheritance ?
- From: "Ken Aldrich" <supportw@xxxxxxxxxxxxxxx>
- Date: Fri, 20 Jun 2008 16:05:03 -0500
You could try to block inheritance at the Department OU as you did, but then
set the Default Domain Policy to "Override" or "Enforce" (the name depends
on the version of Active Directory you are running). That will override any
place where inheritance has been broken. This might be one approach to
consider.
You could also consider using a group to control permissions to the group
policy.
Create a group in Active Directory. Add the computer objects in the
Computers OU to this new group. Do not add any of the computer objects from
your Department OUs.
Now go to the security tab of the GPO. Add your new group in the Access
Control List and set the "Apply Group Policy" permission for the group.
You'll want to uncheck the "Apply Group Policy" for any objects outside of the
Computers OU.
I made a screenshot for you:
http://img295.imageshack.us/img295/3746/18369284mo3.jpg
I hope this helps.
--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com
"Mark Bohlsen" <mbohlsen@xxxxxxxx> wrote in message
news:AAE4EB5A-61E7-4155-839D-0D852AFD3FEB@xxxxxxxxxxxxxxxx
Is there a way to block inheritance of a specific group policy at the OU
level? It appears to me that if one chooses to block inheritance of a GP
at an OU level it also blocks the default domain policy. My situation is
the following:
Computers OU---default OU policy and WSUS policy applied at this level
------>Dept OU --inherits both GP's. I want to block the WSUS policy at
this level because we are slowly migrating to another patch management
solution.
Any help would be much appreciated.
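
The group-based security filtering described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules are available; the GPO name, OU distinguished name and group name are hypothetical placeholders, and it assumes "Apply Group Policy" currently comes from the default Authenticated Users entry on the GPO.

```powershell
# Added example: limit a GPO to the computers that sit directly in one OU.
# All names below are hypothetical placeholders; adjust them for your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName     = 'WSUS Policy'                      # assumed GPO display name
$ComputersOu = 'OU=Computers,DC=example,DC=com'   # assumed parent OU
$GroupName   = 'GPO-WSUS-Apply'                   # assumed filtering group

# 1. Create the filtering group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -PassThru
}

# 2. Add only the computers located directly in the Computers OU.
#    -SearchScope OneLevel skips child OUs, so Department OU machines stay out.
$existing = Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty DistinguishedName
$toAdd = Get-ADComputer -Filter * -SearchBase $ComputersOu -SearchScope OneLevel |
    Where-Object { $existing -notcontains $_.DistinguishedName }
if ($toAdd) { Add-ADGroupMember -Identity $group -Members $toAdd }

# 3. Give the group "Apply Group Policy" (GpoApply also grants Read).
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 4. Take "Apply Group Policy" away from Authenticated Users but keep Read,
#    so the GPO stays readable while applying only to the group.
#    -Replace is required because this lowers an existing permission.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 5. Review the resulting ACL: only the new group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
```

A computer picks up its new group membership only after it restarts, so the filter takes effect on each machine after its next reboot.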