Blocking Default Domain policy

  • Question

  • Hi,

    If I enable Block Inheritance at the OU level, will the Default Domain Policy settings be fully blocked or only partially blocked?

    What types of settings are allowed to be blocked, and what types of settings are not allowed to be blocked?

    Example: account lockout and password policy cannot be blocked.

    Even though Block Inheritance is enabled, the account lockout and password policy are exempted from blocking.

    Sunday, May 3, 2020 10:07 AM

Answers

  • Hello,

    Thank you for posting in our TechNet forum.


    According to your description, I agree with you. 

    As I know:
    If you select the Block Policy inheritance option at the domain level, when computers in this domain apply group policy, they won't apply any site-linked GPOs.
    If you select the Block Policy inheritance option on an OU, computers in this OU won't apply site-linked GPOs, domain-linked GPOs, or GPOs linked to higher-level OUs.

    However, account and password policies are special. And we don't suggest blocking the Default Domain Policy, because the Default Domain Policy should only be used for account policy settings: password policy, account lockout policy and Kerberos policy.
    Any other settings should be put into a separate GPO. The Default Domain Policy is linked at the domain level, so all users and computers get this policy.

    The following links are for your reference.

    Managing inheritance of Group Policy:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757050(v=ws.10)?redirectedfrom=MSDN

    Group Policy Best Practices: https://activedirectorypro.com/group-policy-best-practices/

    Jolin

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by mcsebala Tuesday, May 5, 2020 4:24 PM
    Monday, May 4, 2020 3:32 AM

All replies

  • It will be blocked in the context of the objects within that OU.

    For example, account policies for the local accounts of the computers in that OU will apply based on the OU-level GPO.

    However, domain users who log on to those computers will still be subject to the Default Domain Policy, since their accounts are defined outside of the OU (on the domain controllers).

    hth
    Marcin

    Sunday, May 3, 2020 11:28 AM
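    The following PowerShell is an added example to illustrate the two answers above; it is not part of the original thread. It shows how to check whether an OU actually blocks inheritance and whether the Default Domain Policy still reaches it (an Enforced link survives Block Inheritance), then contrasts the domain account policy, which the domain controllers read from GPOs linked at the domain root and which governs all domain accounts regardless of any OU-level block, with the local account policy on a member computer, which is all an OU-level block can change. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that it is run as a domain user on a domain-joined machine; the OU distinguished name and the user name are hypothetical placeholders.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT). OU path and user name are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou   = 'OU=Workstations,DC=contoso,DC=com'   # hypothetical OU
$user = 'jdoe'                                # hypothetical domain user

# 1. Is inheritance blocked on the OU, and which GPO links still apply there?
#    InheritedGpoLinks is the effective list: the OU's own links plus anything
#    linked above that is Enforced (Enforced links ignore Block Inheritance).
$inh = Get-GPInheritance -Target $ou
'Inheritance blocked on {0}: {1}' -f $inh.Path, $inh.GpoInheritanceBlocked
'GPO links that still apply at this OU:'
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled |
    Format-Table -AutoSize

$ddp = $inh.InheritedGpoLinks | Where-Object DisplayName -eq 'Default Domain Policy'
if ($ddp) {
    'Default Domain Policy still applies to computers in this OU (enforced or linked here).'
} else {
    'Default Domain Policy does NOT apply to computers in this OU.'
}

# 2. The DOMAIN account policy is read by the domain controllers from the GPOs
#    linked at the domain root. It governs every domain account and is not
#    affected by Block Inheritance on a member-server or workstation OU.
'Domain password/lockout policy (applies to all domain accounts):'
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold, LockoutDuration |
    Format-List

# A fine-grained password policy (PSO) can override the domain policy for a
# user or group. The cmdlet returns nothing when no PSO applies to the account,
# in which case the domain policy above is what governs that user.
$pso = Get-ADUserResultantPasswordPolicy -Identity $user
if ($pso) {
    'User {0} is governed by PSO {1}:' -f $user, $pso.Name
    $pso | Select-Object MinPasswordLength, LockoutThreshold, MaxPasswordAge | Format-List
} else {
    'User {0} has no PSO; the domain default policy applies.' -f $user
}

# 3. On a member computer inside the blocked OU, the LOCAL account policy is
#    whatever the OU-level GPOs (or the machine defaults) set. It governs only
#    the local SAM accounts on that machine, not the domain users who log on.
'Local account policy on this computer (local accounts only):'
net accounts
```

    Run it from a workstation in the OU being tested. If `GpoInheritanceBlocked` is `True` and the Default Domain Policy is not in the effective link list, the `net accounts` output will reflect the OU-level (or default) local policy, while `Get-ADDefaultDomainPasswordPolicy` still reports the domain policy that domain accounts are held to when they authenticate against a domain controller.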