Blocking a group policy from specific OUs, or maybe something entirely different?

    Question

  • I have a group policy in User Configuration that runs a script at logon. The script looks for a registry key. If it finds the key the script ends. If the key is not present the script makes a bunch of security setting changes, creates the key, and reboots the computer. Our Active Directory looks something like this:

    Main Company OU
    |----Department 1 OU
    |----Department 2 OU
    |----Department 3 OU
    |----Department 4 OU
    Servers OU
    Domain Controllers OU
    . . .

    I want to apply the GP at the Main Company OU and its child OUs but block it from everything else. Either that or find some completely different way to accomplish the same thing.

    Any Ideas?

    Wednesday, January 27, 2016 5:33 PM
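The run-once "marker key" pattern the question describes, written out as an added example (this is not the poster's script, which the thread never shows). The marker key path, value name and the two hardening settings are assumptions chosen for illustration. One caveat worth noting before copying the pattern: a logon script under User Configuration runs with the logged-on user's token, and writing under HKLM or calling a reboot needs local administrator rights, so the example is written to run as a Computer Configuration startup script, which runs as SYSTEM.

```powershell
# Added example of an idempotent "apply once, then latch" script.
# Not from the original post. Marker key, value name and the settings below are assumptions.
# Intended to run as a Computer Configuration startup script (SYSTEM), because a
# User Configuration logon script normally cannot write HKLM or reboot the machine.

$MarkerKey   = 'HKLM:\SOFTWARE\Contoso\Hardening'   # assumption: any company-specific key works
$MarkerValue = 'Applied'
$MarkerData  = 1

function Test-HardeningApplied {
    # True when the marker value is already present, so the script exits without touching anything.
    $item = Get-ItemProperty -Path $MarkerKey -Name $MarkerValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$MarkerValue -eq $MarkerData)
}

function Set-HardeningSettings {
    # Illustrative changes only; substitute the real settings.
    # Both locations are documented Windows settings: disable the SMBv1 server and disable LLMNR.
    $smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-Item -Path $smb -Force | Out-Null
    Set-ItemProperty -Path $smb -Name 'SMB1' -Value 0 -Type DWord

    $dns = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $dns -Force | Out-Null
    Set-ItemProperty -Path $dns -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Set-HardeningMarker {
    # Written only after the settings succeeded, so a failed run is retried at the next start.
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name $MarkerValue -Value $MarkerData -Type DWord
}

if (Test-HardeningApplied) {
    Write-Output 'Hardening marker present; nothing to do.'
    exit 0
}

try {
    Set-HardeningSettings
    Set-HardeningMarker
} catch {
    # No marker on failure: the machine will try again at the next start instead of being left half-done.
    Write-Error "Hardening failed, marker not written: $_"
    exit 1
}

# Reboot only once the marker is on disk; otherwise the script loops on every start.
Restart-Computer -Force
```

The marker is a run-once latch, not a control: anyone with local admin rights can pre-create the key and skip the hardening, and the settings can drift after they were applied. If the changes are ordinary registry values, a Group Policy Registry Preference or an Administrative Template re-applies them at every refresh and needs no marker or reboot at all.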

Answers

  • > I want to apply the GP at the Main Company OU and its child OUs but
    > block it from everything else. Either that or find some completely
    > different way to accomplish the same thing.
     
    Easiest would be to create a new OU similar to the department OUs and
    move all objects from main company to that new OU. Then simply link your
    GPO twice.
     
    Other solution: Block inheritance on Servers - but blocking inheritance
    is always a bad idea :)
     
     
    Wednesday, January 27, 2016 5:56 PM

All replies

  • Hi,
    I agree with Martin that rearranging into a new OU is much more achievable.
    Besides, regarding blocking inheritance on Servers, you could refer to the link below:
    https://technet.microsoft.com/en-us/library/cc731076.aspx

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 28, 2016 2:24 AM
    Moderator
  • As I understand it, "Main Company OU" is one OU you have created under the domain level. If you want to apply the GPO only to this OU and the 4 sub OUs under it, just link the GPO to this OU. The sub OUs will automatically get the policy. All other OUs that exist at your domain level alongside your "Main Company OU" will not get the policy. You don't need to create any other OU for this.

    The GPO mainly applies in the order below:

    1. First the domain-level policy applies. That means if your domain is test.com and you apply any policy at that level, it applies first. By default one policy is created and applied during your domain creation: the "Default Domain Policy".

    2. After that, any OU-level policy applies.

    3. After that, any sub-OU-level policy applies.

    So in your present scenario, as I have mentioned, you don't need to create any extra OU to achieve your goal, because you have already created one OU and under it 4 sub OUs for the different departments. So if you link the policy to the parent OU, only this OU and all sub OUs under it will get the policy, and no other OU.

    ------------------------------------------------------------------------

    Please remember to mark the replies as answers if they help.

      

    • Proposed as answer by Prips Thursday, January 28, 2016 6:05 AM
    Thursday, January 28, 2016 6:04 AM
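An added example (not from any of the replies) that carries out the scoping described above and checks it, using the GroupPolicy and ActiveDirectory PowerShell modules on a domain-joined admin host: link the GPO once at the parent OU as Prips suggests, then read the effective GPO links on every OU so you can see that the department OUs inherit it and the Servers and Domain Controllers OUs do not. Martin's alternative of blocking inheritance on Servers is included as a commented-out line with the reason it is usually avoided. The domain name, OU names and GPO name are assumptions.

```powershell
# Added example; not the thread's own commands. Domain, OU and GPO names are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN  = 'DC=corp,DC=example,DC=com'                 # assumption
$GpoName   = 'Workstation Hardening Logon Script'        # assumption
$MainOU    = "OU=Main Company,$DomainDN"
$ServersOU = "OU=Servers,$DomainDN"
$DcOU      = "OU=Domain Controllers,$DomainDN"

function Test-GpoInScope {
    # True when the GPO is linked directly to the OU or inherited from a parent container.
    param([string]$OuDn, [string]$Name)
    $inh   = Get-GPInheritance -Target $OuDn
    $links = @($inh.GpoLinks) + @($inh.InheritedGpoLinks)
    return [bool]($links.DisplayName -contains $Name)
}

# 1. Link once, at the parent OU only. Child OUs pick the link up through inheritance,
#    so nothing needs to be linked twice and nothing needs to be blocked elsewhere.
$already = (Get-GPInheritance -Target $MainOU).GpoLinks.DisplayName -contains $GpoName
if (-not $already) {
    New-GPLink -Name $GpoName -Target $MainOU -LinkEnabled Yes | Out-Null
}

# 2. Enumerate the parent, its whole subtree, and the sibling OUs that must stay out of scope.
$childOUs = Get-ADOrganizationalUnit -SearchBase $MainOU -SearchScope Subtree -Filter * |
            Where-Object { $_.DistinguishedName -ne $MainOU } |
            Select-Object -ExpandProperty DistinguishedName
$ous = @($MainOU) + @($childOUs) + @($ServersOU, $DcOU)

# 3. Report where the GPO is actually in scope. Expected: True for Main Company and every
#    OU below it, False for Servers and Domain Controllers.
foreach ($ou in $ous) {
    $inh = Get-GPInheritance -Target $ou
    [pscustomobject]@{
        OU                 = $ou
        GpoInScope         = Test-GpoInScope -OuDn $ou -Name $GpoName
        InheritanceBlocked = $inh.GpoInheritanceBlocked
    }
} | Format-Table -AutoSize

# Martin's alternative, only relevant if the GPO were linked higher up (site or domain):
#   Set-GPInheritance -Target $ServersOU -IsBlocked Yes
# Two reasons it is the weaker option: an Enforced link still applies through the block,
# and the block also discards every other domain-level GPO (including Default Domain Policy
# settings) for that OU, which is easy to forget later.
```

If a machine still runs the script after this, check the User Configuration side of the scoping: the GPO applies to the user object's OU, not the computer's, so a user whose account sits under Main Company will run the logon script on a server unless loopback processing or security filtering on the GPO prevents it. `gpresult /r /scope:user` on the affected host shows which linked GPOs were actually applied.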
  • Hi,
    I am checking whether your issue is solved or not. Are the replies helpful to you?
    If you have any questions, please let us know.
    Appreciate your update.
    Best regards,


    Tuesday, February 02, 2016 6:14 AM
    Moderator
  • Hi,
    Thanks for posting in Microsoft TechNet forums.
    As there has been no further update regarding this issue for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You could also choose to unmark the answer as you wish.


    Friday, February 05, 2016 7:30 AM
    Moderator