Block Inheritance not working

    Question

  • Hi There,

    For some reason, Block Inheritance is not working on OU.

    Details:

    I have an OU called "Sydney" where I have applied a Proxy setting policy, this means, this policy will apply to all OU under "Sydney" OU. Now, I have another OU called "IT Test" which I have blocked from inheriting any policy which is applied to "Sydney" OU. Now, I am modifying the policy which is applied to "Sydney" OU and trying to apply that modified policy to "IT Test" OU only but for some reason, main Policy which is applied to "Sydney" OU is kept applying to "IT Test" OU. Not sure why. I have Blocked Inheritance on "IT Test" OU but still it doesn't make any difference and doesn't want to apply the policy which I have applied to "IT Test" OU only.

    Older policy is applied through Registry and new modified policy is also applied through making change to registry files (Just some details are changed) but still I can see old policy is being applied. I am trying this on Windows Server 2012 R2.

    Could I please have some assistance?

    Below are images:

    No Policy applied on Computer Level:

    Still below gpresult /r shows policy applied on Computer Level:

    Also, below image shows, policy is configured on User Level

    But below image shows Proxy Setting policy has been applied but this policy is blocked from inheriting to IT Test OU:

    Below image shows, intended OU is Blocked from inheriting Policies, still it for some bizarre reason, inherits top level policies:

     

    Many thanks





    Tuesday, June 28, 2016 6:41 AM

Answers

  • > *But below image shows Proxy Setting policy has been applied but this
    > policy is blocked from inheriting to IT Test OU:*
     
    Seems the user is NOT in your "IT Test OU" - at least that's what I can
    see in the User RSoP Screenshot...
     
    Tuesday, June 28, 2016 9:38 AM
  • > Now, *Information Technology* OU (Where KPTest user account is sitting)
    > is inheriting *Proxy Setting* GPO which is applied to *Sydney* (Top) OU
    > but *IT Test* OU (Where computer *GPO Test Machine* is sitting) is
    > blocked from Inheriting *Proxy Setting* GPO.

    Computers do not look in user GPOs. Users do not look in computer GPOs.
     
    If you apply a user GPO, but block inheritance for the computer OU -
    what outcome do you expect? Correct - nothing :)
     
    Wednesday, June 29, 2016 11:37 AM

All replies

  • Did you reboot the client machine, so that it can re-process GP?

    Check the inheritance tab of the OU in question - is the "Proxy Settings" GPO listed as inherited?

    And, although it does not show as Enforced in your screenshot, check if the "Proxy Settings" GPO is Enforced=True:

    https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/

    Check the client machine event logs to see if GP is processing correctly without errors.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, June 28, 2016 7:21 AM
  • Hello Martin,

    Thanks for replying.

    Yes, User isn't in the IT Test OU. The OU, in which the user account I logged in with is sitting, is inheriting "Proxy Setting" GPO which is applied to "Sydney" OU (Top OU). And the computer I am logging on is in IT Test OU and this OU is blocked from inheriting GPO from Sydney OU. So I assume, policy is applied to computer from the OU in which user account is sitting but not from OU where computer is sitting. So it seems 2 policies are being applied, one "Proxy Setting" GPO is being applied on the OU where user account is sitting and second "IT Test Proxy Setting" GPO is being applied on the OU where computer is sitting. So it seems "Proxy Setting" GPO is overriding "IT Test Proxy Setting" GPO. Has it been always there?

    I am trying to find a work around if it is possible. Current Settings are as under:

    1. Computer Name: GPO Test Machine which is in IT Test OU
    2. User name: KPTest which is in Information Technology OU
    3. GPO: Proxy Setting is applied to Sydney OU (The Top OU)
    4. IT Test OU is blocked from inheriting policy from Sydney OU and IT Test OU has IT Test Proxy Setting policy configured to be applied to computers within this OU

    Now, Information Technology OU (Where KPTest user account is sitting) is inheriting Proxy Setting GPO which is applied to Sydney (Top) OU but IT Test OU (Where computer GPO Test Machine is sitting) is blocked from Inheriting Proxy Setting GPO. IT Test OU has IT Test Proxy Setting GPO applied. Now, I am logging onto GPO Test Machine with KPTest user account and would like to apply IT Test Proxy Setting GPO only. Is there any way to apply that policy without moving KPTest user account to IT Test OU? If I move user account into IT Test OU, it works perfectly fine but as soon as I move KPTest user account back to Information Technology OU, top policy which is applied to Sydney OU applies again.

    Hope, I was clear enough but please let me know should you need more information.

    Many thanks


    Wednesday, June 29, 2016 12:12 AM
  • Hi DonPick,

    Thanks for the reply, your post definitely helped me to enhance my knowledge on GPO.

    Many thanks once again but if you could look into my reply to Martin (above) and give me some of your inputs would be much appreciated.

    Many thanks


    Wednesday, June 29, 2016 12:14 AM
  • Hi Kalpesh,

    Thanks for your post.

    To clarify, you configure proxy setting with registry under user configuration in Proxy Setting GPO which is applied to Sydney. And Information Technology OU did not block inheritance from Sydney.

    If yes, what you have described is expected behavior.

    Because the Proxy Setting GPO will apply when you use an account, which is a member of Information Technology OU, to log on to the computer which is a member of IT Test OU.

    To block a user configuration, you should block inheritance on a user OU.

    Best Regards,

    Jay



    Wednesday, June 29, 2016 6:42 AM
    Moderator
  • Thanks Martin,

    So this means, whatever policy applied to Top OU actually supersedes policy applied within blocked OU.

    Thanks

    Wednesday, June 29, 2016 11:14 PM
  • > So this means, whatever policy applied to Top OU actually supersedes
    > policy applied within blocked OU.
     
    No.
     
     
    Thursday, June 30, 2016 7:26 AM
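
The scoping rule described in the answers above, as an added example (not part of the thread and not Microsoft's code): a simplified Python model in which the user half of a GPO is resolved from the user's OU chain and the computer half from the computer's OU chain. It assumes both proxy GPOs hold only User Configuration settings and that Information Technology sits directly under Sydney; the Enforced case goes beyond the thread's setup, and link order and filtering are not modeled.

```python
# Simplified model of GPO scoping (illustration only; names taken from the thread).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class GPO:
    name: str
    user: bool = False       # GPO carries User Configuration settings
    computer: bool = False   # GPO carries Computer Configuration settings

@dataclass
class OU:
    name: str
    parent: "OU | None" = None
    block_inheritance: bool = False
    links: list = field(default_factory=list)   # [(GPO, enforced)]

def applicable(ou):
    """GPOs that reach objects in `ou`, in apply order (last one wins)."""
    normal, enforced, blocked, node = [], [], False, ou
    while node is not None:
        for gpo, is_enforced in node.links:
            if is_enforced:
                enforced.append(gpo)     # Enforced links ignore Block Inheritance
            elif not blocked:
                normal.append(gpo)       # dropped once a block lies below this OU
        blocked = blocked or node.block_inheritance
        node = node.parent
    return normal[::-1] + enforced       # parents first, enforced links last

def rsop(user_ou, computer_ou):
    """User settings follow the user's OU; computer settings the computer's OU."""
    return {
        "user": [g.name for g in applicable(user_ou) if g.user],
        "computer": [g.name for g in applicable(computer_ou) if g.computer],
    }

def build_thread_layout(user_in_it_test=False, enforce_top=False):
    """Constructed layout: KPTest logs on to a computer in the blocked IT Test OU."""
    proxy = GPO("Proxy Setting", user=True)
    it_proxy = GPO("IT Test Proxy Setting", user=True)   # assumed user-side only
    sydney = OU("Sydney", links=[(proxy, enforce_top)])
    info_tech = OU("Information Technology", parent=sydney)
    it_test = OU("IT Test", parent=sydney, block_inheritance=True,
                 links=[(it_proxy, False)])
    return rsop(it_test if user_in_it_test else info_tech, computer_ou=it_test)

if __name__ == "__main__":
    print(build_thread_layout())                       # user in Information Technology
    print(build_thread_layout(user_in_it_test=True))   # user moved into IT Test
    print(build_thread_layout(user_in_it_test=True, enforce_top=True))
```

With the user in Information Technology, the block on the computer's OU changes nothing on the user side; moving the user into IT Test is what swaps the resulting user policy, matching what the original poster observed.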