Block Policy Inheritance does not work


Brian Nielsen

Hi,

I have a W2K domain with some policies. In the domain I have several OUs
which should have the policies. But one OU - where my admins are - should
not have the policies. Therefore I have set the "Block Policy Inheritance"
flag on that OU. But it is not working. Somehow when the administrator logs
on any machine (server, workstation...) he gets all the policies. Why???

I have checked if I have the "no override" option set somewhere - but no.

Do you have any ideas?

Best Regards.

Brian
 
One thought is that block inheritance will not block domain password policy
but should block "user configuration" settings in Group Policy. Try running
the preset tool while logged onto a computer as one of those administrators
to see what it reports. If you have a secured XP Pro computer in the domain,
install the GPMC on it which can be helpful when troubleshooting Group
Policy problems. You will have to log on to the XP Pro computer as a domain
admin to manage Group Policy for the domain from it. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx -- GPMC.
 
Hi,

It is not domain password policy that I am trying to block (I know you
cannot do that), but SUS server policies, proxy policies and so on. I have
already installed GPMC on an XP machine, but the only thing I can see is that
several policies are applied and none is blocked - at least not because of
block policy inheritance.

I have tried to create a new OU with block policy inheritance, but this is
also not working.

I'm not sure when this behaviour started, but after I have changed some
policies it began, but I don't know what and where :-(

I hope you can help.

Best Regards

Brian
 
Make sure the policies you are trying to block are "user configuration". At
least some of what you describe is computer configuration I believe. You
cannot block "computer configuration" policy on a per user basis. If it is
indeed user configuration, another thing to try is to configure the GPO with
deny permissions for "apply" in the security properties for the group you
want to not have the policy apply to. See the link below on filtering of
Group Policy. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322176 --- see
"how to filter scope".
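
An added example, not part of the thread: a simplified Python model of how Group Policy scope is resolved at logon. It shows why Block Policy Inheritance on the user's OU only removes the user half, while the computer half follows the OU of the machine being logged on to, and how No Override and a Deny on "Apply Group Policy" change the result. All container, GPO and account names are constructed; sites, loopback processing and WMI filters are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    no_override: bool = False            # "No Override" set on the link
    deny_apply: frozenset = frozenset()  # principals denied "Apply Group Policy"

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False      # "Block Policy Inheritance" flag
    parent: "Container | None" = None

def applied_gpos(container, principal):
    """GPOs in scope for an object stored in `container`, lowest precedence first."""
    chain, node = [], container
    while node:
        chain.append(node)
        node = node.parent
    chain.reverse()                      # domain first, then OUs downwards
    normal, enforced = [], []
    for node in chain:
        if node.block_inheritance:
            normal = []                  # inherited links dropped; No Override survives
        for link in node.links:
            if principal in link.deny_apply:
                continue                 # security filtering: Deny always wins
            (enforced if link.no_override else normal).append(link.gpo)
    return normal + enforced[::-1]       # higher-level No Override wins last

def logon(user, user_ou, computer, computer_ou):
    """User settings follow the user's OU; computer settings follow the computer's OU."""
    return {"user_configuration": applied_gpos(user_ou, user),
            "computer_configuration": applied_gpos(computer_ou, computer)}

# Constructed sample domain (hypothetical names)
domain = Container("example.local", [
    Link("Baseline"),
    Link("Lockdown", no_override=True),
    Link("Proxy", deny_apply=frozenset({"admin1"})),
])
admins = Container("Admins", block_inheritance=True, parent=domain)
staff = Container("Staff", parent=domain)
workstations = Container("Workstations", [Link("WS-Settings")], parent=domain)

if __name__ == "__main__":
    print(logon("admin1", admins, "WS01", workstations))
    print(logon("user1", staff, "WS01", workstations))
```
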
 
Alright - I will try this. Within ½ a year I will migrate the system to 2003
AD. Then it will probably start working again with the block policy setting.
At least I hope :-)

Thank you for your help.

-Brian
 
I'm trying something similar. I'd like the W2K DC and admin XPPro PC to not
inherit Default Domain Policy. Tried 'Block Policy Inheritance' at their OUs
- didn't work; still have Default policy. Tried creating a GPO with No
Override for their OUs - didn't work; still have Default policy. For the DC,
also tried editing Default DC Policy, still didn't work. Also went into
Security tab of Default Domain Policy, added the DC and XP box, and set their
Apply Group Policy to Deny. (Been force-refreshing DC and PC with each
trial.) Still nothing!!
 
Eventually just said "screw it" and removed Default policy settings that
bugged me, created a new OU containing all other PCs (excluding DC and my XP
PC), and created a GPO for that OU with the settings I needed...
 