Blocking Inheritance

[Janette Martin]

I have one domain policy, on the domain. I wish to block
inheritance of it to the IT dept. I checked the block
inheritance on the IT OU, which contains all the IT
members and IT PC's. But, the policy is not being blocked.
Using gpresult, I can see I still am having it applied.
Any ideas?

TIA,
Janette

 

[Tim Springston \(MSFT\)]

Hi Janette-

XP may cache group policy processing info at time, though it should notice a
change such as a new block policy inheritance bit.

To see if that is a factor, and get a closer look at the processing, I would
suggest enabling USERENV logging on the client machine, then logon and
logoff to fill it up with info.

Here's the article on how to enable that logging:

221833 How to Enable User Environment Debug Logging in Retail Builds of
Windows
http://support.microsoft.com/?id=221833

To reach the relevant portions of the USERENV.LOG quickly you can search on
username, then search for ApplyGroupPolicy.

Please repost with what you find or if we can help.

 

[Janette Martin]

It took a little digging, but I guess since the settings I
was trying to block are Account Policies, which a friend
told me - are not excludable. That's ok. I was trying to
exclude the officers from changing passwords. I prefer
they do change their passwords. I am happy with this
result. (Behavior by design.)

Thanks~