Question

Blocking inheritance in GPOs in Windows Server 2008

Answer 1

INTRODUCTION

A group policy object "Group Policy Object" is a set of one or more system policies. Each of the system's policies establishes a configuration of the object it affects. For example, I pass some possible:

• Set the title of the Internet browser
• Hide the control panel
• Disable the use of REGEDIT.EXE and REGEDT32.EXE
• Establish which MSI packages can be installed on a computer

We also have the trunk types of directives, which we can define two categories of trunk types of directives:

• Hay dos tipos troncales de directivas según su función: According to its function: There are two types of directives according to their function:

• Security policies : How many characters does a password have? How often should this be changed? They can be applied:
  
• At the domain level: They are applied to all machines in the domain.
  
• At the level of domain controllers: They apply only to domain controllers, but without supplanting those of the domain (in case of contradicting each other, the domain control is applied, not domain controllers).

• ¿Quién tiene acceso al panel de control? Environment Policy (Group Policy Object): Who has access to the control panel? What is the maximum size of the system log file? They can be applied:

• At the local team level
  
• At the site level
  
• At the domain level
  
• At the level of Organizational Unit (OU -> Organizational Unit).

Inheritance Block

• Now that we have a brief introduction to GPOs, we will move to the inheritance block of a GPO.
• It may be the case that we need, for whatever reason, that group policies are not applied in any location, say an "OU" .
• By blocking the inheritance of group policies, we obtain from that location that none of the GPOs that apply at higher levels are applied.
• In this example what we intend is to block the inheritance from the OU "USERS" and for that, we select said OU , we press in right button and we select "BLOCK INHERITANCE".

• We see that now an exclamation point appears next to the "USERS" Organizational Unit to indicate that the inheritance is " BLOCKED".
• If we press right button on the OU in question, we observe that it has the mark indicating that the inheritance block is activated.
• Remember that right now, if we did not have any GPO linked to this GPO, as is the case, none of the policies that we have defined are applied to it.

The inheritance block is a tool with which we must work with care. It is very useful in the case of testing new GPOs. We can block the inheritance in an "OU" , link the GPO we want to test and thus see the results in a cleaner way, without interference from any other GPO.

---