Block GPO Inheritance

tiagom

Sounds like you probably need fine-grained password policies.

https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

DustinB3403

Is this GPO pulled from another group policy that the OU is a part of?

Brains

What method did you use to block the OU?

nadnerB

Did you make it a Computer or User policy?
Even though you have blocked the inheritance on an OU, it might be applied elsewhere and still get through.

If it's a Computer policy and you are blocking the inheritance on the User OU, you might find that the policy is also applied on the Computer OU and hence why it is still active.

nadnerB

Where have you applied it to? Domain level or lower?

alex.olynyk

@Brains Open group policy management
Right click OU
Enable block inheritance

alex.olynyk

@nadnerB applied at the OU

alex.olynyk

is there a way to set password policies in a GPO's user configuration?
I only see them in computer configuration

alex.olynyk

or should I create a GPO for just the password policies?

alex.olynyk

some background...we have ricoh scanners and these scanners do not accept a special character in the password field. our company policy requires a special character in the password so we need to exclude the accounts used for the ricoh scanners

alex.olynyk

i applied at the domain level now

IRJ

Filter using by OU using WMI. In your case, you would deny the specific WMI filter for that OU.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/efa8d1f8-1ef9-47b6-8a1b-ea633a5c213a/seacrhing-computers-ou-or-dn-in-wmi-filter?forum=winserverGP

IRJ

This might be a little easier....

www.grouppolicy.biz/2010/02/how-to-find-and-use-wmi-values-for-group-policy-filtering/

Brains

@IRJ said in Block GPO Inheritance:

Filter using by OU using WMI. In your case, you would deny the specific WMI filter for that OU.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/efa8d1f8-1ef9-47b6-8a1b-ea633a5c213a/seacrhing-computers-ou-or-dn-in-wmi-filter?forum=winserverGP

This is the way I would do it if there isnt a SG you can filter by

Brains

@alex.olynyk said in Block GPO Inheritance:

is there a way to set password policies in a GPO's user configuration?
I only see them in computer configuration

They are located in computer configuration, why do you want to set them as user config?

DustinB3403

@alex.olynyk said in Block GPO Inheritance:

or should I create a GPO for just the password policies?

Discrete policies are best

Brains

@IRJ said in Block GPO Inheritance:

This might be a little easier....

www.grouppolicy.biz/2010/02/how-to-find-and-use-wmi-values-for-group-policy-filtering/

great reference site for a whole host of questions!

chrisnbrooks

@Brains Agree. I much rather manage SG memberships for GPO, than OU placement. Less clutter, less margin of error, easier access and oversight. I also understand that people often inherit their AD schema from predecessors and can't afford the time and risk for a complete redesign.

alex.olynyk

@chrisnbrooks What is SG?

alex.olynyk

security group