Block GPO Inheritance
-
Dont know what I am doing wrong Trying to exempt a specific OU from my password policies. I have BLOCKED the OU but It still requires the password policy. What am I missing?
-
Sounds like you probably need fine-grained password policies.
https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
-
Is this GPO pulled from another group policy that the OU is a part of?
-
What method did you use to block the OU?
-
Did you make it a Computer or User policy?
Even though you have blocked the inheritance on an OU, it might be applied elsewhere and still get through.If it's a Computer policy and you are blocking the inheritance on the User OU, you might find that the policy is also applied on the Computer OU and hence why it is still active.
-
Where have you applied it to? Domain level or lower?
-
@Brains Open group policy management
Right click OU
Enable block inheritance
-
@nadnerB applied at the OU
-
is there a way to set password policies in a GPO's user configuration?
I only see them in computer configuration
-
or should I create a GPO for just the password policies?
-
some background...we have ricoh scanners and these scanners do not accept a special character in the password field. our company policy requires a special character in the password so we need to exclude the accounts used for the ricoh scanners
-
i applied at the domain level now
-
Filter using by OU using WMI. In your case, you would deny the specific WMI filter for that OU.
-
This might be a little easier....
www.grouppolicy.biz/2010/02/how-to-find-and-use-wmi-values-for-group-policy-filtering/
-
@IRJ said in Block GPO Inheritance:
Filter using by OU using WMI. In your case, you would deny the specific WMI filter for that OU.
This is the way I would do it if there isnt a SG you can filter by
-
@alex.olynyk said in Block GPO Inheritance:
is there a way to set password policies in a GPO's user configuration?
I only see them in computer configurationThey are located in computer configuration, why do you want to set them as user config?
-
@alex.olynyk said in Block GPO Inheritance:
or should I create a GPO for just the password policies?
Discrete policies are best
-
@IRJ said in Block GPO Inheritance:
This might be a little easier....
www.grouppolicy.biz/2010/02/how-to-find-and-use-wmi-values-for-group-policy-filtering/
great reference site for a whole host of questions!
-
@Brains Agree. I much rather manage SG memberships for GPO, than OU placement. Less clutter, less margin of error, easier access and oversight. I also understand that people often inherit their AD schema from predecessors and can't afford the time and risk for a complete redesign.
-
@chrisnbrooks What is SG?
-
security group
