25 March, 2012

Group Policy Enforce and Block Inheritance

Block Inheritance :- As discussed in my previous post, Group Policy settings are cumulative in nature... Effectively, all the policies (Local + Site + Domain + OU) will apply to the machine/user.

Is there a way to stop this... Yes... And the answer is "Block Inheritance". 

Block Inheritance is applied at an OU level. When Block Inheritance is enabled, no policies linked above that OU (site, domain or parent OU) will apply to that OU. So the only policies that get applied will be the ones linked to that OU itself.

So does it mean that the higher-level policies cannot be applied at all... Microsoft has an answer to this as well, and that is "Enforced".

Group Policy Enforce :- Enforced is set on a Group Policy Object (strictly speaking, on its link). Once a GPO is enforced, that GPO will get applied to everything below the level at which it is linked, even where Block Inheritance is set further down.

Suppose I have a GPO A linked at the domain level and a GPO B linked at an OU level. Without "Block Inheritance" or "Enforced", both GPOs (A and B) will apply to the OU. Once you enable "Block Inheritance" on the OU, only GPO B will get applied to the OU. But now if you enable "Enforced" on GPO A, then no matter whether you have Block Inheritance on the OU or not, GPO A (on which Enforced is enabled) will apply to the OU along with GPO B...

Let's prove the above statement...

Here, we have a Group Policy at the domain level, "Domain Level Group Policy to Hide Run", and another Group Policy at the OU level, "OU Level Group Policy to Show Run".

We are "Enforcing" the domain level Group Policy.


Now, running RSOP on the machine, it shows that the domain level Group Policy is getting applied, even though there is a Group Policy at the OU level (OU Level Group Policy to Show Run).


Now we will enable "Block Inheritance" on the OU.

Now, if "Enforced" was not enabled, none of the Group Policies coming from above the OU would have applied to the OU. But since Enforced is set on the domain level Group Policy, the domain level Group Policy will still take effect.


As stated earlier, if "Enforced" was not enabled, none of the Group Policies coming from above the OU would have applied to the OU. But since Enforced is set on the domain level Group Policy, the domain level Group Policy still takes effect.


One more example...

Let's enable the setting "Remove Document Icon from Start Menu" in the domain level Group Policy "Domain Level Group Policy to Hide Run", on which "Enforced" is enabled.

Running RSOP... Now both settings from "Domain Level Group Policy to Hide Run", which is linked at the domain level and has Enforced enabled, are getting applied, even though the OU has Block Inheritance set.


I know... you are still not sure if "Block Inheritance" is actually working... Let's test then...

This time, instead of the "Domain Level Group Policy to Hide Run" policy, we will make a change in the "Default Domain Policy". Both policies are linked at the domain level; the only difference is that "Domain Level Group Policy to Hide Run" has "Enforced" enabled, whereas the Default Domain Policy does not...

So technically speaking, the settings in the Default Domain Policy (without Enforced) will not take effect on the OU where "Block Inheritance" is enabled.

In the Default Domain Policy, we will enable "Remove Network Connection from Start Menu".


RSOP....

Proved!!!... There are still only two settings getting applied, both from the "Domain Level Group Policy to Hide Run", which has "Enforced" enabled... The settings from the Default Domain Policy did not get applied, because it does not have "Enforced" enabled and the OU where this machine is placed has "Block Inheritance" enabled...



Going into the Properties of User Configuration (RSOP)...

It clearly states that the policies "Default Domain Policy" and "Site Level Group Policy to Show Run" did not get applied (they got filtered), and we now know the reason...
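To make the precedence rule behind the whole walkthrough (LSDOU order, Block Inheritance on the OU, Enforced on the domain link) something you can step through without a lab, here is a small Python model of how the resultant set of policy is built. It is an added example, not code from this post and not Microsoft's engine: it assumes a single OU with no nested OUs, no security or WMI filtering, and no link-order ties beyond list order. The GPO names are the ones used in the post; the setting names are constructed strings that mirror the settings shown in the RSOP screenshots.

```python
from dataclasses import dataclass

# Group Policy processing order (LSDOU): Local, then Site, then Domain, then OU.
# A GPO applied later overrides the same setting from a GPO applied earlier.
LEVEL_ORDER = ["Local", "Site", "Domain", "OU"]


@dataclass
class GPO:
    name: str
    settings: dict  # setting -> "Enabled"/"Disabled"; not-configured settings are absent


@dataclass
class Link:
    gpo: GPO
    level: str  # one of LEVEL_ORDER
    enforced: bool = False


def apply_order(links, ou_blocks_inheritance):
    """Return the links in the order Windows applies them (last one wins)."""
    # Stable sort keeps the given order for links at the same level.
    ordered = sorted(links, key=lambda link: LEVEL_ORDER.index(link.level))
    normal = [link for link in ordered if not link.enforced]
    enforced = [link for link in ordered if link.enforced]
    if ou_blocks_inheritance:
        # Block Inheritance discards non-enforced links coming from above the OU
        # (Site, Domain, parent OUs). Local policy and links on the OU itself stay.
        normal = [link for link in normal if link.level in ("Local", "OU")]
    # Enforced links are processed after all others, in reverse LSDOU order, so an
    # enforced Domain link ends up winning even over an enforced OU link.
    return normal + list(reversed(enforced))


def resultant_settings(links, ou_blocks_inheritance):
    """RSoP-style merge: setting -> (value, name of the GPO that won)."""
    result = {}
    for link in apply_order(links, ou_blocks_inheritance):
        for setting, value in link.gpo.settings.items():
            result[setting] = (value, link.gpo.name)
    return result


def filtered_gpos(links, ou_blocks_inheritance):
    """Names of linked GPOs that RSoP would list as filtered out (not applied)."""
    applied = {id(link) for link in apply_order(links, ou_blocks_inheritance)}
    return [link.gpo.name for link in links if id(link) not in applied]


# Constructed scenario mirroring the post: GPO names from the post, setting
# names are illustrative stand-ins for the Start Menu policies shown in RSOP.
HIDE_RUN = GPO("Domain Level Group Policy to Hide Run",
               {"Remove Run from Start Menu": "Enabled",
                "Remove Document Icon from Start Menu": "Enabled"})
DEFAULT_DOMAIN = GPO("Default Domain Policy",
                     {"Remove Network Connection from Start Menu": "Enabled"})
SITE_SHOW_RUN = GPO("Site Level Group Policy to Show Run",
                    {"Remove Run from Start Menu": "Disabled"})
OU_SHOW_RUN = GPO("OU Level Group Policy to Show Run",
                  {"Remove Run from Start Menu": "Disabled"})

DEMO_LINKS = [
    Link(SITE_SHOW_RUN, "Site"),
    Link(DEFAULT_DOMAIN, "Domain"),
    Link(HIDE_RUN, "Domain", enforced=True),
    Link(OU_SHOW_RUN, "OU"),
]

if __name__ == "__main__":
    for blocked in (False, True):
        print(f"\nBlock Inheritance on the OU: {blocked}")
        for setting, (value, winner) in resultant_settings(DEMO_LINKS, blocked).items():
            print(f"  {setting}: {value}  (from {winner})")
        print("  filtered:", filtered_gpos(DEMO_LINKS, blocked))
```

With Block Inheritance on, the model reproduces the final RSOP screen: only the two settings from the enforced domain GPO apply, the Run setting is "Enabled" even though the OU and site policies try to disable it, and "Default Domain Policy" plus "Site Level Group Policy to Show Run" are the filtered entries. Drop the `enforced=True` flag and the OU policy wins the Run setting, which is the "no Enforced" case described earlier. On a real domain the same questions are answered by `Get-GPInheritance -Target "OU=<your OU DN>"` (shows `GpoInheritanceBlocked` and the inherited links) and by `gpresult /r` or `Get-GPResultantSetOfPolicy` for the RSoP the post screenshots.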