Block Inheritance Not Working


  • Block Inheritance Not Working

    Hi all,

    I have recently taken over a Windows 2003 AD Domain and I am trying to sort out the Group Policies. Admittedly they were used sparingly but I am a little confused over one issue.

    We have a Default Domain policy (DDP) which has the Password length, duration, etc. settings set. However, a few OUs are set to Block Inheritance yet these settings still seem to apply. I have looked at the 'Group Policy Inheritance' tab for each of these OUs with the blocking set and the DDP is not listed. There are no other policies on these OUs that deal with passwords and the DDP is not enforced.

    However, users in these OUs are still being asked to change their passwords every x amount of days.

    Before you ask 'why do you want to block the DDP', I do not and will fix this, but I am wondering why the policy seems to be applying to the blocked OUs.

    Thanks

    Jim

  • #2
    Re: Block Inheritance Not Working

    The reason is the password policy doesn't apply directly to the users but rather to the domain itself. So you can only have one Domain Password Policy for the entire domain unless you are using fine-grained password policies (you need to be running a Windows 2008 or newer AD and be in 2008 domain functional level or higher).

    http://technet.microsoft.com/en-us/l...(v=ws.10).aspx
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Block Inheritance Not Working

      Excellent, I knew it was something quite simple! Does this apply to all settings within the Default Domain policy or just certain ones?



      • #4
        Re: Block Inheritance Not Working

        As far as I know, only the password policy works this way.

        Unlike most of the other settings, the password policy will affect the user database (which is Active Directory in the case of domain users). The other settings apply to configurations, properties, rights, permissions, etc. that are on or controlled by the computer they log on to.

        I should note that the Password Policy settings will apply in the normal inheritance way to the local SAM db on the member computers. So if you were to create a user on the local workstation, the winning GPO that has some password policies configured would be in effect for the local users (not Active Directory users).

        Hopefully that doesn't confuse you. Bottom line, one password policy per domain because you can only have one apply to Active Directory.*

        * - fine-grained password policies allow multiple password policies for different groups of users as I pointed out in my first post.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com
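
A way to check the behaviour described in posts #2 and #4, added here as an example that is not part of the original thread: for every user in an OU, report whether the OU blocks inheritance and which password policy actually governs the account (the single domain policy, or a fine-grained policy if one applies). It assumes the ActiveDirectory and GroupPolicy RSAT modules and a domain that supports fine-grained password policies; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and GroupPolicy
# RSAT modules are installed and the domain supports fine-grained password policies.
Import-Module ActiveDirectory, GroupPolicy

# Placeholder OU distinguished name; substitute an OU that has Block Inheritance set.
$ou = 'OU=Example,DC=example,DC=local'

# Whether GPO inheritance is blocked on the OU (this does not affect domain accounts'
# password policy, which is what the report below demonstrates).
$blocked = (Get-GPInheritance -Target $ou).GpoInheritanceBlocked

# The one password policy stored on the domain itself.
$default = Get-ADDefaultDomainPasswordPolicy

Get-ADUser -Filter * -SearchBase $ou | ForEach-Object {
    # Returns the winning fine-grained policy (PSO) for the user, or nothing if none applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_
    $effective = if ($pso) { $pso } else { $default }

    [pscustomobject]@{
        User                = $_.SamAccountName
        OUBlocksInheritance = $blocked
        PolicySource        = if ($pso) { "PSO: $($pso.Name)" } else { 'Domain default' }
        MinPasswordLength   = $effective.MinPasswordLength
        MaxPasswordAge      = $effective.MaxPasswordAge
    }
} | Format-Table -AutoSize
```

Users in a blocked OU with no fine-grained policy assigned show `Domain default` as the source, with the same length and age values as every other domain user.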



        • #5
          Re: Block Inheritance Not Working

          All very clear thanks JeremyW. I have dealt with group policies a fair amount but never seen fit to block inheritance (although I can see its usefulness perhaps in some situations) hence why I was slightly confused.

          Unsure why it is set up as it is (had no handover and no documentation) but they have very few policies so will likely redo them all anyway!

          Many Thanks for your help

          Jim



          • #6
            Re: Block Inheritance Not Working

            Glad to help.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com
