Announcement

Collapse
No announcement yet.

exclude gpo without block inheritance question

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • exclude gpo without block inheritance question

    Is there a way to exclude 2 current GPOs from applying to OU 1602000 only with current OUs structure or the only way is to create
    NEW OU under OU Sites, move OUs from 1602001 to 1602014 to NEW OU and link 2 existing GPOs to NEW OU?
    Ideally, I would like to not create an additional OU and just not apply 2 existing GPOs to 1602000 (others would be apply later to OU Sites and will be needed by all sub OUs.

    Please see the pic (the text of the message appears on pic)
    Attached Files
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Re: exclude gpo without block inheritance question

    Several ways to handle this...

    1. If the 2 GPOs are linked to the Sites OU, then you could unlink it from there and link it to each sub-OU execpt 160200.

    2. Just block inheritance on 160200, then link all of the GPOs that you need directly on that OU.

    3. Move all OUs except for 160200 to New OU under sites and link the two GPOs there.

    I would go with #1 if the GPOs are linked to sites OU. I would go with #2 if the two GPOs are much higher in the structure and the GPOs are needed for other OUs in the logical structure.

    I do not tend to like option 3 because it doesn't look nice. I am very picky about the AD structure. Based on my particular issue with structure, if I had to go with three, I would probably create two OUs under Sites based on different GPO policies. This is because today you have this requirement with 160200, but tomorrow you may have other subsites that require the same treatment as 160200.
    JM @ IT Training & Consulting
    http://www.itgeared.com

    Comment


    • #3
      Re: exclude gpo without block inheritance question

      JM,
      I guess you answered to one of my questions some time ago and I appreciated detailed explanation.
      Don't want to give just a compliment, but I think beside the knowledge you have god's given talent to explain...
      OK. back to my question
      So, if I understood correctly your suggestion (will be #4)
      is to create under Sites OU, 2 OUs. Let say OU=Internal and OU=External.
      Then to place 160200 in Internal and all others to External.
      This way I can link "personal" GPOs for 160200 and for others. But common GPOs for both link to Sites. I think it is ideal.
      Basically my first scenario was to create just one sub OU for others beside 160200. The result would be the same. But having 2 will be more comprehensive.
      Did I understand your "#4" correctly?

      THX.
      "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

      Comment


      • #4
        Re: exclude gpo without block inheritance question

        Correct on #4, and thanks for the nice compliment.
        JM @ IT Training & Consulting
        http://www.itgeared.com

        Comment

        Working...
        X