Prevent use of "Block Inheritance" under GPMC?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Prevent use of "Block Inheritance" under GPMC?

    Dear All,

    I'm facing a problem with delegation on OUs for GPOs that I'm not able to resolve alone.
    I have a domain that contains around 10 child domains.

    The domain functional level is Windows 2000 native.
    The forest functional level is Windows 2000.

    The forest is administered by one dedicated team, but each child domain can be administered by a local team.

    The main team must be able to administer whatever they want, and that is already OK.

    The local team can manage, on their dedicated OU:
    - Users
    - Groups
    - Nested OUs
    - GPOs

    For GPOs, the local team can do on its dedicated OU:
    - Create/Modify GPO
    - Add/Remove Link

    They must not be able to block GPO inheritance!
    Why?
    Because we don't want the local team to bypass some policies, such as the Password Policy or other GPO settings.

    After some searching I found a really interesting article:
    windowsecurity.com/articles/Controlling-Block-GPO-Inheritance-via-Delegation

    [I do not have 5 posts yet, so I can't post a URL.]

    But when I apply the specific permissions, the "Block Inheritance" option is still available and usable.

    Has someone already tested it successfully?

    Sorry for my poor English; I hope that you will understand my request.

    Best regards.

  • #2
    Re: Prevent use of "Block Inheritance" under GPMC?

    Can't you enforce the critical GPOs? This will beat a block automatically.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: Prevent use of "Block Inheritance" under GPMC?

      Ossian,

      Thank you for your answer.

      If I enforce the GPO at a top hierarchical level of my AD, it will be possible for people who have delegation on low-level OUs to activate the "Block Inheritance" option via GPMC.

      So, even if I have enforced my GPO, it will be blocked.

      The idea is to allow the creation of GPO links but not the possibility to enforce them.
      On TechNet I found that the gPOptions property contains the Block Policy Inheritance setting.

      I also read that to manage GPO links to a site, domain, or OU, you must have read and write access to the gPLink and gPOptions properties.

      So what I want to do is simply impossible...
      technet.microsoft.com/de-de/library/cc784268%28v=ws.10%29.aspx

      • #4
        Re: Prevent use of "Block Inheritance" under GPMC?

        They can "block", which will stop non-enforced GPOs, but anything enforced will go through the block like a neutrino through lead.
        Tom Jones
        • #5
          Re: Prevent use of "Block Inheritance" under GPMC?

          Hi again, Ossian,

          I have checked and you are right!

          An enforced GPO cannot be blocked, even if you have blocked inheritance on a nested OU.

          This notion was not clear, but now it is.

          Thanks for your help!
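
          As an added example that is not part of this thread (and not code from any of the posters), the PowerShell below puts the advice from #2 and #4 and the attributes named in #3 into one script. It enforces the GPO that carries the password policy at the domain root, then reads gPOptions and gPLink directly from every OU to list the ones where a local team has turned on Block Inheritance, and confirms through Get-GPInheritance that the enforced GPO still applies there. It needs the GroupPolicy and ActiveDirectory RSAT modules on the management host; the GPO name 'Default Domain Policy' is an assumption, so replace it with the GPO you actually enforce.

```powershell
# Added example, not from the thread. Requires the GroupPolicy and ActiveDirectory
# modules (RSAT). $CriticalGpo is an assumption; use the GPO that carries your
# password policy.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$CriticalGpo = 'Default Domain Policy'
$DomainDn    = (Get-ADDomain).DistinguishedName

# 1. Link the critical GPO at the domain root and mark the link Enforced.
#    An enforced link from above is applied even on an OU that blocks inheritance.
Set-GPLink -Name $CriticalGpo -Target $DomainDn -Enforced Yes -ErrorAction Stop

# 2. Decode the gPLink attribute that post #3 refers to. It is a string of the form
#    "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;2][LDAP://...;0]"
#    where the trailing number is a bit mask: 1 = link disabled, 2 = link enforced.
function Get-GpLinkFlags {
    param([string]$GpLink)
    if ([string]::IsNullOrEmpty($GpLink)) { return @() }
    [regex]::Matches($GpLink, '\[LDAP://([^;]+);(\d+)\]') | ForEach-Object {
        $opt = [int]$_.Groups[2].Value
        [pscustomobject]@{
            GpoDn    = $_.Groups[1].Value
            Enforced = ($opt -band 2) -ne 0
            Disabled = ($opt -band 1) -ne 0
        }
    }
}

# 3. Audit: gPOptions = 1 on a container means "Block Policy Inheritance" is set.
$blockers = Get-ADOrganizationalUnit -Filter * -Properties gPOptions, gPLink |
    Where-Object { $_.gPOptions -eq 1 }

foreach ($ou in $blockers) {
    # Ask GPMC for the effective inheritance on this OU; enforced links from parents
    # still show up in InheritedGpoLinks even though the OU blocks inheritance.
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    $stillApplied = $inh.InheritedGpoLinks |
        Where-Object { $_.Enforced -and $_.DisplayName -eq $CriticalGpo }

    [pscustomobject]@{
        OU                 = $ou.DistinguishedName
        BlocksInheritance  = $inh.GpoInheritanceBlocked
        CriticalGpoApplies = [bool]$stillApplied      # expected: True once step 1 ran
        LocalLinks         = (Get-GpLinkFlags $ou.gPLink |
                              ForEach-Object { $_.GpoDn }) -join '; '
    }
}
```

          Run it as a member of the forest-level team, since step 1 writes gPLink on the domain object. Any row with CriticalGpoApplies = False means the enforced link is missing or disabled at the domain, not that the block won; an OU blocking inheritance is expected and harmless for the enforced GPO, which is exactly the point Ossian makes in #4.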
