ExamNotes.net
Author Topic: "Block Policy Inheritance"  (Read 1255 times)
Tech Ranger
« on: February 24, 2002, 04:24:28 PM »

I am going bonkers trying to understand the hierarchy of how GPOs are applied.  "Do not override" makes sense because without it an OU GPO could take precedence over a policy set at the domain level.  The domain admin can thereby protect his GPO.  BUT, when would you ever have to use "Block policy inheritance"?  If I'm doing a GPO at the OU level, my policy overrides anything from above without any blocking.  I am begging someone to give me an example where "Block Policy Inheritance" is NECESSARY.  Thank you!!!

The Computer is a creation of man.  Man is a creation of God! -  
Joe from Brooklyn
wbafrank
« Reply #1 on: February 24, 2002, 05:21:10 PM »

:D explain what you are after:

http://www.swynk.com/friends/stecker/group_policy_strategy.asp

One Exam leads to another!  Where will it ever end?
lenee
« Reply #2 on: February 24, 2002, 05:40:29 PM »

Let's say you're applying a group policy at the domain level,
let's say domain.com.
Within that domain you have many organizational units (OUs). Let's say OU1, OU2, OU3.
Now you want the group policy to apply only to OU1 and OU2 but not to OU3.
How are you going to be able to accomplish that?
Block policy inheritance!!
If you had applied No Override at the domain level, then No Override takes precedence and block policy inheritance is overridden.
Another scenario in human terms:
Let's say you lock yourself in your room along with your elder brother (GPO OU). Then you escape the rules from your parents (GPO domain), but you're still stuck with your elder brother's rules, right? Block policy here is your bedroom door. However, if your parents apply the No Override (breaking down the door), you still have to listen to their rules.
Hope it helps...
freak
« Reply #3 on: February 24, 2002, 06:26:34 PM »

Great post. Thanks :)

Freak, MA, M.Ed., Net+,I-Net+, Security+, CEH, CEI, CCA, CCNA, MCP+I, MCSA, MCSE NT, MCSE 2K, MCT

Tech Ranger
« Reply #4 on: February 25, 2002, 03:49:38 PM »

Thanks a million for your responses.  I understand what you guys are saying, but what I don't understand is that if OU level policy takes precedence over domain level Group Policy, then can't I simply set whatever policies I want at the OU level and they will stick as long as there is no NO OVERRIDE set from above?  For example: Domain says WS1 gets blue wallpaper.  Sales OU (in which WS1 is located) says WS1 gets white wallpaper.  Isn't it true that WITHOUT a block inheritance, the OU policy takes effect and WS1 will get white wallpaper?  If this is so, why not just set whatever OU level policies you want, and forget about blocking inheritance?
lenee
« Reply #5 on: February 26, 2002, 03:41:20 PM »

As we know, group policy is applied site -> domain -> OU.
Well, in your scenario, as you said, why select block policy inheritance on the OU when it is eventually going to take precedence? You're absolutely right!! But remember, group policy is not only about setting one policy like wallpaper. You have a whole list to choose from :). Let's take your example for a spin again, but with a little extra on it.
You have a GPO at the domain level defining blue wallpaper and allowing shutdown of the system. You have a GPO on the OU defining only white wallpaper.
So let's take it through as if you were powering up the system.
The domain GPO gets applied and then the OU policy. In this case one policy from the OU conflicts with the domain policy. Which is that? Wallpaper! And since the OU is applied second, it takes precedence over the domain policy for WALLPAPER only, so you get
an OU with a policy allowing shutdown and white wallpaper.
However, if you had applied block policy inheritance at the OU, you would have ended up with only white wallpaper, as the domain policy would have been rejected.
And if you had applied NO OVERRIDE at the domain level, you would have ended up with a policy allowing you to shut down and a BLUE wallpaper (OU policy gets overridden).
Hope it helps
Tech Ranger
« Reply #6 on: February 26, 2002, 11:58:33 PM »

Thanks Lenee.  Your response really clarifies things for me.
Tech Ranger
« Reply #7 on: February 27, 2002, 09:12:57 AM »

Good Morning Lenee,
Sorry to bother you, but I thought of a question provoked by your explanation.
If Block Policy Inheritance blocks ALL GPOs from coming down, what happens if an OU is set for Block Inheritance, but doesn't have any of its own policies set?  We have an OU sitting there blocking policy and not setting any of its own policies. Also, we are assuming no NO OVERRIDES are set to neutralize the block.  Where do the rules and regs governing this seemingly isolated OU come from?
lenee
« Reply #8 on: February 27, 2002, 01:25:55 PM »

Sorry man, I missed out something while explaining to you in the previous post... It's from the sentence where I mentioned powering up the system.
Policy is applied the following way:
When the user logs on, the user's roaming or local user profile gets applied first, then the local group policy gets applied (hit gpedit.msc at Run) and finally the group policy settings get applied (site - domain - OU).
So accordingly I guess you will be able to guess where your policies came from.
Hope it helps
Logged
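
The precedence rules discussed in Replies #5 to #8, worked through as an added example that is not part of any post in this thread: a simplified model of the local -> site -> domain -> OU order with Block Policy Inheritance and No Override. The names `Link`, `Container` and `effective_policy` are hypothetical, and the `screensaver` local setting is a constructed value.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    settings: dict             # the linked GPO's settings
    no_override: bool = False  # "No Override" set on the link

@dataclass
class Container:               # a site, domain or OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_policy(local, path):
    """Resolve settings for an object; `path` lists containers from the top down to its OU."""
    # Deepest container with Block Policy Inheritance: unenforced links above it are dropped.
    first_kept = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    result = dict(local)       # local policy applies first and is not affected by blocking
    enforced = []
    for i, container in enumerate(path):
        for link in container.links:
            if link.no_override:
                enforced.append(link.settings)   # survives blocking
            elif i >= first_kept:
                result.update(link.settings)     # lower containers win conflicts
    for settings in reversed(enforced):          # highest No Override link is written last
        result.update(settings)
    return result

def thread_scenarios():
    """The wallpaper/shutdown cases from the thread, with constructed values."""
    domain_gpo = {"wallpaper": "blue", "allow_shutdown": True}
    ou_gpo = {"wallpaper": "white"}
    local = {"screensaver": "local default"}     # constructed local policy setting

    def run(block=False, no_override=False, ou_links=True):
        domain = Container("domain.com", [Link(domain_gpo, no_override)])
        ou = Container("Sales", [Link(ou_gpo)] if ou_links else [], block)
        return effective_policy(local, [domain, ou])

    return {
        "plain": run(),
        "block": run(block=True),
        "no_override_vs_block": run(block=True, no_override=True),
        "block_with_empty_ou": run(block=True, ou_links=False),
    }

if __name__ == "__main__":
    for name, settings in thread_scenarios().items():
        print(f"{name:22} {settings}")
```

The `block_with_empty_ou` case is the question from Reply #7: with inheritance blocked and nothing linked at the OU, only the local policy settings remain in effect.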