Question on GPO Block Inheritance

  • Last Post 01 February 2017
webster posted this 30 January 2017

Attempting to troubleshoot a very weird GPO issue where a GPO nowhere in the inheritance chain is being applied to computer accounts.

I finally got permission to block inheritance at the OU level I was given for testing. When I run gpresult, I expected to see a list of Local Policy and the four Enforced security policies. That is not what I see. I see all the GPOs applied at the top OU in this tree PLUS the mysterious GPO that is applied at the domain level, but inheritance is blocked at the top of this OU tree.

What am I supposed to see in the "Applied Policies" list when inheritance is blocked at the lowest OU level in this tree?

Thanks

Webster
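One way to answer "what should I be seeing" without guessing, added here as an example and not part of the original post: build the list the directory says must apply to the blocked OU (Get-GPInheritance already honours Block Inheritance and Enforced links) and diff it against the RSoP the client actually computed, which is what gpresult /R shows in text form. The OU distinguished name and computer name are placeholders; the XML element names follow the gpresult RSoP schema.

```powershell
# Added example, not from the thread. Compares the GPO list Active Directory says
# applies to a blocked OU with what a test computer actually applied.
# Assumes the RSAT GroupPolicy module and rights to read RSoP on the target.
Import-Module GroupPolicy

$TestOU   = 'OU=Test,OU=TopLevel,DC=corp,DC=example'   # placeholder: OU with Block Inheritance set
$Computer = 'WS-TEST01'                                # placeholder: test machine

# 1. Directory side. InheritedGpoLinks takes blocking and enforcement into account,
#    so with Block Inheritance set it should reduce to the links on this OU and any
#    Enforced links from above. It does not cover Local Group Policy or site links.
$inh = Get-GPInheritance -Target $TestOU
'{0}  (GpoInheritanceBlocked = {1})' -f $inh.Path, $inh.GpoInheritanceBlocked
$expected = $inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Target
$expected | Format-Table -AutoSize

# 2. Client side. RSoP as XML; dot-walking an [xml] object ignores the Rsop namespace,
#    but elements carrying their own xmlns come back as XmlElement, hence the helper.
$xmlPath = Join-Path $env:TEMP ("rsop-{0}.xml" -f $Computer)
Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Xml -Path $xmlPath | Out-Null
[xml]$rsop = Get-Content -Path $xmlPath -Raw

function Get-NodeText($node) {
    if ($null -eq $node) { return $null }
    if ($node -is [System.Xml.XmlElement]) { return $node.InnerText }
    return [string]$node
}

$actual = foreach ($gpo in @($rsop.Rsop.ComputerResults.GPO)) {
    [pscustomobject]@{
        Name      = Get-NodeText $gpo.Name
        LinkedAt  = Get-NodeText $gpo.Link.SOMPath      # domain, site or OU that carries the link
        Enforced  = Get-NodeText $gpo.Link.NoOverride
        Filtering = Get-NodeText $gpo.FilteringStatus    # 'None' means the GPO was applied
    }
}
$actual | Format-Table -AutoSize

# 3. Diff. '=>' marks GPOs the client applied that the OU chain does not account for.
#    Apart from Local Group Policy, anything there is linked somewhere else (LinkedAt
#    above tells you where) or came from a DC that had not replicated the block yet.
$applied = $actual | Where-Object { $_.Filtering -eq 'None' -and $_.Name -ne 'Local Group Policy' }
Compare-Object -ReferenceObject @($expected.DisplayName) -DifferenceObject @($applied.Name) -IncludeEqual |
    Sort-Object SideIndicator
```

Run it from an admin session on a domain member; if the client list and the directory list disagree, the LinkedAt column on the extra GPO is usually the quickest pointer to the link nobody remembered.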

SamErde posted this 30 January 2017

Is the mysterious GPO set to enforced? I think that would override a block inheritance setting.
Sam 

webster posted this 30 January 2017

No, it is not. Only 2 security related GPOs are enforced. Those 4 I see, plus the Local Policy and then also every GPO linked at the top OU level.

Thanks

Webster

andrewcace posted this 30 January 2017

Is it possible that the GPOs are also linked to a site?

Can you include a censored version of gpresult /R?

-Andrew

jeremyts posted this 30 January 2017

Yes, agree with Andrew. Linking a policy at Site level can often confuse things.

Are these computer policies or user policies? If user policies, and the user objects are under a different OU structure that is not blocked from the top level GPOs, then Loopback processing in merge mode could be throwing you here.

Cheers,

Jeremy
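The two causes raised by Andrew and Jeremy above, site-linked GPOs and loopback processing, can both be checked from the directory rather than by reading gpresult. The script below is an added example, not code from the thread: it enumerates gPLink entries on AD site objects (bit 0x1 of the link options is "disabled", bit 0x2 is "enforced") and then scans every GPO for the UserPolicyMode registry policy that turns loopback on (1 = Merge, 2 = Replace). It assumes RSAT's ActiveDirectory and GroupPolicy modules and reads only.

```powershell
# Added example, not from the thread. Finds GPOs linked at AD sites and GPOs that
# enable loopback processing. Read-only; assumes RSAT ActiveDirectory + GroupPolicy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# --- 1. Site-linked GPOs. Site objects live in the Configuration partition and
#        carry links in gPLink as "[LDAP://<gpo DN>;<options>]" entries.
$configNC = (Get-ADRootDSE).configurationNamingContext
$sites = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=site)(gPLink=*))' -Properties gPLink

$siteLinks = foreach ($site in $sites) {
    foreach ($m in [regex]::Matches([string]$site.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $gpoDn = $m.Groups[1].Value
        $opts  = [int]$m.Groups[2].Value
        $guid  = [regex]::Match($gpoDn, '\{[0-9A-Fa-f-]+\}').Value
        $gpo   = try { Get-GPO -Guid ([guid]$guid) -ErrorAction Stop } catch { $null }
        [pscustomobject]@{
            Site     = $site.Name
            Gpo      = if ($gpo) { $gpo.DisplayName } else { $gpoDn }   # DN if the GPO is orphaned
            Enforced = [bool]($opts -band 2)
            Disabled = [bool]($opts -band 1)
        }
    }
}
if ($siteLinks) { $siteLinks | Format-Table -AutoSize } else { 'No site-linked GPOs found.' }

# --- 2. Loopback processing is a computer-side registry policy:
#        HKLM\Software\Policies\Microsoft\Windows\System, UserPolicyMode = 1 (Merge) / 2 (Replace).
#        Merge mode applies the user's own OU chain as well, which is how GPOs that are
#        not in the computer's OU chain can show up on a machine.
$mode = @{ 1 = 'Merge'; 2 = 'Replace' }
$loopback = foreach ($gpo in Get-GPO -All) {
    $v = Get-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    if ($v) {
        [pscustomobject]@{ Gpo = $gpo.DisplayName; LoopbackMode = $mode[[int]$v.Value] }
    }
}
if ($loopback) { $loopback | Format-Table -AutoSize } else { 'No GPO sets loopback processing.' }
```

Get-GPRegistryValue raises an error rather than returning nothing when a GPO does not configure the value, which is why the call runs with -ErrorAction SilentlyContinue; a GPO listed here with Merge mode on a computer whose users live under an unblocked OU tree is the scenario Jeremy describes.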

webster posted this 30 January 2017

This is from a customer's PCI environment. I doubt I could get permission to do that. Sorry.

Webster

webster posted this 30 January 2017

Just verified there are no Site policies.

Webster

jeremyts posted this 31 January 2017

Sure, but what about Loopback Processing?


webster posted this 31 January 2017

One dedicated GPO set at the top of the OU tree for Loopback Replace.

Webster

jeremyts posted this 31 January 2017

By top of the OU tree I assume you mean at Domain level? Or under where you’ve set block inheritance?

Cheers,

Jeremy

webster posted this 31 January 2017

At the top level OU where inheritance is blocked. Not allowed to do anything at the domain level.

Webster

webster posted this 01 February 2017

I was working with another list member offline and after 5 days, the block inheritance started working! They have some serious replication issues to resolve.

They created me a new Win7 VM, pre-staged the computer account in my testing OU and joined the VM to the domain. When I ran gpresult, I got the results I expected. Only the local policy and the four enforced policies were in the list of applied computer policies. I then had them power on the original test VM that had all the extraneous policies applied. It came up now with the expected policies applied.

Thanks for all the suggestions along this weird journey.

Webster
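The resolution above points at replication: Block Inheritance is just the 0x1 bit of the OU's gPOptions attribute, and a client that happens to talk to a domain controller which has not received that attribute change will keep applying the unblocked chain. The following script is an added example, not code from the thread; it reads the OU's gPOptions and gPLink and every GPO's AD/SYSVOL version counters from each domain controller separately, so a lagging DC stands out. It assumes RSAT's ActiveDirectory and GroupPolicy modules, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the thread. Checks, per domain controller, whether the
# Block Inheritance flag, the OU's link list and the GPO version numbers agree.
# Read-only; assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TestOU = 'OU=Test,OU=TopLevel,DC=corp,DC=example'   # placeholder: OU where inheritance was blocked
$dcs = (Get-ADDomainController -Filter *).HostName

# --- 1. gPOptions bit 0x1 on a container is Block Inheritance; gPLink is its link list.
#        Both are plain attributes, so every DC can be asked for its own copy.
$ouView = foreach ($dc in $dcs) {
    $ou = Get-ADObject -Identity $TestOU -Server $dc -Properties gPOptions, gPLink, whenChanged
    [pscustomobject]@{
        DC               = $dc
        BlockInheritance = [bool]([int]$ou.gPOptions -band 1)
        LinkCount        = ([regex]::Matches([string]$ou.gPLink, '\[LDAP://')).Count
        WhenChanged      = $ou.whenChanged
    }
}
$ouView | Format-Table -AutoSize

# --- 2. Each GPO keeps a version counter in AD (DSVersion) and in SYSVOL (SysvolVersion).
#        Differences between DCs mean AD replication lag; a DS/SYSVOL mismatch on a
#        single DC means the file replication side (DFSR/FRS) is behind.
$versions = foreach ($dc in $dcs) {
    foreach ($g in Get-GPO -All -Server $dc) {
        [pscustomobject]@{
            DC         = $dc
            Gpo        = $g.DisplayName
            CompDS     = $g.Computer.DSVersion
            CompSysvol = $g.Computer.SysvolVersion
            UserDS     = $g.User.DSVersion
            UserSysvol = $g.User.SysvolVersion
        }
    }
}
# Show only GPOs whose four counters are not identical on every DC.
$versions | Group-Object Gpo | Where-Object {
    ($_.Group | ForEach-Object { "$($_.CompDS)/$($_.CompSysvol)/$($_.UserDS)/$($_.UserSysvol)" } |
        Sort-Object -Unique).Count -gt 1
} | ForEach-Object { $_.Group } | Sort-Object Gpo, DC | Format-Table -AutoSize

# --- 3. Inbound replication status for each DC, to see which partner is stuck.
Get-ADReplicationPartnerMetadata -Target $dcs -Scope Server -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

A DC showing BlockInheritance = False while the others show True, or an older whenChanged on the OU, is the signature of the five-day delay described above; the client's logon DC (the LOGONSERVER environment variable on the test VM) tells you which copy it was reading.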