j.>r.'___________"t^^'w^rtfrtltniiil^m**».' mxi»— i
Figure 6.6: Corporate Standards GPO enforced at the domain level f m r
Figure 6.7: Corporate Standards affecting the Accounting OU Use Blocking and Filtering Sparingly
The Block Inheritance option stops the natural inheritance of settings from GPOs higher in the hierarchy. When you use this option, you will block every GPO setting from any parent object with the exception of the domain account policies. Once blocked, the only way that a GPO's settings will override the Block Inheritance option is if you apply the Enforced option. The Enforced option takes precedence over any Block Inheritance option that it encounters, but it is only applied to an individual GPO. You will need to set the Enforced option for every GPO that needs to override the blockage.
Filtering is the process of specifying to which accounts the GPOs will apply. By default, the Authenticated Users group will have the GPO applied to it at the location where the GPO is linked. This may work in some instances, but for most applications, you will not want every account within the OU to be under the GPO's control. For instance, if the user account that has administrative rights to the OU is located within the OU and the GPO restricts the use of administrative tools, the administrative user will not have access to the tools they need to perform their job. Decide upon which accounts will need to have the GPOs applied to them and create a group based on that need. Do not add the administrative users to the group for the user accounts; instead, create another group for the administrators to be members of. Configure the Security Filtering option to include the group to which the GPO will be applied.
Was this article helpful?