Blocking GPO inheritance

As your Active Directory and Group Policy environments grow and expand, you will inevitably have multiple GPOs applying across the various tiers in order to make sure your workstations, servers, and users have all of the settings they need in order to stay safe and secure. Occasionally, you will have a need for a particular device or group of devices to step back from all of these rules and regulations, and be untouched by Group Policy settings. During my day job, I live on the Windows Server side of the IT house, and it is a very common occurrence that we are spinning up a new server for a particular role, and we want to make sure that this new server is not going to be immediately affected by a dozen GPOs as soon as we join it to the domain. Usually, when joining new client workstations to the domain, that is exactly what you want to happen—you rely on Group Policy to put all of the appropriate settings and configurations into place on those machines, but oftentimes new servers are being introduced for new technologies coming into your network, and there will be testing phases that accompany those rollouts. During the testing phases, to ensure everything is working on those new servers before they are "muddied up" with policy settings, it would be helpful to have a quick and easy way of excluding those servers from being manipulated by GPOs.

Thankfully, there is exactly such a functionality. I often refer to it as inherency blocking, though technically the term is blocking inheritance. As the name implies, this function inside GPMC allows you to block the inheritance of GPO settings for a particular location. Namely, you can right-click on any OU and choose the Block Inheritance option. You can see this option in the following screenshot, as well as the fact that I have already blocked inheritance for my OU called IT Department. Blocked inheritance is indicated by the little blue icon next to the OU name:

Once you have blocked inheritance for an OU, any device or user that you place into that OU will be unaffected by Group Policy settings that would be inherited down the chain to that OU. For example, any GPOs that are linked at the Site level or the Domain level would not apply to anything that was inside the IT Department OU, or any nested OUs listed under IT Department.

Links directly to the OU will still apply! Keep in mind that even if an OU is flagged for Block Inheritance, any GPO that you have linked directly to the OU will still be in effect.

Let's cover a quick example to pull it all together. I often work with a Microsoft remote access technology called DirectAccess (DA). A successful DA deployment is heavily dependent on solid networking practices on the DA server. In many networks, it is common to find GPOs that do things such as disabling the Windows Firewall or configuring the IPv4/IPv6 stack in a way that disables certain networking functions by default. While this is considered a good security practice for some of the machines inside a domain, it can be detrimental to a DA server. If you were to bring a new DA server online, plug it into your network, join it to your domain, and automatically get such policies, your DA server would be broken before you ever start configuring DA.

Because of this, I now consider it standard practice to put DA servers into an OU that is blocked from GPO inheritance. This ensures that any policies that might be automatically filtering down to that OU will not be processed, and will not break my new server. Then the flip side of that coin is that many of the settings DA uses are actually rolled out to the DA server via a new GPO that we create. Once we get to the end of the DA configuration process, a new GPO is created and filled with settings, and those settings need to make their way down to the DA server or servers. Since those servers are sitting inside an OU with Block Inheritance enabled, by default they will not receive the settings that they need. In this case, we right-click on the OU and manually link the new GPO directly to that OU. This link then works and pushes only those settings to the DA servers, while continuing to block inheritance from other GPOs that may be filtering down from higher levels in the processing tier.
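The same procedure can be scripted and, more importantly, verified with the GroupPolicy PowerShell module. The following is an added example, not code from the book: it blocks inheritance on the OU, links one GPO directly to it, and then reads back which links the OU actually receives. The domain `example.com`, the OU name `IT Department`, and the GPO name `DirectAccess Server Settings` are assumptions; substitute your own. One caveat worth checking in the output: a GPO link that is flagged Enforced at a higher level still gets through a blocked OU, and `Get-GPInheritance` shows that in `InheritedGpoLinks`.

```powershell
# Added example (not from the book): block GPO inheritance on an OU, link one
# GPO directly to it, and verify what actually reaches machines in that OU.
# Assumptions: domain example.com, OU "IT Department", and an existing GPO
# named "DirectAccess Server Settings". Run from a machine with RSAT / the
# GroupPolicy module as a user allowed to edit Group Policy.
Import-Module GroupPolicy

$ou  = 'OU=IT Department,DC=example,DC=com'   # assumed OU distinguished name
$gpo = 'DirectAccess Server Settings'          # assumed GPO name

# 1. Block inheritance on the OU (same as right-click > Block Inheritance in GPMC).
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# 2. Link the GPO directly to the OU. Direct links are still processed even
#    though inheritance is blocked, so this is how the DA settings get through.
#    Skip the link if it already exists, since New-GPLink errors on duplicates.
$existing = (Get-GPInheritance -Target $ou).GpoLinks.DisplayName
if ($existing -notcontains $gpo) {
    New-GPLink -Name $gpo -Target $ou -LinkEnabled Yes | Out-Null
}

# 3. Verify the result from the OU's point of view.
$som = Get-GPInheritance -Target $ou
"Inheritance blocked on '{0}': {1}" -f $som.Name, $som.GpoInheritanceBlocked

"Links directly on this OU (always processed):"
$som.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# InheritedGpoLinks is the effective list: direct links plus anything from the
# site/domain/parent OUs that still gets through. With inheritance blocked, the
# only higher-level links that survive here are ones flagged Enforced, so any
# entry whose Target is not this OU is worth a second look.
"Effective links for this OU (direct + anything that bypasses the block):"
$som.InheritedGpoLinks | Select-Object DisplayName, Target, Enforced, Enabled

# 4. Confirm on the DA server itself which GPOs the computer really applied.
#    Run these on the server after it has been moved into the OU:
#      gpupdate /force
#      gpresult /r /scope:computer
```

Blocking inheritance through `Set-GPInheritance` is identical to the GPMC checkbox, so the blue icon appears on the OU afterwards. The `gpresult` check at the end is the one that matters in practice: it lists the GPOs the server actually processed, which is the quickest way to prove that only the directly linked policy (and any Enforced ones) reached the new DA server.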

It is important to remember that Block Inheritance is not a full-on kill switch for GPOs. Any policies linked directly to the OU will still be processed on the machines inside that OU.
