Home / server / Questions / 219032
Accepted
I.T. Support
Asked: 2011-01-06 08:07:40 +0800 CST

Default Domain Policy Overriding Custom GPO even though Custom GPO is Enforced

  • 772

I'm trying to apply a custom GPO to an OU with a specific account in it. Even though I enforce the GPO, the default domain policy is still overriding my custom GPO and settings are not being applied to the account.

Questions:

  1. Is the Default Domain Policy not subject to Enforcement?
  2. How do I get a custom GPO to override the default domain policy?
windows-server-2008 windows-server-2003 group-policy security

2 Answers

  1. The priority is based off of what position the GPO is in the list.

    What you can try doing is selecting the custom group policy object that you created and move it ABOVE the default domain policy. This will make sure that your custom policy takes precedence and wont be overridden by the default domain policy.

    • 1
  2. Best Answer

    The trick was to "Block Inheritance" on the immediate parent OU for the child OU in question.

    • Right-click the parent ou of the ou you want to apply your custom GPO to, then click "block inheritance"
    • Apply your custom GPO to the child OU beneath the parent OU you just blocked inheritance on
    • From (domain controller) CMD prompt, type: gpupdate/force
    • Run GPO Modeling to confirm custom GPO settings are being applied

    This worked for us. The only caveat is to remember that when you block inheritance on an OU, you prevent all GPO's above that OU from propogating their settings via inheritance, which means if you are relying on a GPO higher up in the schema for settings, you need to confirm they are still being applied to child OU's beneath the OU you've blocked inheritance on, as you may need to replicate these settings on the custom GPO you applied to the child OU.

    • 0