Scenario: OU has three GPOs applied to it. There are three sub-OU's beneath this OU, all of which inherit the aforementioned GPOs.
Sub-OU #2 needs to be prevented from inheriting ONE of the three GPOs from the main OU. How can this be done without blocking inheritance on Sub-OU two, which would result in all three GPOs being blocked?
This reads like a question straight from my MCITP tests.
A picture might help, but if I understand correctly, you can either do this via security filtering, create a group and put security principals in this group to which you do not want this GPO to apply, and then configure the security filtering on that one GPO appropriately,
or, the dirtier way to do it would be to link another GPO to the sub-OU that overrides the settings in the higher OU. But again, that's a pretty poor solution.
You could also block inheritence on the sub-ou, and then link the other two GPOs again directly to the sub-ou.
I like my third solution the best. :)