9.13. Blocking Inheritance of GPOs on an OU
Problem
You want to block inheritance of GPOs on an OU.
Solution
Using a graphical user interface
Open the GPMC snap-in.
In the left pane, expand the Forest container, expand the Domains container, and browse to the target domain.
Right-click on the OU you want to block inheritance for and select Block Inheritance.
Using VBScript
' This code blocks inheritance of GPOs on the specified OU
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"   ' e.g. rallencorp.com
strOU     = "<OrgUnitDN>"       ' e.g. ou=Sales,dc=rallencorp,dc=com
boolBlock = TRUE                ' e.g. set to FALSE to not block inheritance
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified OU
set objSOM = objGPMDomain.GetSOM(strOU)
if IsNull(objSOM) then
   WScript.Echo "Did not find OU: " & strOU
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found OU: " & objSOM.Name
end if

' Trap runtime errors so the Err.Number check below is reached
on error resume next

' Set (or clear) the block-inheritance flag on the OU
objSOM.GPOInheritanceBlocked = boolBlock

if Err.Number <> 0 then
   WScript.Echo "There was an error blocking inheritance."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Successfully set inheritance blocking on OU to " & boolBlock
end if
Discussion
By default, GPOs are inherited down through the directory tree. If you link a GPO to a top-level OU, that GPO will apply to any objects ...
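The same change can be made and checked with the GroupPolicy PowerShell module. The following is an added example, not code from the book: it records which GPO links reach the OU before and after the flag is set, so you can see which policies the block removed and which still apply (links marked Enforced higher in the tree are not stopped by Block Inheritance). The function name Set-OuGpoBlock and its parameter names are hypothetical; Get-GPInheritance and Set-GPInheritance are the module's own cmdlets.

```powershell
# Added example; requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

function Set-OuGpoBlock {                      # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OrgUnitDN,  # e.g. ou=Sales,dc=rallencorp,dc=com
        [Parameter(Mandatory)] [string] $Domain,     # e.g. rallencorp.com
        [bool] $Block = $true                        # $false clears the block
    )

    # Snapshot of the GPO links that reach the OU before the change.
    $before = Get-GPInheritance -Target $OrgUnitDN -Domain $Domain -ErrorAction Stop

    if ($before.GpoInheritanceBlocked -eq $Block) {
        Write-Verbose "Inheritance blocking on $OrgUnitDN is already $Block"
        $after = $before
    }
    elseif ($PSCmdlet.ShouldProcess($OrgUnitDN, "Set GPO inheritance blocked = $Block")) {
        $isBlocked = if ($Block) { 'Yes' } else { 'No' }
        Set-GPInheritance -Target $OrgUnitDN -Domain $Domain `
            -IsBlocked $isBlocked -ErrorAction Stop | Out-Null
        # Re-read the OU so the report reflects what the directory now holds.
        $after = Get-GPInheritance -Target $OrgUnitDN -Domain $Domain -ErrorAction Stop
    }
    else {
        return   # -WhatIf or a declined confirmation: nothing changed
    }

    # Links present before the change that no longer reach the OU.
    $dropped = $before.InheritedGpoLinks |
        Where-Object { $_.GpoId -notin $after.InheritedGpoLinks.GpoId }

    [pscustomobject]@{
        OU              = $after.Path
        Blocked         = $after.GpoInheritanceBlocked
        NoLongerApplied = @($dropped.DisplayName)
        StillApplied    = @($after.InheritedGpoLinks |
                            Select-Object DisplayName, Enforced, Target)
    }
}

# Preview first, then apply:
# Set-OuGpoBlock -OrgUnitDN 'ou=Sales,dc=rallencorp,dc=com' -Domain 'rallencorp.com' -WhatIf
# Set-OuGpoBlock -OrgUnitDN 'ou=Sales,dc=rallencorp,dc=com' -Domain 'rallencorp.com'
```

Review the NoLongerApplied list before relying on the block: any domain-level baseline GPO that appears there stops applying to objects in the OU unless its link is enforced.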