September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
9.13. Blocking Inheritance of GPOs on an OU
Problem
You want to block inheritance of GPOs on an OU.
Solution
Using a graphical user interface
Open the GPMC snap-in.
In the left pane, expand the Forest container, expand the Domains container, and browse to the target domain.
Right-click on the OU you want to block inheritance for and select Block Inheritance.
Using VBScript
' This code blocks inheritance of GPOs on the specified OU ' ------ SCRIPT CONFIGURATION ------ strDomain = "<DomainDNSName>" ' e.g. rallencorp.com strOU = "<OrgUnitDN>" ' e.g. ou=Sales,dc=rallencorp,dc=com boolBlock = TRUE ' e.g. set to FALSE to not block inheritance ' ------ END CONFIGURATION --------- set objGPM = CreateObject("GPMgmt.GPM") set objGPMConstants = objGPM.GetConstants( ) ' Initialize the Domain object set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC) ' Find the specified OU set objSOM = objGPMDomain.GetSOM(strOU) if IsNull(objSOM) then WScript.Echo "Did not find OU: " & strOU WScript.Echo "Exiting." WScript.Quit else WScript.Echo "Found OU: " & objSOM.Name end if ' on error resume next objSOM.GPOInheritanceBlocked = boolBlock if Err.Number <> 0 then WScript.Echo "There was an error blocking inheritance." WScript.Echo "Error: " & Err.Description else WScript.Echo "Successfully set inheritance blocking on OU to " & boolBlock end if
Discussion
By default, GPOs are inherited down through the directory tree. If you link a GPO to a top-level OU, that GPO will apply to any objects ...