9.13. Blocking Inheritance of GPOs on an OU

Problem

You want to block inheritance of GPOs on an OU.

Solution

Using a graphical user interface

  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, and browse to the target domain.

  3. Right-click on the OU you want to block inheritance for and select Block Inheritance.

Using VBScript

' This code blocks inheritance of GPOs on the specified OU
' ------ SCRIPT CONFIGURATION ------
strDomain   = "<DomainDNSName>" ' e.g. rallencorp.com
strOU      = "<OrgUnitDN>"      ' e.g. ou=Sales,dc=rallencorp,dc=com
boolBlock  = TRUE               ' e.g. set to FALSE to not block inheritance
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
  
' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified OU
set objSOM = objGPMDomain.GetSOM(strOU)
if IsNull(objSOM) then
   WScript.Echo "Did not find OU: " & strOU
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found OU: " & objSOM.Name
end if

' on error resume next

objSOM.GPOInheritanceBlocked = boolBlock

if Err.Number <> 0 then
   WScript.Echo "There was an error blocking inheritance."
   WScript.Echo "Error: " & Err.Description
else        
   WScript.Echo "Successfully set inheritance blocking on OU to " & boolBlock
end if

Discussion

By default, GPOs are inherited down through the directory tree. If you link a GPO to a top-level OU, that GPO will apply to any objects ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial