GPO Exceptions: Enforcing and Blocking Inheritance

Enforced: The Enforced flag is set on a GPO link (not on the GPO itself) using the GPMC. Essentially what it does is say, “If there are any conflicting policy settings in downstream GPOs (GPOs processed after the enforced GPO), those settings will always be overridden”. It works because any GPO link marked as Enforced is moved to the bottom of the Group Policy processing list. This ensures that the enforced policy is always processed last, and thus “wins” over any downstream GPOs. Enforced GPOs also override Block Inheritance.  NOTE: In Windows 2000 this was referred to as “No Override”.

Block Inheritance: The block inheritance flag is set on a container object, specifically either an OU or a domain. The purpose of Block Inheritance is to block upstream GPOs from being processed (except for GPOs set with the Enforced flag). For example, if I have two OUs, Sales and Inside, and Inside is a child OU to Sales, I can set the Block Inheritance flag on the Inside OU and any GPOs linked to Sales will be blocked and won’t apply to users and computers in the Inside OU.
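The two rules above can be checked against a small model of the processing list. The following Python is an added example, not part of the original page or of any Microsoft tooling; the domain, OU and GPO names are constructed. It goes slightly beyond the text in two places: within one container a link with a lower link-order number is processed last (higher precedence), and among enforced links the one linked highest in the hierarchy wins.

```python
from dataclasses import dataclass, field

@dataclass
class GpoLink:
    gpo: str
    settings: dict            # setting name -> value configured by this GPO
    enforced: bool = False    # the Enforced flag on the link

@dataclass
class Container:
    name: str                 # a domain or OU
    links: list = field(default_factory=list)   # link order 1 first (highest precedence)
    block_inheritance: bool = False

def processing_order(chain):
    """chain lists the containers from the domain down to the object's own OU.
    Returns the GPO links in the order they are applied; a later link wins."""
    # Block Inheritance on a container discards every non-enforced link from the
    # containers above it; the deepest block in the chain is the one that counts.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced_per_container = [], []
    for depth, c in enumerate(chain):
        # Link order 1 has the highest precedence within a container, so it is
        # processed last: reverse the list to get processing order.
        in_order = list(reversed(c.links))
        enforced_per_container.append([l for l in in_order if l.enforced])
        if depth >= cutoff:
            normal += [l for l in in_order if not l.enforced]
    # Enforced links are moved to the end of the list; among them the link highest
    # in the hierarchy wins, so child containers' enforced links go before the parent's.
    enforced = [l for per in reversed(enforced_per_container) for l in per]
    return normal + enforced

def effective_settings(chain):
    result = {}
    for link in processing_order(chain):
        result.update(link.settings)      # later writer wins
    return result

# Constructed sample hierarchy (hypothetical names): corp.example > Sales OU > Inside OU.
DOMAIN = Container("corp.example", [
    GpoLink("Default Domain Policy", {"ScreenSaverTimeout": 900}),
    GpoLink("Security Baseline", {"RemovableStorageDeny": True}, enforced=True),
])
SALES = Container("Sales", [
    GpoLink("Sales Policy", {"ScreenSaverTimeout": 600, "RemovableStorageDeny": False}),
])
INSIDE = Container("Inside", [GpoLink("Inside Policy", {"DriveMapping": "S:"})],
                   block_inheritance=True)

if __name__ == "__main__":
    for chain in ([DOMAIN, SALES], [DOMAIN, SALES, INSIDE]):
        print(chain[-1].name, [l.gpo for l in processing_order(chain)], effective_settings(chain))
```

For a computer in Inside, the Sales and Default Domain links are blocked, yet the enforced Security Baseline still applies last; for Sales, the baseline overrides the Sales Policy's attempt to re-enable removable storage.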

