because the policy applies to the domain, and therefore to all domain accounts, which are in effect dictated by the policies on domain controllers. So unless it is the DCs which you have excluded (which would affect everyone), it won't work.
The only way round this would be to apply the policy to all the OUs except the one with the computers which you want to exempt (NB: the policies apply to computer objects and affect the accounts on those computers). This is not ideal and there are various ways for users to get around your complexity rules by logging on at a less-protected workstation.
If you really have to do this, a child domain is the only real choice.

