Should I link GPOs to the domain level if I have OU’s that block inheritance?


Although an OU using Block Inheritance can prevent higher level GPOs from applying settings to the user or computer accounts it contains, if cannot stop an Enforced GPO. If you don’t want to stop the flow of a domain level GPO, the GPO should be enforced. Jeremy discusses Block Inheritance and Enforcement in Chapter 2 of his book. (Third edition, with the gear cover.)