4.1 Configuring Blocking of Inheritance
Hello there! I am [brief intro] and today we will discuss inheritance in Group Policy and how to block it. Inheritance refers to the property of an OU by which a policy applied to it is rolled down, or “inherited”, to the sub-OUs of that parent OU. Sometimes that’s a problem: we don’t want the policies we implemented at the higher levels to get copied down to the lower ones, so there is a technique we use known as blocking inheritance. Blocking inheritance ensures that the policy we applied to the OU doesn’t get rolled down to those sub-OUs where we don’t want that policy implemented. Today we will learn how to configure that on Windows Server 2012 R2. So first off, let’s log in. Now open Server Manager and access the Group Policy Management Console from the Tools menu you can locate in the top right corner of the window. Click on it to open GPMC. Okay, so as we can see here in the left pane, as per the hierarchy, if we assign any policy to the domain it automatically flows down to all the OUs, since it is the topmost one. Currently we have three policies already configured here: audit, default domain and security policy. So let’s check whether they are inherited in the sub-OUs so we can see the effect when we block inheritance. Let’s check for the Tetra OU: click on it, and in the main window switch to the Group Policy Inheritance tab. As you can see, all three of the policies assigned to the domain are inherited here. The domain here is tetranoodle.com; it will be different for you depending on the name of your domain. So let’s check another OU, Tetra2. Here we have four policies: three are inherited and one is its own, which is Internal.
So let’s consider a situation where we have to implement a policy in the domain which we only want inherited in Tetra and not Tetra2. Or conversely, we implement a policy and we want it inherited in only two or three OUs out of five. So we will block the inheritance using the Block Inheritance option, which you get by right-clicking on any OU. For the sake of the demo, let’s go for a policy for a VPN connection, link it to the domain, and then block it for particular users so it is only available to selected users. Since we already have a GPO made, VPN_Connection, we will link it to the domain, then block inheritance for the desired OUs and see how that works out for us. Before we do this, let’s see from the client’s machine whether this connection is currently configured in the OUs or not. We will sign in one by one as one user from the Tetra OU and one from the Tetra2 OU. Let’s first check which users we have in both these OUs: go to Server Manager, open the Tools menu and open Active Directory Users and Computers (ADUC). In Tetra we have tetra1 and tetra2, whereas in Tetra2 we have test, tetra3 and tetra4. So we will pick tetra1 for Tetra and tetra3 for the Tetra2 OU. Now let’s sign in from the client’s machine, first as tetra1. Enter the credentials and hit Enter. Now click on the network icon and open Network and Sharing Center. In the left pane, click on Change adapter settings. As we can see, we don’t have any VPN connection. Now let’s log off and log in as tetra3, which is from the other OU, Tetra2. Enter the credentials and here we go. Again, click on the network icon, open Network and Sharing Center and click on Change adapter settings in the left pane. Here again we don’t have any VPN connection configured.
So let’s go back to the server side. In GPMC, in the left pane, let’s assign the GPO Tetra_VPN to the domain. Right-click on the domain, tetranoodle.com, select Link an Existing GPO, select Tetra_VPN from the list and click OK. So we have successfully linked the VPN GPO to the domain. Now let’s manually update Group Policy from the command prompt: open the Run window, enter cmd and hit Enter. Then enter gpupdate /force and hit Enter. Okay, here we are done. Now move to the client’s machine and do the same procedure to update Group Policy manually. As you can see, it doesn’t currently have the VPN; let’s open cmd, enter gpupdate /force and hit Enter, and here the VPN connection has appeared because the policy has taken effect. This is for the tetra3 user, which is in the Tetra2 OU. Now let’s check for tetra1, which is in the Tetra OU. Log off and switch users. Log in with the credentials of tetra1 and hit Enter. Now click on the network icon, open Network and Sharing Center, click on Change adapter settings and, as you can see, we have the VPN connection here as well. So we have created a VPN connection for all the users, since we assigned the policy to the domain and it got inherited by all of its sub-OUs. Now let’s think of a situation where we want to apply this policy only to the users of one OU and not the other. Here we will have to use block inheritance. Let’s suppose we want the VPN connection to be available to the users of Tetra2, and no user in the Tetra OU should have, or needs, this VPN connection.
For this purpose, we select the OU for which we want to block the policies from being inherited, which is Tetra, right-click and select Block Inheritance. As soon as you do so, the inheritance gets blocked and, as you can see, there are no more policies inherited in this OU. Now let’s manually update it. In the command prompt, enter gpupdate /force and hit Enter. Okay, now on the client machine let’s first delete the connection. Then update via the command prompt: enter gpupdate /force and hit Enter. Now switch user to the other OU, which is tetra3. Log in and enter the credentials. Open Network and Sharing Center, click on Change adapter settings and delete the VPN connection. Now let’s run the manual update from the command prompt, then reboot the system and log in as the users to see the effect of blocking inheritance. So in the command prompt, enter gpupdate /force and hit Enter. Now let us restart the system.
Now let’s log in as the first user, tetra1, for whom we blocked the inheritance. Enter the credentials and sign in. Open Network and Sharing Center, then Change adapter settings. As you can see, there is no VPN connection created here since we blocked it via the Block Inheritance option. Now let’s log off and switch to tetra3, for whom the policy was to be inherited. Enter the credentials and let’s see. Open Network and Sharing Center from the network icon, then Change adapter settings. And as you can see, yes, we have the VPN connection here, since by default the policies linked to the domain get inherited by all the OUs, whereas for the Tetra OU we specifically blocked the inheritance and hence the VPN connection was not created for it.
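The same link-and-block procedure done with the GroupPolicy PowerShell module, as an added example that is not part of the original tutorial, which also reports what each OU still inherits afterwards. One check worth keeping: Block Inheritance drops every non-enforced GPO linked above the OU, including the default domain and security policies that disappeared from the Tetra OU in the demo, while links marked Enforced still apply. It assumes the tutorial's names (domain tetranoodle.com, OUs Tetra and Tetra2, GPO Tetra_VPN) and that the module is installed on the server.

```powershell
# Added example, not from the original tutorial. Assumed names: domain
# tetranoodle.com, OUs "Tetra" and "Tetra2", existing GPO "Tetra_VPN".
Import-Module GroupPolicy

$Domain   = 'tetranoodle.com'
$DomainDN = 'DC=tetranoodle,DC=com'
$GpoName  = 'Tetra_VPN'
$BlockOU  = "OU=Tetra,$DomainDN"    # must NOT receive the VPN policy
$KeepOU   = "OU=Tetra2,$DomainDN"   # keeps inheriting it

# 1. Link the existing GPO to the domain (GPMC: "Link an Existing GPO").
#    SilentlyContinue tolerates a link that already exists.
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes `
           -Domain $Domain -ErrorAction SilentlyContinue

# 2. Block inheritance on the Tetra OU (GPMC: right-click > Block Inheritance).
Set-GPInheritance -Target $BlockOU -IsBlocked Yes -Domain $Domain | Out-Null

# 3. Report what each OU inherits now; this is the "Group Policy Inheritance" tab.
function Get-OuInheritanceReport {
    param([string[]]$OuList)
    foreach ($ou in $OuList) {
        $inh = Get-GPInheritance -Target $ou -Domain $Domain
        [pscustomobject]@{
            OU        = $ou
            Blocked   = $inh.GpoInheritanceBlocked
            Inherited = ($inh.InheritedGpoLinks | ForEach-Object {
                            "{0}(Enforced={1})" -f $_.DisplayName, $_.Enforced
                        }) -join ', '
        }
    }
}
Get-OuInheritanceReport -OuList $BlockOU, $KeepOU | Format-Table -AutoSize

# 4. Caveat check: which domain-level links are Enforced (still reach Tetra)
#    and which ones the blocked OU has just lost, e.g. Default Domain Policy.
(Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 5. Clients still need "gpupdate /force" (or a reboot) to pick up the change.
```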
So this is how we use block inheritance to stop policies flowing down to OUs we don’t want them in. This can be particularly useful when, keeping our current example in mind, creating a VPN connection with higher bandwidth that’s only accessible to higher authorities or a limited set of conference rooms. So that’s about it then. Thank you for watching! Stay tuned for more!