Creating Non-Inheriting Organizational Units for GPO Testing / Troubleshooting
In this lecture, we are going to create non-inheriting Organizational Units. I will show you how they work and why you would want to use them.
Open Active Directory Users and Computers. We are going to create an OU and then I am going to make it so it doesn’t inherit.
NOTE: A non-inheriting OU does not inherit any Group Policy Objects that are not directly linked to it, except for those Group Policy Objects that are enforced.
Expand instructorpaul.com > instructorpaul, then right-click and choose New > Organizational Unit.
Name the OU Test (Non-inheriting) and click OK.
Since we are logged into our Domain Controller and not using a Workstation, we are moving our Administrator user account into this test OU.
Click on the Yes button on the pop-up window.
The Administrator user should now be in our new OU.
Now, click Server Manager > Tools > Group Policy Management.
Expand Forest: instructorpaul.com > Domains > instructorpaul.com > instructorpaul OU.
Since we are testing this on a user account we actually need to create a GPO that has some user settings.
Edit the Default Domain Policy by right-clicking it and choosing Edit.
Navigate to User Configuration > Policies > Administrative Templates > Desktop > Desktop. In the right pane, double-click Disable Active Desktop.
Choose the Enabled radio button and click the Apply and OK buttons. Close Group Policy Management Editor.
NOTE: We are just picking a random setting.
Open a Command Prompt window by clicking the Windows icon on the bottom left and typing cmd. Click the icon in the list, then type gpupdate /force.
We can type gpresult /r and we should see that the Default Domain Policy is being applied.
Now, let’s create another GPO under the same Test OU. Right-click and choose to Create a GPO in this domain, and Link it here...
Let’s call this TEST GPO and click OK.
Right-click and choose Edit from the context menu.
From the Group Policy Management Editor window, navigate to User Configuration > Preferences > Windows Settings > Folder. Right-click in the empty right pane and choose New > Folder.
From the New Folder Properties window let’s configure the following:
Click the Apply and OK buttons.
Now we have some settings configured in this Test GPO. Close the Group Policy Management Editor window.
Click the TEST GPO and select the Settings tab. We should see the User Configurations.
Now run another gpupdate /force.
Then type gpresult /r again.
Under USER SETTINGS we see the Applied Group Policy Objects and the two applied policies: TEST GPO and Default Domain Policy.
If we make the Test (Non-inheriting) OU non-inheriting, it will not inherit the Default Domain Policy settings. If settings in inherited GPOs are causing issues, we can verify that by blocking all inheritance and then linking only the GPO that we want to test to this OU.
We do that by right-clicking the Test (Non-inheriting) OU and selecting Block Inheritance.
Now an exclamation mark is shown on the OU.
Notice also that if we go back to Active Directory Users and Computers and refresh the view (if open), there’s no change. In that console there’s no way for you to know if the OU is inheriting or not.
That’s why we named it with the non-inheriting tag. Alternatively, open its properties by right-clicking it and selecting Properties, and give it a Description.
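The Block Inheritance step and the visibility gap described above, scripted in PowerShell as an added example that is not part of the original lesson. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the OU's distinguished name follows from the names used in the lesson; the description text is a constructed value.

```powershell
# Added example, not the lesson's own code.
Import-Module ActiveDirectory, GroupPolicy

# Assumed distinguished names, derived from the domain and OU names in the lesson.
$parent = 'OU=instructorpaul,DC=instructorpaul,DC=com'
$ouName = 'Test (Non-inheriting)'
$ouDn   = "OU=$ouName,$parent"

# Create the test OU only if it is missing, and record its purpose in the
# Description field, since Active Directory Users and Computers shows no
# indicator for blocked inheritance.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $parent -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $parent `
        -Description 'GPO test OU: inheritance blocked'
}

# Same effect as right-click > Block Inheritance in Group Policy Management.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# What still reaches the OU after blocking: GPOs linked directly to it,
# plus any GPO linked higher up with Enforced set.
$state = Get-GPInheritance -Target $ouDn
"Inheritance blocked on '$ouName': $($state.GpoInheritanceBlocked)"
$state.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Audit: list every OU in the domain with inheritance blocked, so test OUs
# left in this state (and therefore skipping non-enforced domain GPOs)
# can be found without relying on their names.
Get-ADOrganizationalUnit -Filter * -Properties Description |
    Where-Object {
        (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked
    } |
    Select-Object Name, DistinguishedName, Description |
    Format-Table -AutoSize
```

After running it, gpupdate /force followed by gpresult /r for a user in the OU should no longer list the Default Domain Policy unless that link is enforced.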