Setting ‘Block Inheritance’ on the domain level? WTF!?

Hey ho – long time no hear. I won’t make any promises any more and just go on with the blog posting :-)

I got an email from a fellow AD/GPO/Exchange big brain (where “fellow” relates to AD/GPO, I am no Exchange big brain). He was sending a screenshot of GPMC with essentially the following information on it:

His question was: What is the effect of setting “Block Inheritance” on the domain level? Why is the option there and what does it do? Isn’t this senseless?

Well – no, it isn’t. The option is there for a reason. Think about the order of precedence in which GPOs from the different levels are applied. It is L-S-D-OU-subOU-subsubOU-…, where L stands for Local GPOs with the least importance, S stands for site-based GPOs, D stands for the domain, and then, with the highest importance, there’s the OU structure. Local is least important (easily overwritten); GPOs linked to a sub-sub-OU are the most important. So far, so good. Last writer wins, and so on.

Suppose we’re interested in GPO application for our computer account in the Computer-OU which is nested in the Zurich-OU. Evaluation of Group Policy starts at the location of the computer account, in its OU structure contoso.com\Switzerland\Zurich\Computers. Then, we’re crawling the OU structure up until we reach the domain level… and after the domain level, we’re looking at site-based GPOs. Essentially, we’re walking up the domain tree to evaluate all applicable GPOs for our object.

Now, when “Block Inheritance” is set somewhere along our way, say, at the “Switzerland” OU level, our GPO evaluation looks at “Computers”, next the “Zurich” OU and next the “Switzerland” OU. And then… we find out that it has “Block Inheritance” set – and we stop. “Block Inheritance” means we don’t care what’s linked at any level higher up.

The same applies to “Block Inheritance” set at the domain level. We block GPOs from “higher” levels. The next higher level to block from the domain level is … yeah, the Site-level.
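To make the walk up the tree concrete, here is an added Python model (not code from the original post) of link evaluation: it starts at the object's OU, stops at the first container with “Block Inheritance”, and then applies GPOs least-important first so that the last writer wins. It also goes one step beyond the post by honouring Enforced links, which bypass blocking; the site, domain, OU and GPO names are the post's example or constructed.

```python
# Added model of Group Policy link evaluation: L-S-D-OU-subOU..., with
# "Block Inheritance" and Enforced links. Names below are constructed.
from dataclasses import dataclass, field


@dataclass
class Level:
    """One link target: a site, the domain, or an OU."""
    name: str
    links: list = field(default_factory=list)   # [(gpo_name, enforced)]
    block_inheritance: bool = False


def apply_order(site, domain, ou_path, local_gpos=("Local Policy",)):
    """ou_path is top-down, e.g. [Switzerland, Zurich, Computers].

    Returns GPO names in application order; the last entry wins a conflict.
    """
    # 1. Walk up from the object's own OU; stop at the first block.
    chain = list(reversed(ou_path)) + [domain, site]   # OU ... domain, site
    reached = []
    for level in chain:
        reached.append(level)
        if level.block_inheritance:
            break                       # links above this level are ignored
    # 2. Normal links: least important first (site, domain), own OU last.
    order = list(local_gpos)
    for level in reversed(reached):
        order += [g for g, enforced in level.links if not enforced]
    # 3. Enforced links ignore blocking and are applied after everything
    #    else; the higher level's enforced link is applied last and wins.
    for level in chain:
        order += [g for g, enforced in level.links if enforced]
    return order


def contoso_example(block_domain=True):
    """The post's scenario: a block set at the domain level hides site GPOs."""
    site = Level("Site-Zurich", [("Site-Proxy", False)])
    domain = Level("contoso.com", [("Default Domain Policy", False)],
                   block_inheritance=block_domain)
    ous = [Level("Switzerland", [("CH-Baseline", False)]),
           Level("Zurich"),
           Level("Computers", [("Computers-Hardening", False)])]
    return apply_order(site, domain, ous)


if __name__ == "__main__":
    print(contoso_example(block_domain=True))
    print(contoso_example(block_domain=False))
```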
