Hello petersonal,
Thank you for posting in our Q&A forum.
You can try setting it at the domain level.
1. Right-click the domain name.
2. Select the Delegation tab on the right side. The default permission selected is Link GPOs.
3. Add one normal domain user account.
4. You will see the two entries after clicking the Advanced button (for example, I added the domain user t2 below).
One entry is for the gPLink permission (Read gPLink and Write gPLink).
One entry is for the gPOptions permission (Read gPOptions and Write gPOptions).
You should set Deny permission for the two entries.
Then make sure AD replication has completed if you have more than one DC in your domain.
After that, you can log on to a DC with this normal domain user account and check whether you can link a GPO to the domain and the OUs within the domain.
Reference (delegate permission to link gpo):
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn789195(v=ws.11)
Hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
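The same Deny on the gPLink and gPOptions entries can be applied and verified from PowerShell instead of the GPMC Delegation tab. The script below is an added example, not code from the answer above or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that it runs as a Domain Admin, and that the target account is the user t2 reused from the answer (change $User as needed). The attribute GUIDs are read from the schema rather than hard-coded.

```powershell
#Requires -Modules ActiveDirectory
# Hypothetical example: deny a user Write access to gPLink and gPOptions on the
# domain root (inherited to all OUs), then verify. Not part of the original answer.
param(
    [string]$User = 't2'   # assumed account name, taken from the answer above
)

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$adPath   = "AD:\$domainDN"
$sid      = (Get-ADUser -Identity $User).SID

# Resolve the schemaIDGUID of each attribute from the schema partition. The ACE's
# ObjectType field carries this GUID, which is how a property-specific ACE is scoped.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($attr in 'gPLink', 'gPOptions') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuids[$attr] = [guid]$schemaObj.schemaIDGUID
}

# Returns the ACEs on the given ACL that apply to our user and one of the two attributes
# (these are the two entries the Delegation tab's Advanced button shows).
function Get-GpLinkAces {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $Acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        ($attrGuids.Values -contains $_.ObjectType)
    }
}

$acl = Get-Acl -Path $adPath
Write-Host "Current gPLink/gPOptions ACEs for $User on $domainDN"
Get-GpLinkAces $acl | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

foreach ($attr in $attrGuids.Keys) {
    # Deny WriteProperty on the attribute, inherited to every container below the
    # domain root so the user cannot link GPOs to OUs either. Denying Write is what
    # blocks linking; add ReadProperty to the rights to mirror the GUI's Deny on both
    # the Read and Write entries.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $attrGuids[$attr],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $adPath -AclObject $acl

# Verify: re-read the ACL and confirm a Deny ACE exists for each attribute.
$after   = Get-Acl -Path $adPath
$denies  = Get-GpLinkAces $after | Where-Object { $_.AccessControlType -eq 'Deny' }
$covered = $denies | ForEach-Object { $_.ObjectType } | Sort-Object -Unique
if ($covered.Count -ne $attrGuids.Count) {
    throw "Expected Deny ACEs for $($attrGuids.Count) attributes, found $($covered.Count)"
}
Write-Host "Deny ACEs in place:"
$denies | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

# With more than one DC, push the change out before testing from another DC.
repadmin /syncall /AdeP | Out-Null

# Test as the user (run in a session as $User, GroupPolicy module loaded); this should fail
# with an access-denied error once the Deny ACE has replicated:
#   New-GPLink -Name 'SomeExistingGPO' -Target $domainDN
```

Two caveats a practitioner should keep in mind: an explicit Allow ACE set directly on an OU is evaluated before the inherited Deny from the domain root, so an OU that already has its own link delegation for this user still lets them link there; and this is a delegation boundary, not a control against administrators, since anyone with Write DACL on the domain object can remove the Deny.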