Tales from the Community: Enforced vs. Block Inheritance

From the Group Policy TechNet Forum, featuring Florian, ever-helpful Group Policy MVP:

What is the difference between “no-override” and “block policy inheritance” in group policy option?


Hey M.!

It looks like you’re trying to tweak how Group Policy gets applied. Questions about “No override” and “Block policy inheritance” are not among the frequently asked questions out there in the Newsgroups or the Forums but definitely one of the more confusing ones - let’s be honest, there are easier things to learn than GP application. It’s not quantum physics…but sort of rocket science, right? For that reason, I hope you don’t mind me turning this into a blog posting.

Before grasping concepts, you will need to have a good understanding of “Basic” Group Policy Precenence which I discuss in this blog post. Basically: GPO’s are applied in the order LSDOU (Local Site Domain OU), and the last writer wins.

Okay, that sounds pretty logical, right? LSDOU, Last Writer Wins, no problem. Now here comes the juicy part. I know you’ve waited for this. GP admins love action. That’s why we’re GP admins. We love to see action. We love to see something actually *happen* on target objects: In order to give administrators the ultimate power, there are ways to …emm... yeah, ‘adjust’ GP processing. To break…I mean… circumvent the domain parts of L-S-D-OU, there are two options, ‘Enforced’ which previously was named ‘No Override’ and ‘Block Inheritance’.

Let’s tackle “Block Inheritance” first. We’ve seen that, from a directory tree perspective, down the tree to the target objects, all GPOs are applied and settings configured there are cumulated – where settings contradict, the last writers win. There may be situations you don’t want that. That’s what “Block Inheritance” is for. For example, we don’t want the IT-OU apply domain-level GPOs. We go right-click the “IT”-OU in GPMC and choose “Block Inheritance” from the context menu. Voilá! You see a blue exclamation mark on the OU icon. From now on, IT objects won’t be bugged with domain-level GPOs. GPOs from levels higher than IT-OU will simply be ignored. Even GPOs from the same level, such as OULevel2-GPO, will. We’ve cut up-level administrators off.


Well, it isn’t that easy. If you’re an up-level administrator, you can just beat that. That’s the second setting we’re going to look at – ‘Enforced’. Enforced is your way of making sure down-level admins don’t cut you off. Right-clicking your favorite GP-link and choosing ‘Enforced’ from the context menu protects the GPO and its settings from being overridden by a later GPO. It even overrides the “Block Inheritance” setting. ‘Enforced’ GPOs are marked with a little lock on the GP-link icon. clip_image002

Didn’t sound too complicated? Well, implementing the whole thing might be an easy thing to do – but debugging GP application issues with lots of Enforced GP-links and blocked inheritances is less fun, I can tell you from experience so my recommendation would be to use these advanced concepts sparingly and with caution.


Florian (Group Policy MVP)