GPO blocking of inheritance

The default processing order of GPOs (see GPO processing order and precedence) can be modified. One way to do so is to block inheritance.

If blocking of inheritance is set on an Organizational Unit, then settings in higher-up Organizational Units and Domain GPOs do not take effect on that Organizational Unit, unless their links are enforced (see GPO enforce policies).

To block inheritance, expand the organizational structure, right-click the Organizational Unit, and click Block Inheritance.

The Group Policy Inheritance tab of the Organizational Unit then shows that the GPOs from the Organizational Units above it and from the Domain are not applied.

To block inheritance using PowerShell, the command is:
Set-GPInheritance -Target "ou=Computers,ou=HQ,dc=company,dc=local" -IsBlocked Yes

This blocks inheritance for the Organizational Unit named Computers in the company.local domain. GPOs that are linked to higher-level sites or domains, or to parent Organizational Units of the OU named Computers, are not applied unless their links are enforced.
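
Because a blocked Organizational Unit stops receiving non-enforced GPOs from above, including any security baseline linked at the domain, it is worth auditing where the setting is in use. The following is an added example, not part of the original article: it assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to the domain, and the function name Get-BlockedInheritanceReport is hypothetical.

```powershell
# Added example: report every OU with Block Inheritance set, which GPOs still
# reach it, and which domain-root GPOs it no longer receives.
# Assumes the ActiveDirectory and GroupPolicy (RSAT) modules are installed.
Import-Module ActiveDirectory, GroupPolicy

function Get-BlockedInheritanceReport {
    param(
        # Where to start the search; defaults to the current domain root.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Links defined directly on the domain root (parent OUs and sites are not
    # examined here; this example narrows the comparison to the domain level).
    $domainDn    = (Get-ADDomain).DistinguishedName
    $domainLinks = (Get-GPInheritance -Target $domainDn).GpoLinks

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $som = Get-GPInheritance -Target $ou.DistinguishedName
        if (-not $som.GpoInheritanceBlocked) { continue }

        # InheritedGpoLinks is the effective list for the OU: its own links
        # plus any enforced links from above that survive the block.
        $effective    = @($som.InheritedGpoLinks)
        $effectiveIds = @($effective | ForEach-Object { $_.GpoId })

        # Enforced links whose target is some other container came from above.
        $enforcedAbove = $effective | Where-Object {
            $_.Enforced -and $_.Target -ne $ou.DistinguishedName
        }

        # Enabled domain-root links that are absent from the effective list.
        $skipped = $domainLinks | Where-Object {
            $_.Enabled -and $_.GpoId -notin $effectiveIds
        }

        [pscustomobject]@{
            OU                = $ou.DistinguishedName
            EffectiveGpos     = $effective.DisplayName -join '; '
            EnforcedFromAbove = $enforcedAbove.DisplayName -join '; '
            DomainGposSkipped = $skipped.DisplayName -join '; '
        }
    }
}

Get-BlockedInheritanceReport | Format-List
```

An OU that shows entries under DomainGposSkipped is not receiving those domain-level settings; enforcing the link (see GPO enforce policies) or linking the GPO directly to the OU restores them.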
