GPO Inheritance Blocked But Still Applying

Daisy Zhou 17,891 Reputation points Microsoft Vendor
2020-07-15T05:43:17.717+00:00

Hi there, I run a small office and due to COVID-19 I've set up users to use RDP to work from home. There have been a couple of times where they accidentally shut down the computer, requiring me to go to the office to turn them on. I added the GPO to the Default Domain Policy to disable the shutdown/sleep from the start menu. While this has been working fine, ideally I could apply this to only RDP sessions, but I couldn't find any GPO for that. That said, I don't want this being applied to my DC, and it is, so on the Default Domain Controller Policy I enabled that GPO, thinking its precedence over the Domain Policy would overwrite it. This didn't work, and the Domain Policy is not enforced. I blocked inheritance on the DC OU, yet the Domain Policy is still applying. I don't understand why/how the Domain Policy is applying when it's not inherited or enforced.
I guess I could just create a new policy and put it into the workstation OU and remove the GPO from the Domain policy; I'm just trying to understand why what I did isn't working as I would expect.
PS: if anyone has advice on how I can apply the GPO only to RDP sessions, I'd be grateful.

Source link:
https://social.technet.microsoft.com/Forums/en-US/f193a12e-1ad4-4377-b46d-028035c1235b/gpo-inheritance-blocked-but-still-applying?forum=winserverGP


Accepted answer
  1. Fan Fan 15,281 Reputation points Microsoft Vendor
    2020-07-15T06:01:49.59+00:00

    Thanks for sharing here!

    As DonPick said, it is not recommended to configure the policies on the DDP. If you want to apply the policy to all the workstations, you can configure it by creating a new GPO. And if you don't want to apply the policy to the DCs, you can use the security filter: don't give the DCs apply permission.

    To prevent members of a group from applying a GPO, you can refer to the following link:

    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo


1 additional answer

  1. Joshua Wyman 6 Reputation points
    2022-10-03T13:09:57.007+00:00

    You can also look at adding a custom security setting on the policy to deny the "Apply Group Policy" right to the Domain Controllers group (or individual DCs) on the policy that has that setting. That way even if the GPO were to be read, it wouldn't be applied.

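The approach from the accepted answer (a separate GPO for the workstations, with security filtering so the DCs never get the apply permission), sketched with the GroupPolicy PowerShell module. This is an added example, not part of the original thread; the GPO name, domain, OU paths and group name are assumed placeholders.

```powershell
# Added example. Values marked "assumed" are placeholders, not from the thread.
Import-Module GroupPolicy   # installed with GPMC / RSAT

$gpoName       = 'Workstations - Hide Power Options'        # assumed GPO name
$workstationOu = 'OU=Workstations,DC=example,DC=com'        # assumed OU path
$dcOu          = 'OU=Domain Controllers,DC=example,DC=com'  # assumed domain
$applyGroup    = 'RDP-Workstations'   # assumed group holding the workstation computer accounts

# 1. Dedicated GPO, linked only to the workstation OU instead of editing the
#    Default Domain Policy. The shutdown/sleep setting itself is then
#    configured in this GPO with the Group Policy Management Editor.
New-GPO -Name $gpoName -Comment 'Hide shutdown/sleep on remote-access workstations' | Out-Null
New-GPLink -Name $gpoName -Target $workstationOu -LinkEnabled Yes | Out-Null

# 2. Security filtering: Authenticated Users (which includes the DCs) keep
#    Read only, and just the workstation group gets Read + Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $applyGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Verify. First the resulting delegation on the new GPO:
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied

#    Then what the Domain Controllers OU actually inherits: whether
#    inheritance is blocked, and which links still reach it (an enforced
#    link is not stopped by Block Inheritance).
$inheritance = Get-GPInheritance -Target $dcOu
'Inheritance blocked on DC OU: {0}' -f $inheritance.GpoInheritanceBlocked
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

After a `gpupdate /force` on a DC, `gpresult /r /scope computer` lists the GPOs that were applied and the ones that were filtered out, which confirms the result from the DC's side.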