question

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT asked FanFan-MSFT answered

GPO Inheritance Blocked But Still Applying

Hi there, I run a small office and due to the covid-19 I've setup users to use RDP to work from home. There has been a couple of times where they accidentally shut down the computer requiring me to go to the office to turn them on. I added the GPO to the Default Domain Policy to disable the shutdown/sleep from the start menu. While this has been working fine, ideally I could apply this to only RDP sessions, but I couldn't find any GPO for that. That said, I don't want this being applied to my DC and it is so on the Default Domain Controller Policy, I enabled that GPO thinking it's precedence over the Domain Policy will overwrite it. This didn't work, and the Domain Policy is not enforced. I blocked inheritance on the DC OU yet the Domain Policy is still applying. I don't understand why/how the Domain Policy is applying when it's not inherited or enforced.
I guess I could just create a new policy and put it into the workstation OU and remove the GPO from the Domain policy, I'm just trying to understand why what I did isn't working as I would expect.
PS if anyone has advise on how I can apply the gpo only to rdp sessions, I'd be grateful.

Source link:
https://social.technet.microsoft.com/Forums/en-US/f193a12e-1ad4-4377-b46d-028035c1235b/gpo-inheritance-blocked-but-still-applying?forum=winserverGP

windows-group-policy
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered

Thanks for sharing here!

As DonPick said , it is not recommend configuring the policies on the DDP , if you want to apply the policy to all the workstations ,you can configure it by creating a new GPO. And if you don't want to apply the policy to the DCs, you can use the security filter ,don't give the DCs apply permission.

To prevent members of a group from applying a GPO, you can refer to the following link:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.