How to Block GPO Inheritance [Quick Guide]

Needing to block inheritance is important, and here's how you do it

Windows 11 ยป How To

Reading time icon 3 min. read

Calendar icon Updated on

by Alexandru Poloboc 

updated on

Share this article

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Key notes

  • Many users have asked how they can block Group Policy inheritance for a domain.
  • Well, as you already know, we have prepared a helpful article to tackle this question.
  • Carefully follow the steps below and you will be done with this sooner than you think.
policy

Administrators can apply hundreds of different settings to objects in AD by establishing Group Policy Objects (GPOs) and associating the GPO to domains, sites, and organizational units (OUs).

You might be wondering how to block inheritance for such groups, so we will show you. We can also show you how to block inheritance for Windows 10 if interested.

What is GPO inheritance, and how does it work?

Well, as you might know, in Active Directory, GPOs are inherited automatically throughout the GPO application order.

So, if a Group Policy setting is enabled at the highest domain level but is not configured at the OU level, the highest domain level setting takes precedence and is applied.

That being said, equally, if a setting is not configured at the domain level and is disabled at the OU level, the OU setting is inherited. 

But there’s also the situation when Group Policy is not applying, but this guide will help fix it.

If you were wondering about the order in which the Group Policy settings take effect, allow us to shed some light on that as well:

  • Local Group Policy settings are always applied first.
  • GPOs linked at the site level are applied next, followed by the GPOs linked at the domain level and OU level. Since GPOs linked to the OU are processed last, they have the highest precedence.
  • For nested OUs, GPOs linked to the parent OUs are applied first, followed by the GPOs linked to the child OU.
  • If multiple GPOs are linked to a container, then the GPO with the lowest link order will have the highest precedence.
  • To view the list of GPOs applied to a container, double-click the container and select theย Group Policy Inheritanceย tab in the right pane.

You may also be interested in how to install Group Policy Management Console on Windows 11.

How do I block Group Policy inheritance for a Domain/OU?

1. Press the Windows key to open the search box. Alternatively, you can press the Start button on the taskbar.

2. Search forย group policy, and select the first result to open theย Edit Group Policyย app.

search for and launch gpedit

3. Go to Group Policy Management and locate the group policy, then accessย Domains and select your domain, and finally go to Default Domain Policy.

4. Under Domain Controllers, locate the domain you wish to stop inheriting settings.

5. Right-click on it and selectย Block Policy inheritance.

block inheritance gpedit

You can easily block the Group Policy inheritance for a specific Domain/OU via the Group Policy Editor. All you need to do is locate your domain in the list and apply the Block Inheritance setting to it.

If you have any trouble, you may also use our guide on how to fix Group Policy in Windows.

Can I disable a GPO entirely?

You should know that, by default, both the Computer Configuration and User Configuration policy settings of a GPO are enabled and applied to all users and computers in the container in which the GPO is linked.

That being said, situations may arise where the GPO has to be disabled for a particular period. So, the answer is yes, you absolutely can.

In case you’re wondering How do I disable a GPO?, take a closer look at our detailed procedure.

  1. Search for group policy, and open the Edit Group Policy app.edit policy
  2. After selecting the GPO you want disabled, select the Details tab on the right-hand side.all settings disabled group policy
  3. Under GPO status, select All settings disabled.
  4. Reboot your PC.

You can also modify such settings using PowerShell, if that is the software you are more comfortable with, just so you know.

If you’re interested, you may even add a VPN by using the Group Policy in Windows, so take a look at this guide.

This is all you need to know about this subject. We hope this article helped you solve whatever problems you are having. Leave a comment below and tell us how you feel about it.

Alexandru Poloboc

Alexandru Poloboc Shield

Tech Journalist

With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor, as well as TV and radio entertainment show host. A certified gadget freak, he always feels the need to surround himself with next-generation electronics. When he is not working, he splits his free time between making music, gaming, playing football, basketball and taking his dogs on adventures.