How to Block Group Policy Inheritance For a Domain/OU

Needing to block inheritance is important, and here's how you do it

by Alexandru Poloboc
Alexandru Poloboc
Alexandru Poloboc
News Editor
With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor,... read more
Reviewed by Vlad Turiceanu
Vlad Turiceanu
Vlad Turiceanu
Passionate about technology, Windows, and everything that has a power button, he spent most of his time developing new skills and learning more about the tech world. Coming... read more
Affiliate Disclosure
  • Many users have asked how they can block Group Policy inheritance for a domain.
  • Well, as you already know, we have prepared a helpful article to tackle this question.
  • Carefully follow the steps below and you will be done with this sooner than you think.

To fix various PC problems, we recommend Restoro PC Repair Tool:
This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues and remove viruses now in 3 easy steps:

  1. Download Restoro PC Repair Tool that comes with Patented Technologies (patent available here).
  2. Click Start Scan to find Windows issues that could be causing PC problems.
  3. Click Repair All to fix issues affecting your computer's security and performance
  • Restoro has been downloaded by 0 readers this month.

Administrators can apply hundreds of different settings to objects in AD by establishing Group Policy Objects (GPOs) and associating the GPO to domains, sites, and organizational units (OUs).

You might be wondering how to block inheritance for such groups, so we will show you. We can also show you how to block inheritance for Windows 10 if you are interested.

What is GPO inheritance and how does it work?

Well, as you might know, in Active Directory, GPOs are inherited automatically throughout the GPO application order.

So, if a Group Policy setting is enabled at the highest domain level but is not configured at the OU level, the highest domain level setting takes precedence and is applied.

That being said, equally, if a setting is not configured at the domain level and is disabled at the OU level, the OU setting is inherited. 

But there’s also the situation when Group Policy is not applying but this guide will help fix it.

If you were wondering about the order in which the Group Policy settings take effect, allow us to shed some light on that as well:

  • Local Group Policy settings are always applied first.
  • GPOs linked at the site level are applied next followed by the GPOs linked at the domain level and OU level. Since GPOs linked to the OU are processed last, they have the highest precedence.
  • For nested OUs, GPOs linked to the parent OUs are applied first followed by the GPOs linked to the child OU.
  • If multiple GPOs are linked to a container, then the GPO with the lowest link order will have the highest precedence.
  • To view the list of GPOs applied to a container, double-click the container and select the Group Policy Inheritance tab in the right pane.

You may also be interested in how to install Group Policy Management Console on Windows 11.

How do I block Group Policy inheritance for a Domain/OU?

1. Press the Windows key to open the search box. Alternatively, you can press the Start button on the taskbar.

2. Search for group policy, and select the first result to open the Edit Group Policy app.

search for and launch gpedit

3. Go to Group Policy Management > Forest:firewall.local > Domains > firewall.local > Default Domain Policy.

4. Under Domain Controllers, locate the domain you wish to stop inheriting settings.

5. Right-click on it and select Block Policy inheritance.

block inheritance gpedit

You can easily block the Group Policy inheritance for a specific Domain/OU via the Group Policy Editor. All you need to do is locate your domain in the list and apply the Block Inheritance setting to it.

If you have any trouble, you may also use our guide on how to fix Group Policy in Windows.

Can I disable a GPO entirely?

You should know that, by default, both the Computer Configuration and User Configuration policy settings of a GPO are enabled and applied to all users and computers present in the container in which the GPO is linked.

That being said, situations may arise in which the GPO has to be disabled for a particular period. So, the answer is yes, you absolutely can.

In case you’re wondering How do I disable a GPO?, take a closer look at our detailed procedure.

  1. Search for group policy, and open the Edit Group Policy app.edit policy
  2. After selecting the GPO you want disabled, select the Details tab on the right-hand side.all settings disabled group policy
  3. Under GPO status, select All settings disabled.
  4. Reboot your PC.

You can also modify such settings using PowerShell, if that is the software you are more comfortable with, just so you know.

If you’re interested, you may even add a VPN by using the Group Policy in Windows so take a look at this guide.

This is all you need to know about this subject. We hope this article helped you solve whatever problems you are having. Leave a comment below and tell us how you feel about it.

Still having issues? Fix them with this tool:


If the advices above haven't solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on to easily address them. After installation, simply click the Start Scan button and then press on Repair All.

This article covers:Topics: