Administrators might configure the domain controller and the Organizational Units (OUs) this way when they want to apply a completely different set of settings to the child OU, so that it can be treated as an individual entity.
To block inheritance on a child OU, you must log on to the domain controller with Enterprise Admin or Domain Admin account credentials. If you do not use one of these accounts to log on to the Windows Server 2012 Active Directory domain controller, you will not be able to block inheritance on the child OU.
Although you can log on to the server locally to make the changes, this approach is not at all recommended for obvious security reasons. You can instead connect to the Windows Server 2012 Active Directory domain controller over Remote Desktop to block group policy inheritance on the target child OU.
Here is what you need to do to block group policy inheritance on a Windows Server 2012 Active Directory domain controller:
- Log on to the Windows Server 2012 Active Directory domain controller with a Domain Admin or Enterprise Admin account.
- If it is not already running, open Server Manager from the bottom left corner of the screen.
- In the Server Manager window, go to the Tools menu on the menu bar.
- From the displayed list, click Group Policy Management.
- In the Group Policy Management snap-in, from the left pane, expand Forest > Domain > <domain name> (MYDOMAIN.COM for this demonstration).
- From the expanded tree, locate the child OU on which you want to block the inheritance from the parent OU.
- Once located, click to select the target child OU.
- After selecting, right-click the child OU.
- From the displayed context menu, click the Block Inheritance option.
- Finally, close the Group Policy Management snap-in.
- Open the Run command box by pressing the Windows + R keys simultaneously.
- In the available field in the Run command box, type the GPUPDATE /FORCE command and press the Enter key to update the group policy settings.
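
The same procedure can be scripted and verified with the GroupPolicy PowerShell module that is installed alongside Group Policy Management. This is an added example, not part of the original walkthrough; the OU path is a hypothetical placeholder, and the script also reports which parent GPOs stop applying, because enforced links continue to apply even when inheritance is blocked.

```powershell
# Added example: scripted equivalent of the GUI steps above, with verification.
# Run in an elevated session as a Domain Admin or Enterprise Admin.
Import-Module GroupPolicy

# Assumed values for illustration; replace with your own domain and child OU.
$Domain  = 'MYDOMAIN.COM'
$ChildOU = 'OU=ChildOU,OU=ParentOU,DC=MYDOMAIN,DC=COM'   # hypothetical OU path

# Snapshot the GPOs that currently reach the OU (direct and inherited links).
$before = Get-GPInheritance -Target $ChildOU -Domain $Domain

# Equivalent of right-click > Block Inheritance in the snap-in.
Set-GPInheritance -Target $ChildOU -Domain $Domain -IsBlocked Yes | Out-Null

# Confirm that the flag is really set on the OU.
$after = Get-GPInheritance -Target $ChildOU -Domain $Domain
if (-not $after.GpoInheritanceBlocked) {
    throw "Block Inheritance is not set on $ChildOU"
}

# GPOs that applied before the change and no longer do. Review this list:
# a security baseline linked at the domain or parent OU may be among them.
$dropped = $before.InheritedGpoLinks |
    Where-Object { $_.GpoId -notin $after.InheritedGpoLinks.GpoId }
Write-Output 'GPOs no longer applied to the child OU:'
$dropped | Select-Object DisplayName, GpoId | Format-Table -AutoSize

# Parent links marked Enforced override Block Inheritance and still apply.
$enforced = $after.InheritedGpoLinks | Where-Object { $_.Enforced }
Write-Output 'Enforced GPOs that still apply despite the block:'
$enforced | Select-Object DisplayName, Target | Format-Table -AutoSize

# Refresh policy on the local machine, as in the final step above.
gpupdate /force
```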

