Inherit GPO


A Source linkable container such as an Organizational Unit (OU) or Domain – but not Sites – contains the Target OU, User, Device, DC, or Read-Only Domain Controller (RODC) in the LDAP tree. This is because the children objects of the linkable container inherit the GPO where it is linked (see "Linked GPO" relations).

Tenable Identity Exposure takes into account whenever an OU blocks inheritance.


Attackers have nothing to do to exploit this relation as long as they manage to compromise the GPO upstream in the attack path. By design, the relation applies to linkable containers and objects below them, as shown by Inherit GPO relations.


In most cases, it is normal and legitimate for GPOs to apply to linkable children containers from their parent containers. However, this linkage exposes additional attack paths.

Therefore, in order to reduce risks, you should link GPOs to the lowest level in the organizational units hierarchy, whenever possible.

Moreover, GPOs require protection from unauthorized modifications by attackers, in order not to expose them to other attack relations.

Finally, OUs can disable GPO inheritance from higher levels through their "block inheritance" option. However, use this option only as a last resort because it blocks all GPOs -- including the potential security hardening GPOs defined at the highest domain level. It also makes the reasoning about applied GPOs more difficult.

See also