Active Directory Group Policy precedence: you have delegated administration of the Michigan and Florida OUs, but you want your Default Domain Policy settings to remain authoritative so OU admins cannot override them with conflicting GPOs. What should you configure?

Difficulty: Easy

Correct Answer: In the contoso.local domain, set the GPO link option to No Override (Enforced)

Explanation:


Introduction / Context:
Group Policy Objects (GPOs) apply in the order: Local → Site → Domain → OU (child last). Child GPOs can normally override parent settings, unless the parent link is marked No Override (called Enforced in newer tools). The requirement is to ensure domain-level settings remain effective even when OU administrators create their own GPOs.


Given Data / Assumptions:

  • Default Domain Policy holds the authoritative settings.
  • Michigan and Florida OUs have delegated admin rights.
  • You need to prevent overrides of domain policy within those OUs.


Concept / Approach:

Setting No Override (Enforced) on the domain-linked GPO ensures its settings cannot be superseded by child OU GPOs. Blocking inheritance at the OU would do the opposite (it would block domain policies), which is not desired. Applying No Override at the OU level does not affect parent policies.


Step-by-Step Solution:

  1. Open Group Policy Management (or, in Windows 2000, AD Users and Computers; GPMC arrived later as an add-on).
  2. Select the domain-level GPO link for Default Domain Policy.
  3. Set the link option to No Override (Enforced).
  4. Verify with Resultant Set of Policy (RSoP) that OU policies cannot override domain settings.


Verification / Alternative check:

Create a conflicting setting in an OU-level test GPO; RSoP should show the domain enforced setting winning.
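
The same procedure and check can be scripted. This is an added example, not part of the original answer: it assumes the GroupPolicy PowerShell module (shipped with GPMC/RSAT on later Windows versions, not Windows 2000) and that the Michigan and Florida OUs sit directly under the contoso.local domain root, so the OU distinguished names are assumed.

```powershell
# Added example. Assumed: GroupPolicy module is installed, and the OU DNs
# below match your directory (they are illustrative, not from the question).
Import-Module GroupPolicy

$domainDn = 'DC=contoso,DC=local'
$gpoName  = 'Default Domain Policy'
$ouDns    = 'OU=Michigan,DC=contoso,DC=local', 'OU=Florida,DC=contoso,DC=local'

# Step 3 of the procedure: mark the domain-level link as Enforced (No Override).
Set-GPLink -Name $gpoName -Target $domainDn -Enforced Yes | Out-Null

# Confirm the flag landed on the domain link and not on some other link.
$domainLink = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $domainLink.Enforced) {
    throw "Link for '$gpoName' at $domainDn is not enforced."
}

# For each delegated OU, report what the OU actually inherits.
foreach ($ou in $ouDns) {
    $som       = Get-GPInheritance -Target $ou
    $inherited = $som.InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }

    [pscustomobject]@{
        OU                 = $ou
        # Block Inheritance set by an OU admin shows up here.
        InheritanceBlocked = $som.GpoInheritanceBlocked
        DomainGpoInherited = [bool]$inherited
        DomainGpoEnforced  = [bool]($inherited | Where-Object Enforced)
        # Order 1 is the highest-precedence GPO in the effective list.
        WinningGpo         = ($som.InheritedGpoLinks | Sort-Object Order |
                                 Select-Object -First 1).DisplayName
        # Enforced flags placed on OU-level links (the "wrong link" pitfall).
        OuEnforcedLinks    = ($som.GpoLinks | Where-Object Enforced).DisplayName -join ', '
    }
}
```

For the RSoP report itself, Get-GPResultantSetOfPolicy in the same module can be run against a test computer and user in one of the OUs.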


Why Other Options Are Wrong:

OU No Override: Does not protect domain GPOs from being overridden.

Block inheritance at domain: Not a valid concept; inheritance blocks are set on child containers.

Block inheritance at OUs: Would block the domain policy rather than protect it.

None: A definite correct configuration exists.


Common Pitfalls:

Confusing Block Inheritance with No Override; misplacing the Enforced flag on the wrong link.


Final Answer:

In the contoso.local domain, set the GPO link option to No Override (Enforced)
