Hi Sud,
Thank you for posting your question on Q/A.
By default, any new OU in Active Directory inherits GPOs from its parent OUs. However, for a stable and compliant Azure Local deployment, Microsoft explicitly recommends creating a dedicated OU for the cluster's computer objects and blocking GPO inheritance for that OU. This ensures that enterprise-wide policies do not interfere with the mandatory security and lifecycle settings managed by Azure Local.
Recommendations:
- Ensure the parent OU has the necessary GPOs linked and permissions configured correctly.
- Enable Block Inheritance on the new OU for your Azure Local instance.
- Verify that the OU and delegated users (e.g., the LCM account) have permissions aligned with Azure Local deployment requirements.
- Be aware that enforced GPOs still apply even if inheritance is blocked; you can use WMI filters to exclude Azure Local computer accounts if needed.
For detailed steps and guidance, please refer to Microsoft’s official documentation:
Prepare Active Directory for Azure Local deployment
Configure custom Active Directory settings for Azure Local
If the answer is helpful, please click "Accept Answer" and "Upvote it". Please let me know in the comments if you have any queries.
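As an added illustration of the steps in the answer above (not code from the answer's author or from Microsoft's documentation), the following PowerShell creates the dedicated OU, blocks GPO inheritance on it, and then reports which enforced GPOs still reach it despite the block. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it may create OUs and change Group Policy links; the OU name and parent path are constructed placeholders.

```powershell
# Added example, not part of the original answer. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are present and the caller can create OUs and edit GP inheritance.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuName     = 'AzureLocal-Cluster01'           # constructed placeholder
$ParentPath = 'OU=Servers,DC=contoso,DC=com'   # constructed placeholder
$OuDn       = "OU=$OuName,$ParentPath"

# 1. Create the dedicated OU for the cluster's computer objects if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuDn'" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $ParentPath -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance so enterprise-wide GPOs linked above this OU no longer apply to it.
Set-GPInheritance -Target $OuDn -IsBlocked Yes | Out-Null

# 3. Verify the result. Block Inheritance does not stop links marked Enforced, so list any
#    enforced links from parent containers that still apply to the new OU.
$inh = Get-GPInheritance -Target $OuDn
"Inheritance blocked on {0}: {1}" -f $OuDn, $inh.GpoInheritanceBlocked

$enforcedFromAbove = $inh.InheritedGpoLinks | Where-Object { $_.Enforced -and $_.Target -ne $OuDn }
if ($enforcedFromAbove) {
    Write-Warning "Enforced GPOs still apply to $OuDn; review them or scope them with a WMI filter:"
    $enforcedFromAbove | Select-Object DisplayName, Target, Enabled, Enforced | Format-Table -AutoSize
} else {
    "No enforced GPOs from parent containers reach $OuDn."
}
```

Run it once from a domain-joined management host; the final table is the check worth repeating after any change to GPO links higher in the tree, since an administrator marking a parent link Enforced silently re-applies it to the cluster OU.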