Group Policy – Disabled SOM – ?

I implemented SCCM 2012 for a client last week and, as per our usual process, implemented an SCCM client health check script which runs as part of a computer startup script in a group policy object.

Came back after a few days – nothing had updated…. “odd” I thought…. but this client had some APPV clients that were still RTM, not SP1 as required for SCCM 2012 and also had disabled VBScript via an archaic method previously…. but the fixes for them seemed to be working.

After running RSOP (server side) and gpresult (client side) – I was getting “disabled SOM” as the reason my GPO was being denied…. never heard of that one before….

Turned out, disabled SOM means “Disabled scope of management” and is commonly caused by using block inheritance in group policy…. as regular readers may know – I hate block inheritance… I think it is generally used poorly.

In this case, I was applying a site-based policy – and someone had enabled block inheritance at the domain level…. (which I’d never seen before)…. because sites are considered to be “above” the domain…. it meant site-linked policies were blocked.. got rid of the block – all was good.

Anyhoo – I thought that was both an odd and interesting one…. one that I’d never seen before and probably never will again!
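
An added example, not part of the original post: a PowerShell audit that lists every place Block Inheritance is set, including the domain root, where it also stops site-linked GPOs as described above. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that it is run from a domain-joined machine with read access to AD.

```powershell
# Added example: find every scope of management (domain root or OU) with
# Block Inheritance enabled. Assumes the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Check the domain root first, then every OU in the domain.
$targets = @($domainDn) +
    @(Get-ADOrganizationalUnit -Filter * |
        Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $som = Get-GPInheritance -Target $dn

    if ($som.GpoInheritanceBlocked) {
        $isRoot = ($dn -eq $domainDn)

        [pscustomobject]@{
            Target       = $dn
            IsDomainRoot = $isRoot
            # GPOs linked directly at this container (unaffected by the block).
            DirectLinks  = ($som.GpoLinks.DisplayName -join '; ')
            # GPOs from higher up that still apply here; with a block in place
            # these are the ones whose links are Enforced.
            StillApplied = ($som.InheritedGpoLinks.DisplayName -join '; ')
            Impact       = if ($isRoot) {
                'Blocks site-linked GPOs for the whole domain unless the link is Enforced'
            } else {
                'Blocks site-, domain- and parent-OU GPOs unless the link is Enforced'
            }
        }
    }
}

if ($report) {
    # Domain-root blocks first: they are the ones that affect site-linked GPOs.
    $report | Sort-Object -Property IsDomainRoot -Descending | Format-List
} else {
    Write-Output "No Block Inheritance found on $domainDn or its OUs."
}

# To clear a block after review (makes a change, so it is left commented out):
# Set-GPInheritance -Target $domainDn -IsBlocked No
```

Running `gpresult /r` on an affected client afterwards confirms whether the site-linked GPO has moved from the denied list to the applied list.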