
Bug: GPOs incorrectly applied when OU has "Block Inheritance" enabled #2052

@Hackndo

Description:

When an OU has Block Inheritance enabled, and a GPO linked to a parent OU is not Enforced, BloodHound still reports that this GPO applies to objects within the OU.
This behavior is inconsistent with how Group Policy inheritance actually works in Active Directory.

Are you intending to fix this bug?

No

Component(s) Affected:

  • Data Collector (SharpHound)
  • Other (processing / logic in graph generation)

Steps to Reproduce:

  1. In Active Directory, create an OU and enable Block Inheritance on it.
  2. Link a GPO to a parent OU or the domain level. Make sure this GPO is not Enforced.
  3. Run a SharpHound collection with -c All.
  4. Import the resulting data into BloodHound and click on the GPO.
  5. Click on "Affected Objects" and then "Computers".

Expected Behavior:

BloodHound should not display that the non-enforced GPO applies to the OU (or its objects) when inheritance is blocked.

Actual Behavior:

BloodHound shows that the GPO does apply to the OU, even though Block Inheritance should prevent it.
This leads to false positives in the "Affected Objects" query on the GPO object (and "Affecting GPOs" on OU objects).

Screenshots/Code Snippets/Sample Files:

GPO example that shouldn't apply to "PROD" OU

"Affecting GPOs" includes the example GPO that shouldn't apply to the "PROD" OU

Relationship that shouldn't exist from example GPO to "PROD" OU

Environment Information:

BloodHound: 8.3.0
Collector: SharpHound 2.8.0 (binary release)
OS: Windows Server 2019

Additional Information:

N/A

Potential Solution (optional):

N/A

Related Issues:

Didn't find an existing issue for this behavior.

Contributor Checklist:

  • I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • I have provided clear steps to reproduce the issue.
  • I have included relevant environment information details.
  • I have attached necessary supporting documents.
  • I have checked that any JSON files I am attempting to upload to BloodHound are valid.
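The inheritance rule behind this report, written out as an added example (this is not code from the issue author or from the BloodHound/SharpHound projects): a GPO linked at the domain or a parent OU reaches a child OU only if no container between the link and the target has Block Inheritance set, unless the link is Enforced, which bypasses blocking. The bit values for gpLink link options (0x1 disabled, 0x2 enforced) and gpOptions (1 = Block Inheritance) are the real attribute semantics; the container names, GPO names and tree shape are constructed to mirror the "PROD" OU in the report. `naive_affecting_gpos` reproduces the over-reporting described above; `effective_gpos` applies the blocking and enforcement rules, and `false_positives` is the difference between the two.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Bit values from the real AD attributes (gpLink link options and gpOptions):
LINK_DISABLED = 0x1                 # gpLink option bit: link is disabled
LINK_ENFORCED = 0x2                 # gpLink option bit: link is Enforced (No Override)
GPOPTIONS_BLOCK_INHERITANCE = 0x1   # gpOptions value: Block Inheritance on this container


@dataclass
class Container:
    """A domain or OU with its GPO links. All instances below are constructed for the example."""
    dn: str
    parent: Optional["Container"] = None
    links: List[Tuple[str, int]] = field(default_factory=list)  # (GPO name, link option bits)
    gp_options: int = 0


def ancestry(target: Container) -> List[Container]:
    """Containers from the domain root down to `target` (domain first, then OUs top-down)."""
    path: List[Container] = []
    node: Optional[Container] = target
    while node is not None:
        path.append(node)
        node = node.parent
    path.reverse()
    return path


def naive_affecting_gpos(target: Container) -> List[str]:
    """The behaviour the issue describes: every enabled link on the target or on any
    ancestor is treated as applying, regardless of Block Inheritance."""
    return [gpo for c in ancestry(target) for gpo, opts in c.links if not opts & LINK_DISABLED]


def effective_gpos(target: Container) -> List[str]:
    """GPOs that actually apply to `target`, in processing order (last applied wins).

    Rules modelled:
      * a link on an ancestor applies unless some container strictly below the link
        (down to and including the target) has Block Inheritance set;
      * Enforced links ignore Block Inheritance and are processed after all normal
        links, with links from higher containers processed last so they take precedence;
      * disabled links never apply.
    Link order among several links on the same container is not modelled.
    """
    path = ancestry(target)
    normal: List[str] = []
    enforced: List[str] = []
    for depth, container in enumerate(path):
        blocked_below = any(c.gp_options & GPOPTIONS_BLOCK_INHERITANCE for c in path[depth + 1:])
        for gpo, opts in container.links:
            if opts & LINK_DISABLED:
                continue
            if opts & LINK_ENFORCED:
                enforced.append(gpo)
            elif not blocked_below:
                normal.append(gpo)
    return normal + list(reversed(enforced))


def false_positives(target: Container) -> List[str]:
    """Links the naive view reports for `target` that Group Policy would not apply."""
    applied = effective_gpos(target)
    return [g for g in naive_affecting_gpos(target) if g not in applied]


def build_example_forest() -> dict:
    """Constructed tree: domain -> Servers OU -> PROD OU (Block Inheritance) and TEST OU."""
    domain = Container("DC=example,DC=test", links=[
        ("Example non-enforced GPO", 0),
        ("Example enforced GPO", LINK_ENFORCED),
        ("Example disabled link GPO", LINK_DISABLED),
    ])
    servers = Container("OU=Servers,DC=example,DC=test", parent=domain,
                        links=[("Servers baseline GPO", 0)])
    prod = Container("OU=PROD,OU=Servers,DC=example,DC=test", parent=servers,
                     links=[("PROD local GPO", 0)],
                     gp_options=GPOPTIONS_BLOCK_INHERITANCE)
    test = Container("OU=TEST,OU=Servers,DC=example,DC=test", parent=servers)
    return {"domain": domain, "servers": servers, "prod": prod, "test": test}


if __name__ == "__main__":
    forest = build_example_forest()
    for name in ("prod", "test"):
        print(name, "naive:", naive_affecting_gpos(forest[name]))
        print(name, "effective:", effective_gpos(forest[name]))
        print(name, "false positives:", false_positives(forest[name]))
```

For the PROD OU the naive view lists the non-enforced domain GPO and the Servers baseline GPO, while the effective list contains only the OU's own link plus the Enforced domain GPO; for the sibling TEST OU, which does not block inheritance, the two views agree. A graph-side check for this bug would therefore be: for each container on the path between a non-enforced link and the object, test gpOptions for the Block Inheritance bit before emitting the relationship.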

Labels: bug (Something isn't working), ticketed (automation only: ticket has been created internally for tracking)