I am trying to configure a domain policy such that the default policy is applied to most machines with a few exceptions. We use "Local Users and Groups" under Preferences > Control Panel Settings in the default domain policy to push down users from a different Forest as Admins/Users/Other Groups on the machines that fall under this policy. I would like to continue doing this at the default policy level, but have an OU with different users and groups pushed down to specific machines.
So far, I've found that configuration of the OU policy appears to be easier if I do not Block Inheritance - this way I can change just a few policies on the OU, which override the default policy and then the rest of the default policy will be pushed down to machines under the OU. However, if I do not block inheritance, ALL users and groups at the default level get pushed down to the OU machines. Is there any way besides blocking inheritance of default policies to prevent this?