ryansta
asked on
AD user/computer policy confusion
What is the difference and precedence/priority for policies attached to users versus those attached to computers. Our AD has a 'computers' OU and a 'users' OU, I'm confused about which take precedence? If you want all student's to not be able to change the desktop (for example), do you do that for the policy attached to the computer's OU or the user's OU? Or both?
And to anwer your question directly :-) .........you would put the students in one ou, apply your desktop policy to them at the ou level.........but leave teachers and staff in the "users" ou with no policies restricting thier desktops......unless you want to annoy *everyone*, of course...........
ASKER
so if a user is a member of OU X, and they logon to OU Y... does their X policy go into effect or the Y policy of the computer?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Answered, in more detail than asked for.
Similarly, if you want to apply policy to a computer...ie all users logging into that machine.....you can also do so for all computers at the "computers" OU level or you can put some machines (for instance, the accounting dept machines) in thier own OU and apply policy just to them.
The main difference is.....do I want to apply the policy to all users who log into particular machines.....in which case you would apply the policy to computers rather than users
or
do I want to apply the policy to particular users, no matter which machine they log in to......in which case you would apply the policy to the users
Note that some policy settings only apply to computers and some settings only apply to users.