?
Solved

AD user/computer policy confusion

Posted on 2003-11-06
6
Medium Priority
?
166 Views
Last Modified: 2011-09-20
What is the difference and precedence/priority for policies attached to users versus those attached to computers. Our AD has a 'computers' OU and a 'users' OU, I'm confused about which take precedence? If you want all student's to not be able to change the desktop (for example), do you do that for the policy attached to the computer's OU or the user's OU? Or both?
0
Comment
Question by:ryansta
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
6 Comments
 
LVL 18

Expert Comment

by:JConchie
ID: 9697785
If you want all students........as opposed to all users........to have a particular policy, you would put those user's in their own OU and enable the settings in the group policy object associated with that OU.....if you want to apply to all users, you would set the policy at the domain level.

Similarly, if you want to apply policy to a computer...ie all users logging into that machine.....you can also do so for all computers at the "computers" OU level or you can put some machines (for instance, the accounting dept machines) in thier own OU and apply policy just to them.

The main difference is.....do I want to apply the policy to all users who log into particular machines.....in which case you would apply the policy to computers rather than users
or
do I want to apply the policy to particular users, no matter which machine they log in to......in which case you would apply the policy to the users

Note that some policy settings only apply to computers and some settings only apply to users.
0
 
LVL 18

Expert Comment

by:JConchie
ID: 9697812
And to anwer your question directly :-)   .........you would put the students in one ou, apply your desktop policy to them at the ou level.........but leave teachers and staff in the "users" ou with no policies restricting thier desktops......unless you want to annoy *everyone*, of course...........
0
 

Author Comment

by:ryansta
ID: 9697852
so if a user is a member of OU X, and they logon to OU Y... does their X policy go into effect or the Y policy of the computer?
0
 
LVL 18

Accepted Solution

by:
JConchie earned 1244 total points
ID: 9697921
Both policies are read........as is the domain level policy.....and all are applied.......if there is a conflict between policies there are rules which decide which policy will apply;

This is a quote from an introduction to group policy at:
http://www.microsoft.com/technet/treeview/default.aspurl=/technet/columns/profwin/pw0502.asp

"Understand that the legacy system policies (ntconfig.pol) always run first for down-level clients (pre-Windows 2000). Windows 2000 and above clients process Local policies first, then Site, Domain and OU policies. A possible way to remember this sequence is the LSD-O acronym.
The last policy that runs always wins. Policies are cumulative, and the last one that runs (typically the OU policy) will win, unless you use the No Override switch on top-level policies. "
0
 
LVL 18

Expert Comment

by:JConchie
ID: 10044603
Answered, in more detail than asked for.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Introducing Priority Question, our latest feature.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses
Course of the Month11 days, 12 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question