AD user/computer policy confusion

What is the difference and precedence/priority for policies attached to users versus those attached to computers. Our AD has a 'computers' OU and a 'users' OU, I'm confused about which take precedence? If you want all student's to not be able to change the desktop (for example), do you do that for the policy attached to the computer's OU or the user's OU? Or both?
ryanstaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JConchieCommented:
If you want all students........as opposed to all users........to have a particular policy, you would put those user's in their own OU and enable the settings in the group policy object associated with that OU.....if you want to apply to all users, you would set the policy at the domain level.

Similarly, if you want to apply policy to a computer...ie all users logging into that machine.....you can also do so for all computers at the "computers" OU level or you can put some machines (for instance, the accounting dept machines) in thier own OU and apply policy just to them.

The main difference is.....do I want to apply the policy to all users who log into particular machines.....in which case you would apply the policy to computers rather than users
or
do I want to apply the policy to particular users, no matter which machine they log in to......in which case you would apply the policy to the users

Note that some policy settings only apply to computers and some settings only apply to users.
0
JConchieCommented:
And to anwer your question directly :-)   .........you would put the students in one ou, apply your desktop policy to them at the ou level.........but leave teachers and staff in the "users" ou with no policies restricting thier desktops......unless you want to annoy *everyone*, of course...........
0
ryanstaAuthor Commented:
so if a user is a member of OU X, and they logon to OU Y... does their X policy go into effect or the Y policy of the computer?
0
JConchieCommented:
Both policies are read........as is the domain level policy.....and all are applied.......if there is a conflict between policies there are rules which decide which policy will apply;

This is a quote from an introduction to group policy at:
http://www.microsoft.com/technet/treeview/default.aspurl=/technet/columns/profwin/pw0502.asp

"Understand that the legacy system policies (ntconfig.pol) always run first for down-level clients (pre-Windows 2000). Windows 2000 and above clients process Local policies first, then Site, Domain and OU policies. A possible way to remember this sequence is the LSD-O acronym.
The last policy that runs always wins. Policies are cumulative, and the last one that runs (typically the OU policy) will win, unless you use the No Override switch on top-level policies. "
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JConchieCommented:
Answered, in more detail than asked for.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.