  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 133

Simple group policy question

I have an OU in Active Directory containing only user objects (no computers) with a group policy assigned to this OU. Am I right in assuming that only settings under "User Configuration" will be applied and any settings under "Computer Configuration" will be ignored?

Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to log in. When a user does actually log in (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?

Thanks in advance
0
machealth
1 Solution
 
theruck Commented:
Computer settings are related to computers and user settings are related to users - I did not tell you any news, I think :)
If you use a user setting, the user can log on to every computer with the settings applied.
If you use a computer setting, then every user on the computer will have the same settings applied.
0
 
Nirmal Sharma, Solution Architect, Commented:
>>>I have an OU in active directory containing only user objects (no computers) with a group policy assigned to this OU. Am I right in assuming that only settings under "User Configuration" will be applied and any settings under "Computer Configuration" will be ignored.

You are wrong here, because it is processed from the server and not from the client machine. Watch the magic here:

1. Computer starts
2. The Winlogon.exe collects all GPOs to be processed to this computer.
3. It will check the ACL for this computer account for this GPO. If the ACL is applied, then Group Policy is applied or processed at the client machine.
4. So here all the Computer Configuration settings are applied.
5. Next user logs on and then Winlogon.exe performs the same task.

So the server will process all settings for the GPO, but it depends on the client machine (winlogon.exe) how it processes the settings in it, because the processing role is played by the client machine and not the server. So the server will push all the settings. That's the reason we sometimes disable either User Configuration or Computer Configuration for performance.

One thing you need to notice here: if you have disabled either User Configuration or Computer Configuration, then it is not applied at all.

>>>Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to login. When a user does actually login (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?

This is the job of Winlogon.exe. It checks the ACL on each object. When it collects the GPO list from the server, it checks this computer account or user account for the ACL. If the ACL says "Read" and "Apply Group Policy" permission, then it gets applied; otherwise it is ignored.

Hope this makes sense.

Thanks


0
 
machealth (Author) Commented:
Thanks for the detailed answer. However, still not sure quite what you mean.

I believe ACLs are used to apply GP settings on a group by group basis? I haven't set up any ACLs for GPO objects.

So, will my "computer configuration" settings be applied from a GPO on an OU that contains only users? Is this how it works:

1) Computer boots and looks for any GPOs applying to the computer object in AD (for which I have none). Hence, no "computer configuration" settings are applied.

2) A user logs on who is a member of an OU. The OU's GPO is then applied, but only the "User Configuration" settings (or are the "Computer Configuration" settings for this GPO applied now? I thought "Computer Configuration" settings were only applied during bootup, not login).

Thanks for your help :)
0
Leandro Iacono, Senior Premier Field Engineer, Commented:
I am studying for 070-217 .. and as I see it ... you are correct ...

Only the User Configurations will be applied ... The computer Configurations are taken from the GP where the Computer Object is located ...

If no GPO is linked to it .. then the Default GP from the Domain is applied ...

At least that's how I see it, and studied it and stuff ...
0
 
Leandro Iacono, Senior Premier Field Engineer, Commented:
As stated by Microsoft ... in the 2154 Course ...

http://img85.exs.cx/img85/1879/gpapply5oy.jpg

I know loopback does not apply to your question, but in the second paragraph you have a clear explanation of how policies are applied depending on where the user/computer is .... by default.

Loopback strictly applies User and Computer Configuration in the OU the Computer is, avoiding the GP linked to the user no matter where the user is....

You'll find a better explanation in the picture.

In conclusion, as you said .. by default ... user settings will be applied to users whose GP is linked to them, and the computer GP will be applied to the Computer which is linked to it ...

Good luck...
0
 
Nirmal Sharma, Solution Architect, Commented:
I am out of office and can't post. Will post on Monday.

Thanks
SystmProg
0
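
The scoping rules discussed in this thread, as an added example that is not part of any poster's reply: a small Python model of which GPOs contribute their computer half and their user half, including security filtering, a disabled half, and loopback replace mode. The directory layout, names and the `resultant` helper are constructed for illustration; site links, enforcement, block inheritance and WMI filters are left out.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_enabled: bool = True        # "User Configuration" half not disabled
    computer_enabled: bool = True    # "Computer Configuration" half not disabled
    # Principals holding both Read and Apply Group Policy (security filtering).
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})

def containers(dn):
    """Containers above an object, domain first (naive split; no escaped commas)."""
    parts = dn.split(",")[1:]        # drop the object's own RDN
    return [",".join(parts[i:]) for i in range(len(parts))][::-1]

def in_scope(location_dn, groups, links, half):
    """GPO names whose given half applies, in processing order (last wins)."""
    names = []
    for container in containers(location_dn):
        for gpo in links.get(container, []):
            enabled = gpo.user_enabled if half == "user" else gpo.computer_enabled
            if enabled and gpo.apply_to & groups:
                names.append(gpo.name)
    return names

def resultant(user_dn, user_groups, pc_dn, pc_groups, links, loopback_replace=False):
    # Computer half: only GPOs linked above the *computer* object.
    computer = in_scope(pc_dn, pc_groups, links, "computer")
    # User half: normally GPOs linked above the *user* object; with loopback
    # replace, GPOs at the computer's location, still filtered for the user.
    where = pc_dn if loopback_replace else user_dn
    user = in_scope(where, user_groups, links, "user")
    return {"computer": computer, "user": user}

# Constructed sample directory: OU=Staff holds only user objects.
DOMAIN = "DC=corp,DC=example"
LINKS = {
    DOMAIN: [GPO("Default Domain Policy")],
    "OU=Staff," + DOMAIN: [GPO("Staff Policy")],
    "OU=Workstations," + DOMAIN: [GPO("Workstation Policy")],
}
ALICE, PC01 = "CN=alice,OU=Staff," + DOMAIN, "CN=PC01,OU=Workstations," + DOMAIN
EVERYONE = {"Authenticated Users"}

if __name__ == "__main__":
    print(resultant(ALICE, EVERYONE, PC01, EVERYONE, LINKS))
    print(resultant(ALICE, EVERYONE, PC01, EVERYONE, LINKS, loopback_replace=True))
```

On a live domain the same split can be checked per machine with `gpresult /r /scope:user` and `gpresult /r /scope:computer`.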
