machealth
asked on
Simple group policy question
I have an OU in active directory containing only user objects (no computers) with a group policy assigned to this OU. Am I right in assuming that only settings under "User Configuration" will be applied and any settings under "Computer Configuration" will be ignored.
Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to login. When a user does actually login (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?
Thanks in advance
Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to login. When a user does actually login (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?
Thanks in advance
>>>I have an OU in active directory containing only user objects (no computers) with a group policy assigned to this OU. Am I right in assuming that only settings under "User Configuration" will be applied and any settings under "Computer Configuration" will be ignored.
You are wrong here because from server it is processed and not from client machine. Watch the magic here: -
1. Computer starts
2. The Winlogon.exe collects all GPOs to be processed to this computer.
3. It will check the ACL for this computer account for this GPO. If ACL is applied then Group Policy is applied or processed at client machine.
4. So here all the Computer Configuration settings are applied.
5. Next user logs on and then Winlogon.exe performs the same task.
So server will process all settings for the GPO but it depends on the client machine (winlogon.exe) how it process the settings in it because processing role is palyed by client machine and not server. So server will push all the settings. That's the reason sometimes we disable either User Configuration or Computer Configuration for performance.
Here one thing you need to notice if you have disabled any either User Configuration or Computer Configuration then it is not applied at all.
>>>Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to login. When a user does actually login (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?
This is the job of Winlogon.exe. It checks ACL on each object. When it collects GPO list from server it checks this computer account or user account for ACL. If ACL says "Read" and "Apply Group Policy" permission then it gets applied otherwise ignores.
Hope this make sense.
Thanks
You are wrong here because from server it is processed and not from client machine. Watch the magic here: -
1. Computer starts
2. The Winlogon.exe collects all GPOs to be processed to this computer.
3. It will check the ACL for this computer account for this GPO. If ACL is applied then Group Policy is applied or processed at client machine.
4. So here all the Computer Configuration settings are applied.
5. Next user logs on and then Winlogon.exe performs the same task.
So server will process all settings for the GPO but it depends on the client machine (winlogon.exe) how it process the settings in it because processing role is palyed by client machine and not server. So server will push all the settings. That's the reason sometimes we disable either User Configuration or Computer Configuration for performance.
Here one thing you need to notice if you have disabled any either User Configuration or Computer Configuration then it is not applied at all.
>>>Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to login. When a user does actually login (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?
This is the job of Winlogon.exe. It checks ACL on each object. When it collects GPO list from server it checks this computer account or user account for ACL. If ACL says "Read" and "Apply Group Policy" permission then it gets applied otherwise ignores.
Hope this make sense.
Thanks
ASKER
Thanks for the detailed answer. However still not sure quit what you mean.
I believe ACLs are used to apply GP settings on a group by group basis? I haven't set up any ACLs for GPO objects.
So, will me "computer configuration" settings be applied from a GPO on a OU that contains only users. Is this how it works:
1) computer boots and looks for any GPOs applying to the computer object in AD (for which I have none). Hence, no "computer configuration" settings are applied.
2) User logons on who is a member of an OU. The OU's GPO is then applied, but only the "User Configuration" settings (or are the "Computer Configuration" settings for this GPO applied now???, I though "Computer Configuration" settings were only applied during bootup not login).
Thanks for your help :)
I believe ACLs are used to apply GP settings on a group by group basis? I haven't set up any ACLs for GPO objects.
So, will me "computer configuration" settings be applied from a GPO on a OU that contains only users. Is this how it works:
1) computer boots and looks for any GPOs applying to the computer object in AD (for which I have none). Hence, no "computer configuration" settings are applied.
2) User logons on who is a member of an OU. The OU's GPO is then applied, but only the "User Configuration" settings (or are the "Computer Configuration" settings for this GPO applied now???, I though "Computer Configuration" settings were only applied during bootup not login).
Thanks for your help :)
I am studying for 070-217 .. and as I see it ... you are correct ...
Only the User Configurations will be applied ... The computer Configurations are taken from the GP where the Computer Object is located ...
If not GPO is linked to it .. then the Default GP from the Domain is applied ...
At least thats how I see it, and studied it and stuff ...
Only the User Configurations will be applied ... The computer Configurations are taken from the GP where the Computer Object is located ...
If not GPO is linked to it .. then the Default GP from the Domain is applied ...
At least thats how I see it, and studied it and stuff ...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I am out of office and can't post. Will post on monday.
Thanks
SystmProg
Thanks
SystmProg
if you use a user setting the user can log on every computer with the settings applied.
if you use a computer setting then every user on the computer will have the same settings applied.