?
Solved

Simple group policy question

Posted on 2005-03-28
6
Medium Priority
?
132 Views
Last Modified: 2010-08-05
I have an OU in active directory containing only user objects (no computers) with a group policy assigned to this OU. Am I right in assuming that only settings under "User Configuration" will be applied and any settings under "Computer Configuration" will be ignored.

Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to login. When a user does actually login (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?

Thanks in advance
0
Comment
Question by:machealth
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 14

Expert Comment

by:theruck
ID: 13650428
computer settings are related to computers and user settigns are related to users - i did not tell you any news i think :)
if you use a user setting the user can log on every computer with the settings applied.
if you use a computer setting then every user on the computer will have the same settings applied.
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13650830
>>>I have an OU in active directory containing only user objects (no computers) with a group policy assigned to this OU. Am I right in assuming that only settings under "User Configuration" will be applied and any settings under "Computer Configuration" will be ignored.

You are wrong here because from server it is processed and not from client machine. Watch the magic here: -

1. Computer starts
2. The Winlogon.exe collects all GPOs to be processed to this computer.
3. It will check the ACL for this computer account for this GPO. If ACL is applied then Group Policy is applied or processed at client machine.
4. So here all the Computer Configuration settings are applied.
5. Next user logs on and then Winlogon.exe performs the same task.

So server will process all settings for the GPO but it depends on the client machine (winlogon.exe) how it process the settings in it because processing role is palyed by client machine and not server. So server will push all the settings. That's the reason sometimes we disable either User Configuration or Computer Configuration for performance.

Here one thing you need to notice if you have disabled any either User Configuration or Computer Configuration then it is not applied at all.

>>>Since "Computer Configuration" settings are applied only at boot up, the computer does not yet know which user is going to login. When a user does actually login (and is a member of the OU specified above), are the "Computer Configuration" settings of that GP applied or only the "User Configuration" settings?

This is the job of Winlogon.exe. It checks ACL on each object. When it collects GPO list from server it checks this computer account or user account for ACL. If ACL says "Read" and "Apply Group Policy" permission then it gets applied otherwise ignores.

Hope this make sense.

Thanks


0
 

Author Comment

by:machealth
ID: 13657720
Thanks for the detailed answer. However still not sure quit what you mean.

I believe ACLs are used to apply GP settings on a group by group basis? I haven't set up any ACLs for GPO objects.

So, will me "computer configuration" settings  be applied from a GPO on a OU that contains only users. Is this how it works:

1) computer boots and looks for any GPOs applying to the computer object in AD (for which I have none). Hence, no "computer configuration" settings are applied.

2) User logons on who is a member of an OU. The OU's GPO is then applied, but only the "User Configuration" settings (or are the "Computer Configuration" settings for this GPO applied now???, I though "Computer Configuration" settings were only applied during bootup not login).

Thanks for your help :)
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 8

Expert Comment

by:Leandro Iacono
ID: 13666743
I am studying for 070-217 .. and as I see it ... you are correct ...

Only the User Configurations will be applied ... The computer Configurations are taken from the GP where the Computer Object is located ...

If not GPO is linked to it .. then the Default GP from the Domain is applied ...

At least thats how I see it, and studied it and stuff ...
0
 
LVL 8

Accepted Solution

by:
Leandro Iacono earned 750 total points
ID: 13676708
As stated by microsoft ... in the 2154 Course ...

http://img85.exs.cx/img85/1879/gpapply5oy.jpg

I know loopback does not apply to your question, but in the second paragraph you have a clear explanation of how policys are applied depending on where the user/computer is .... by default.

Loopback strictly applies User and Computer Configuration in the OU the Computer is, avoiding the GP linked to the user no matter where the user is....

You'll find a better explanation in the picture.

In conclusion, as you said .. by default ... user settings will be applied to users whos GP is linked to them, and the computer GP will be applied to the Computer which is linked to it ...

Good luck...
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13679976
I am out of office and can't post. Will post on monday.

Thanks
SystmProg
0

Featured Post

Enroll in August's Course of the Month

August's CompTIA IT Fundamentals course includes 19 hours of basic computer principle modules and prepares you for the certification exam. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question