When building group policys.....

Hi Guys,

i'm looking to add some group policys to lock down client machines, and try and prolong the "breaking" process. Anyway, i'm a little unclear about how group policys work, and was hoping for some explanations.

I have 50 users in the company, and each user has their own machine. I have put all the users that i want to be locked down in there own OU, but i haven't put all their computers in there own OU? should i do this?

also, when i go to edit the policy, it's split into 2 section, "computer configuration" and "user configuration". which one do i need to use? and should i assign these policys the my group of users, or to their machines?

sorry if it seems like a really stupid question.

Thanks, Gavin
Who is Participating?
Debsyl99Connect With a Mentor Commented:
Hi Gavin5511,
Generally you build an active directory structure to best meet your needs in terms of your company structure. I generally have an OU for each geographical office - with this divided into sub OU's for users and computers. User configuration appliess to users - computer configuration applies to computers. You're right in so far that your computers will also need to be in an OU with the computer policy attached - and permissions will need to be set for domain computers to read and apply the policy linked to that OU.

Deb :))
Debsyl99Connect With a Mentor Commented:
As you're running windows 2k3 server you can make use of the GPMC. What workstations are you running?
Group Policy Management Console (GPMC)

Deb :))
Jay_Jay70Connect With a Mentor Commented:
Hi Gavin5511,

couldn't really put it any better than Deb has

by default the group policies will have the correct permissions to apply to users and computer depending which way you go.

as Deb said   user settings apply just to users and computer settings just to computers     this means that if you have a user and computer in the same OU, the policy looks after itself

remember last policy applied wins

LSDOU is the rule for policies

Organisational Unit

if you have an OU nested within an OU   the last applied wins

just a useful tip depending on your AD structure....
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Gavin5511Author Commented:
ok, so am i right in sayin, that if i want to add a policy to a computer (and for everyone that uses the computer) i would just touch the "computer configuration" in the computer OU?

what happens if i set a "user configuration" policy on an OU of computers? and vice versa?
"ok, so am i right in sayin, that if i want to add a policy to a computer (and for everyone that uses the computer) i would just touch the "computer configuration" in the computer OU?" - Yes

"what happens if i set a "user configuration" policy on an OU of computers? and vice versa? "- Nothing - unless there are users also in that OU - in which case the user configuration policy will apply to them.

If you want a separate OU for users and another for computers - that's fine - you can just disable the unused computer or user configuration part of the policy as it prevents uneccessary policy processing. If you want to set one policy for one OU that appliess to bothe users and computers then you can do  that too. You just need to set both computer and user policies and ensure that the users and computers are all in that OU and both domain users and domain computers have read and apply group policy rights to that linked policy.
for admin purposes i find it a lot easier to put computers and users in different OU's - this is just an personal opinion though

Just to add to the advice already given, you can apply user configuration policies to a "computer OU" using loopback processing:  http://support.microsoft.com/?id=231287

This would be useful for instance in a classroom environment where you want a particular user config to happen for anyone that uses those particular computers.
BTW, it sounds like you are basically confused between computer and user configs.

By default (negating loopback processing) you apply a GPO to an OU and let's say you set nothing but computer configuration changes.  Any (by default) computers in that OU and Sub-OUs will get those config changes.  Computer accounts NOT in that OU (either higher up in AD or in a separate OU at the same level) won't get those configuration changes.

Same for users and user configs.

Again, that's by default...

The different sections (computer and user) are based on who/what you want to manipulate.  Anything in the computer section takes place for that computer and anyone that logs on.  However, lots of the configuration options for a "user" aren't in the computer section, and vice versa.  You'll see this as you poke around in a test OU and test GPO.

Loopback processing allows you to have an OU of just computer accounts, but allow you to apply User config settings to it.  That's the non-default way and is really used in special circumstances like I've said above.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.