How are Group Policies applied via Active Directory

Our network is a W2K AD structure.  I use AD and Group Policies (GP) to manage users and computers.  However, I am a little confused about the how policies are applied to objects.  I understand the order of how policies are applied.  Let me give an example.  

In one OU I have the computer object of our terminal server.  In another OU (not sub of previous) I have all the users.  I have a script that runs at login, which is defined under the "user" section of the GP.  I want this script to run only when users log on on the terminal server and not any local workstations (which are defined in a different OU).  If I put the GP in the terminal sever OU the script does not run.  If i put the script in the users OU then the script runs, but on any computer they log on to.  I tried to specify the users and computers the GP applies to using the Security Filtering, but didn't help.  So, I am a little confused as to the security filtering if I have to apply the GP to the OU the user is in.  

AD layout

      |---local domain
              |--- Office OU
                        |--- Users OU
                                   |--- user 1
                                   |--- user 2
                        |---  Workstations OU
                                  |--- computer 1
                                  |--- computer 2
               |---Servers OU
                        |--- Terminal Server OU
                                 |--- terminal server

I have tried to look for a some "not so Microsoft" explanations but haven't found any. Maybe I am using OU's and objects incorrectly.  Maybe I should be leaving users in the default users folder and then placing groups in the other OU's ?  How can I create one policy that defines both Computer and User settings and apply it to the correct users and computers.  It seems that when I create a policy, I should only specify user settings or computers settings and then apply them to the appropriate OU?  But then this puts me back to my current issue.

I use the GPMC on my XP workstation to manage the AD and GPO's.

Can anyone better explain AD and GPO or at least provide a link to a better explanation than MS mumbo jumbo?

Maybe some pictures, pop-ups, coloring areas and mazes. LOL.  Just kidding, but pictures would be nice.
Who is Participating?
Mike KlineConnect With a Mentor Commented:
So you want user GP settings to apply to only one computer.
The way to do this is to use loopback processing.  GP MVP Darren Mar-Elia has a really good explanation of that here
You would create a GPO that applies to the TS server that turns on loopback and then you can apply the user scripts to that GPO too and they should only apply to that TS server.
It won't run on their normal workstations just the TS box.
Let me know if that helps
PlazaPropAuthor Commented:
Thank you.  Your answer provided exactly the answer that I needed for the particular task at hand.  However, do you have any more links that better explain GPO with AD?  Also, does the loopback setting only apply to that specific GPO or does it affect all GPO's applied to the OU?
PlazaPropAuthor Commented:
Does the loopback setting only apply to that specific GPO or does it affect all GPO's applied to the OU?
Do you have any more links that better explain GPO with AD?

Thanks again,

Mike KlineCommented:
The loopback setting will affect every machine underneath that OU.  What a lot of people do is put their terminal server and citrix boxes in a separate OU and those get the loopback setting on.
One place I'd start with more info on group policy is MVP Darren Mar-Elia's site
Another really great training resource are the group policy virtual labs
Lots of great labs on group policy there
PlazaPropAuthor Commented:
Thanks.  I will check em out.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.