How are Group Policies applied via Active Directory
Posted on 2009-02-18
Our network is a W2K AD structure. I use AD and Group Policies (GP) to manage users and computers. However, I am a little confused about the how policies are applied to objects. I understand the order of how policies are applied. Let me give an example.
In one OU I have the computer object of our terminal server. In another OU (not sub of previous) I have all the users. I have a script that runs at login, which is defined under the "user" section of the GP. I want this script to run only when users log on on the terminal server and not any local workstations (which are defined in a different OU). If I put the GP in the terminal sever OU the script does not run. If i put the script in the users OU then the script runs, but on any computer they log on to. I tried to specify the users and computers the GP applies to using the Security Filtering, but didn't help. So, I am a little confused as to the security filtering if I have to apply the GP to the OU the user is in.
|--- Office OU
|--- Users OU
|--- user 1
|--- user 2
|--- Workstations OU
|--- computer 1
|--- computer 2
|--- Terminal Server OU
|--- terminal server
I have tried to look for a some "not so Microsoft" explanations but haven't found any. Maybe I am using OU's and objects incorrectly. Maybe I should be leaving users in the default users folder and then placing groups in the other OU's ? How can I create one policy that defines both Computer and User settings and apply it to the correct users and computers. It seems that when I create a policy, I should only specify user settings or computers settings and then apply them to the appropriate OU? But then this puts me back to my current issue.
I use the GPMC on my XP workstation to manage the AD and GPO's.
Can anyone better explain AD and GPO or at least provide a link to a better explanation than MS mumbo jumbo?
Maybe some pictures, pop-ups, coloring areas and mazes. LOL. Just kidding, but pictures would be nice.