PlazaProp
asked on
How are Group Policies applied via Active Directory
Our network is a W2K AD structure. I use AD and Group Policies (GP) to manage users and computers. However, I am a little confused about how policies are applied to objects. I understand the order of how policies are applied. Let me give an example.
In one OU I have the computer object of our terminal server. In another OU (not sub of previous) I have all the users. I have a script that runs at login, which is defined under the "user" section of the GP. I want this script to run only when users log on to the terminal server and not any local workstations (which are defined in a different OU). If I put the GP in the terminal server OU the script does not run. If I put the script in the users OU then the script runs, but on any computer they log on to. I tried to specify the users and computers the GP applies to using the Security Filtering, but it didn't help. So, I am a little confused as to the security filtering if I have to apply the GP to the OU the user is in.
AD layout
Domains
|---local domain
|--- Office OU
|--- Users OU
|--- user 1
|--- user 2
|--- Workstations OU
|--- computer 1
|--- computer 2
|---Servers OU
|--- Terminal Server OU
|--- terminal server
I have tried to look for some "not so Microsoft" explanations but haven't found any. Maybe I am using OUs and objects incorrectly. Maybe I should be leaving users in the default users folder and then placing groups in the other OUs? How can I create one policy that defines both Computer and User settings and apply it to the correct users and computers? It seems that when I create a policy, I should only specify user settings or computer settings and then apply them to the appropriate OU? But then this puts me back to my current issue.
I use the GPMC on my XP workstation to manage the AD and GPO's.
Can anyone better explain AD and GPO or at least provide a link to a better explanation than MS mumbo jumbo?
Maybe some pictures, pop-ups, coloring areas and mazes. LOL. Just kidding, but pictures would be nice.
ASKER
Does the loopback setting only apply to that specific GPO or does it affect all GPO's applied to the OU?
Do you have any more links that better explain GPO with AD?
Thanks again,
Jeff
The loopback setting will affect every machine underneath that OU. What a lot of people do is put their terminal server and Citrix boxes in a separate OU and those get the loopback setting on.
One place I'd start with more info on group policy is MVP Darren Mar-Elia's site
http://www.gpoguy.com/
Another really great training resource is the group policy virtual labs
http://technet.microsoft.com/en-us/virtuallabs/bb539981.aspx
Lots of great labs on group policy there
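An added illustration, not part of the thread and not Microsoft's code: a simplified Python model of which GPOs supply user settings at logon, with and without loopback on the terminal server's OU. The OU nesting is assumed from the layout in the question, the GPO names are hypothetical, and security filtering, WMI filters, enforcement, blocked inheritance, site and local policy are ignored.

```python
# Simplified model: which GPOs supply *user* settings when a user logs on.
# Constructed data; GPO names are hypothetical.

# Object -> containers from the domain root down (layout assumed from the question).
LOCATION = {
    "user 1": ["local domain", "Office OU", "Users OU"],
    "computer 1": ["local domain", "Office OU", "Workstations OU"],
    "terminal server": ["local domain", "Servers OU", "Terminal Server OU"],
}
# Container -> GPOs linked there.
LINKS = {
    "local domain": ["Default Domain Policy"],
    "Users OU": ["Users Baseline"],
    "Terminal Server OU": ["TS Logon Script"],
}
# GPO -> loopback mode set in its Computer Configuration ("merge" or "replace").
LOOPBACK = {"TS Logon Script": "replace"}


def gpos_in_scope(obj):
    """GPOs linked along the object's path, root first; later entries win conflicts."""
    return [g for container in LOCATION[obj] for g in LINKS.get(container, [])]


def loopback_mode(computer):
    """Loopback is a computer setting, so the last GPO in the computer's scope wins."""
    mode = None
    for gpo in gpos_in_scope(computer):
        mode = LOOPBACK.get(gpo, mode)
    return mode


def user_policy_sources(user, computer):
    """Ordered GPOs whose User Configuration is applied at this logon."""
    from_user, from_computer = gpos_in_scope(user), gpos_in_scope(computer)
    mode = loopback_mode(computer)
    if mode == "replace":        # the user's own GPO list is ignored
        return from_computer
    if mode == "merge":          # computer's list is appended and wins conflicts
        combined = from_user + from_computer
        return [g for i, g in enumerate(combined) if g not in combined[i + 1:]]
    return from_user             # no loopback: computer location is irrelevant


if __name__ == "__main__":
    for pc in ("computer 1", "terminal server"):
        print(pc, "->", user_policy_sources("user 1", pc))
```

With `LOOPBACK` emptied, the GPO linked only to the Terminal Server OU never reaches the user's list, which is the behaviour described in the question.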
ASKER
Thanks. I will check em out.