?
Solved

Gpedit.msc

Posted on 2009-12-30
13
Medium Priority
?
819 Views
Last Modified: 2013-12-04
Hey Guys,

I am a bit bit confused about gpedit.msc.

If I do any changes from start>>run>>gpeit.msc

And create a new policy on a OU (Under properties>>group policy tab) from AD.

Which one takes effect on the user etc.
Can you please explain how that works.

Also for example if I want the user to automatically logoff after logon hours. Where would I make that change, on the OU properties or run>>gpedit.msc

Thanks
0
Comment
Question by:Shivtek
  • 5
  • 4
  • 2
  • +2
13 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 26147394
So if you are on a machine and use gpedit and make that change that is a local policy.  
Group policies are applied using the LSDOU principle
So applied in this order
  • Local
  • Site
  • Domain
  • OU
More on LSDOU here  http://technet.microsoft.com/en-us/library/dd277394.aspx
The policy set locally will apply but if you have that same policy set at the higher levels they will apply and "win".   If you set the policy locally and it is not set at a higher level then the local policy will apply.
We set most of our policies at the domain or OU level.
Thanks
Mike
0
 
LVL 1

Author Comment

by:Shivtek
ID: 26147435
This was very good!!!

So if I make any changes from gpedit and not do anything on the OU. GPEDIT will apply.

But if on a OU I enter another policy. That specific policy will apply. Does that policy have the settings made in gpedit ? or its all default?

Please clarify what I understand is right.
Thanks
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 500 total points
ID: 26147436
If you have not already downloaded the Group Policy Management Console with Service Pack 1, may I suggest you do so?  It makes GPO management much easier:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Justin
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 6

Expert Comment

by:Vaidas911
ID: 26147438
Create OU for computers and users, and create policies for those OU. GPO will work for specified OU, and if there are only users in particular OU, only users GPO settings will apply.
0
 
LVL 1

Author Comment

by:Shivtek
ID: 26147492
I had installed GPO sp1 already.

So when a policy is created under a OU, It wont pick the changes already made in gpedit?
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 26147518
  • So if I make any changes from gpedit and not do anything on the OU. GPEDIT will apply.
Yes if you make a change locally and have no other GPO's at the site, domain, or OU level setting the same thing then that will apply.


  • But if on a OU I enter another policy. That specific policy will apply. Does that policy have the settings made in gpedit ? or its all default?
Yes if at the OU level you set the value of the same setting to something different that will win.  That policy will not have the settings made locally in gpedit.  A new policy starts with nothing set/default.
Thanks
mike

0
 
LVL 1

Author Comment

by:Shivtek
ID: 26147560
Mike that answered my question to the best.
0
 
LVL 6

Assisted Solution

by:Vaidas911
Vaidas911 earned 500 total points
ID: 26147567
gpedit is just console, a tool for you to add GPO (Group policy object). Those object apply under sertain OU (organizational units). Create as many OU as you want to separate computers and users with different policies and create those policies (GPO) under those OU.
0
 
LVL 1

Author Comment

by:Shivtek
ID: 26147584
Currently I have setup each user to be a local admin for their computers...and that allows them to do whatever they want on the c:.

Is that a wise thing to do?
0
 
LVL 6

Expert Comment

by:Vaidas911
ID: 26147731
Giving admin permisions is not the smartest thing, but you know what you have to do.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 26147751
Wise or not wise. Depends on what side you sits on :)

Users hates being restricted and management hate to let the emploess mess things up that affects their productivity.

Making them all local admins might be a risk according to viruses and getting junk installed on their (the company's) PC.
0
 
LVL 1

Author Comment

by:Shivtek
ID: 26148018
I am only trying to do this so they save important stuff on their user shares...so that its safe...as servers are always backed up.
0
 
LVL 6

Expert Comment

by:Vaidas911
ID: 26148365
Admin rigths in local computer can cost company a lot, if users install not licensed software (CADs or other). Also it might become a gaming computer with fun stuff in it, and management doesn't like it very much.
If you have smart enough users, create the restricted user (regular domain user) for everyday work, and give them a password of local administrator, in case they will need minor changes. Computers will be more safe, and you will be more of a friend to users.
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question