Re: GP Policy setup

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 10/25/04 

Date: Mon, 25 Oct 2004 12:13:22 -0400

Adam,

Glad that you understand this a bit better now and that things are working.
This is a very involved technology but is really quite simple ( er, did I
just jinx myself? ) once you get the hang of it. Deploying software via GPO
is a really great thing!

Cary

"stopnowgo" <stopnowgo@discussions.microsoft.com> wrote in message
news:ABDA5AAF-188B-4E7F-81D9-4DC1218F974D@microsoft.com...
> Cary,
>
> Thanks for all the info. I figured out that there were two settings. User
> and computer, yes it was obvious once I looked at it. Then, I added my
user
> to the OU and "what do you know", it worked. The user settings were the
> settings that were not being applied. Thanks for helping me understand GP
in
> a more clear light.
>
> Adam
>
> "Cary Shultz [A.D. MVP]" wrote:
>
> > Howdy!
> >
> > First of all, what exactly is not working? What settings did you
configure?
> > Did you reboot the computers? Did you give it time ( the GPO ) to
replicate
> > should you have multiple Domain Controllers and / or multiple Sites?
> >
> > Here is how things are supposed to work. I will use 'normal GPO
language'
> > with some 'newbie translations'.
> >
> > First of all, you need to know that there are two sides to each Group
Policy
> > Object. There is the Group Policy Template ( GPT ) and there is the
Group
> > Policy Container ( GPC ). The GPT resides in the shared SYSVOL
directory
> > structure and the GPC lives within Active Directory in the Domain NC (
> > partition ). So, what does this all mean? It means that a section of
the
> > settings are stored in one place and the other settings are stored in
> > another place. Make sense so far? Through the various replication
> > structures [ the GPC is subject to Active Directory replication while
the
> > GPT is subject to File Replication Services ( FRS ) replication ].
> >
> > There are also two parts: the User Configuration and the Computer
> > Configuration. You configure the User Configuration side of things to
> > affect user account objects and you configure the Computer Configuration
> > side of things to affect computer account objects. Although this seems
> > clear, it is important to know.
> >
> > Now, a GPO can be linked to four levels: the Local-level, the
Site-level,
> > the Domain-level and the OU-level. This is also the 'pecking order'.
So,
> > if you have a setting within a GPO that is linked at the Domain-level
and it
> > is conflicted with a setting within a GPO that is linked to the OU-level
> > then the setting at the OU-level wins. It is usually the last setting
that
> > wins. Now, you can also have multiple GPOs linked at the same level (
at
> > the OU-level, for example ). Again, it is the last setting that wins.
So,
> > whatever appears at the bottom of the list is processed first. Whatever
is
> > listed above that is processed second. Whatever is listed at the top is
> > processed last.
> >
> > Now, when do these GPOs come into affect? Well, first the settings
> > configured in the Computer Configuration side of things are processed
when
> > the computer is rebooted. Well, just any computer? No. In order for a
> > computer account object to fall under the Scope of Management ( SOM ) of
a
> > GPO the computer account object must directly reside in the OU to which
the
> > GPO is linked. Granted, there are other levels ( the Domain- and the
> > Site-levels: I am going to only talk about the OU-level here ). Let's
just
> > talk about the OU-level for now. If the computer account object does
not
> > directly reside in the OU to which the GPO is linked then it does not
fall
> > under the SOM of that GPO. Still making sense? There are a couple of
ways
> > to massage this. But we will keep it simple for the moment. So, the
> > settings that are configured in the Computer Configuration side of
things
> > for this GPO are processed by the computer. You are then asked to log
on by
> > providing your user name and password. At this point the User
Configuration
> > side of things settings are processed based on which GPOs are linked to
the
> > OU in which the user account object directly resides. The same pecking
> > order applies ( local, Site, Domain, OU ).
> >
> > So, in a nutshell, the computer configuration settings of the GPOs that
are
> > linked to the OU in which the computer account object directly resides
are
> > processed at the time that the computer reboots and then the user
> > configuration settings of the GPOs that are linked to the OU in which
the
> > user account object directly resides are processed at the time that the
user
> > logs on.
> >
> > Was this basic enough or too informative?
> >
> > If it is too informative then consider this:
> >
> > The computer stuff is processed when the computer boots up and the user
> > stuff is processed when the user logs on. The computer needs to be in
the
> > OU where the GPO is created ( when you create the GPO you are really
doing
> > three things - even it is blank at that time ) and the user needs to be
in
> > the OU where the GPO is created.
> >
> > Now, for troubleshooting. Let's start with the most basic of all: DNS.
The
> > client workstation gets its IP Address from DHCP I assume. I further
assume
> > that DHCP provides additional information to its clients, such as
Default
> > Gateway and DNS/WINS Server information. Do your clients have the
correct
> > DNS Server information? Meaning, do they point to your internal DNS
> > Server(s) and not to your ISP's DNS Server information?
> >
> > HTH,
> >
> > Cary
> >
> >
> >
> >
> >
> > "stopnowgo" <stopnowgo@discussions.microsoft.com> wrote in message
> > news:F1DDE3F9-6C4B-462C-8A7A-23CE084AD4BA@microsoft.com...
> > > I am a newbie to gp. I have created an ou containing 13 computers and
> > created
> > > a gpo with gpmc. I have linked the gpo to my ou. It does not seem to
be
> > being
> > > applied. Does any one have a link to a site that can explain to me in
> > basic
> > > newbie speak. Microsofts site is much to informative at this time for
me.
> > Any
> > > help is appreciated. Thanks
> >
> >
> >

Relevant Pages

  • Re: Proxy Settings
    ... A GPO is logically made up of two sections - Computer Configuration and User ... Settings under User Configuration affect user accounts the ...
    (microsoft.public.win2000.active_directory)
  • Re: OU GPO - Problem setting TS Profile Path for users under a specifi
    ... You are configuring settings under Computer Configuration in a GPO ...
    (microsoft.public.windows.terminal_services)
  • Re: GPO not taking affect
    ... A GPO is logically made up of two sections - Computer Configuration and User ... Settings under User Configuration affect user accounts the ...
    (microsoft.public.win2000.group_policy)
  • Re: GP Policy setup
    ... I figured out that there were two settings. ... I will use 'normal GPO language' ... > There are also two parts: the User Configuration and the Computer ... > GPO the computer account object must directly reside in the OU to which the ...
    (microsoft.public.win2000.group_policy)
  • Re: Complex GPO Configuration Issue
    ... The user settings are definitely enabled on the policy in question. ... pushing GPO to do something it was never intended to do. ... > Loopback processing is computer configuration. ...
    (microsoft.public.windows.group_policy)
Loading