Re: Computer vs. User configuration



Hi Bart.

It is not that you cannot configure a Group Policy with settings enabled
for computer configuration on an OU that contains only users, but you would
be like a preacher giving a sermon to an empty church. Those computer
configuration settings have no computers to apply them to and they will not
apply to users.

The default domain Group Policy is a good example of a Group Policy that
often applies to both users and computers though by default there are no
settings configured for user configuration.

Though you may want to "It seems like you would always put your users into
OU's, then assign to those OU's GPO's that have User Configuration Settings
exclusively. Similarly, it seems like you would always put your computers
into OU's, then assign to those OU's GPO's that have Computer Configuration
Settings exclusively. I've never seen this written anywhere", I have never
seen that referred to as a best practice. Group Policy is designed to be
very flexible.

In some cases you may have an OU structure that can have many sub OUs and
have delegated authority of those sub OUs to others, and they may have OUs
with just users and computers. However, you may have a GPO at the top OU with
no override enabled that you want to make sure is applied to all users and
computers in the OU structure no matter how many computer/user OUs there
are. In such a case you may very well have settings for user and computer
configuration in that GPO. --- Steve


"Bart-man" <Bartman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D188094-D516-4479-8442-914FED35F81E@xxxxxxxxxxxxxxxx
> Steven,
>
> Thanks for your reply.
>
> My DNS/AD is working perfectly, no problems there. I am interested only in
> this one question about two versions of configuration settings and two
> versions of OU's, and should Users settings always stay with User OU's, and
> Computer settings always stay with Computer OU's.
>
> So according to your post below, one would never assign a GPO with User
> Configuration settings in it to an OU with computers. Makes sense.
>
> Would one also never apply a GPO with Computer Configuration settings in it
> to an OU with Users?
>
> This is my one question, and I'm surprised that I can't find any info about
> this--it's such a basic issue.
>
> It seems like you would always put your users into OU's, then assign to
> those OU's GPO's that have User Configuration Settings exclusively.
> Similarly, it seems like you would always put your computers into OU's, then
> assign to those OU's GPO's that have Computer Configuration Settings
> exclusively. I've never seen this written anywhere.
>
> Thanks, Bart
>
> "Steven L Umbach" wrote:
>
>> If you have user configuration settings defined in an OU that contains only
>> computers then there is no user to apply the user configuration settings to.
>> The only exception would be if you have loopback processing enabled on the
>> computer container which is for special situations and not the norm. I have
>> never had a problem nor seen a best practice that you should only define
>> user configuration to an OU that contains strictly users or vice versa. If
>> you are having inconsistent application of Group Policy settings to users or
>> computers I would first verify that DNS is configured correctly for the
>> domain as DNS misconfiguration is by far the main cause of Group Policy and
>> Active Directory problems. The tools netdiag, gpresult, and gpotool are
>> invaluable in troubleshooting Group Policy/AD problems. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --- DNS FAQ
>>
>> "Bart-man" <Bartman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:181450B9-6D46-48E1-A499-333D3AC92472@xxxxxxxxxxxxxxxx
>> > I do understand your post below. However, I'm still wondering if all user
>> > configuration settings will be effective if I apply them to an OU
>> > containing computers, and vice versa. It seems hit and miss to me, and I
>> > was wondering if there was a "best practices" to applying user config
>> > settings only to user OU's, etc.
>> >
>> > Thanks for your help,
>> >
>> > Bart
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> OU's may also contain both computers and users or have sub OUs that contain
>> >> only computers or only users. Best practice is to design your OU and Group
>> >> Policy structure that suits your needs keeping in mind that OUs can be used
>> >> for logical organization by managed groups users/computers, geographical
>> >> organization, or combination of both and for delegation of authority and
>> >> applying Group Policy. There is no stamped in stone correct way. However, if
>> >> you have a Group Policy that is not meant to apply any settings to a user or
>> >> computer then disable that configuration part of the Group Policy. I hope
>> >> that was not too confusing. --- Steve
>> >>
>> >>
>> >> "Bart-man" <Bart-man@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:E37EA7EF-96B2-4F7B-BECF-EC394E8CFAF9@xxxxxxxxxxxxxxxx
>> >> > In creating Group Policies you can set both User Configuration and
>> >> > Computer configuration settings. Then, you can apply these gpo's to OU's
>> >> > containing either Computers or Users.
>> >> >
>> >> > Do you always assign GPO's with Computer Configuration settings to OU's
>> >> > containing Computers, and assign GPO's with User Configuration Settings
>> >> > to OU's containing Users?
>> >> >
>> >> > It seems that sometimes a GPO setting won't have any effect if, for
>> >> > example, it is a user configuration setting applied to a Computer OU.
>> >> > What is the rule of thumb here?
>> >>
>> >>
>> >>
>>
>>
>>
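
An added example, not part of the original thread and not Microsoft tooling: a small Python model of the scoping rule discussed above. It flags the enabled half of a linked GPO that has no object to apply to (the "empty church" case, and the half Steve suggests disabling), with the loopback exception. It models downward inheritance only and ignores security filtering, WMI filters, block inheritance and No Override; the per-OU loopback flag and every OU, GPO and account name are constructed assumptions.

```python
# Added illustration; every OU, GPO and account name below is constructed.
from dataclasses import dataclass, field

@dataclass
class OU:
    name: str
    users: list = field(default_factory=list)
    computers: list = field(default_factory=list)
    children: list = field(default_factory=list)
    loopback: bool = False  # assumption: computers in this OU run loopback processing

@dataclass
class GPO:
    name: str
    user_enabled: bool = True
    computer_enabled: bool = True

def subtree(ou):
    """Yield the OU and every OU beneath it (links are inherited downward)."""
    yield ou
    for child in ou.children:
        yield from subtree(child)

def idle_halves(gpo, ou):
    """Return the enabled halves of gpo that reach no object when linked at ou."""
    nodes = list(subtree(ou))
    has_users = any(n.users for n in nodes)
    has_computers = any(n.computers for n in nodes)
    # Loopback lets the user half apply through the computer that receives the GPO.
    via_loopback = any(n.loopback and n.computers for n in nodes)
    idle = []
    if gpo.user_enabled and not (has_users or via_loopback):
        idle.append("user")
    if gpo.computer_enabled and not has_computers:
        idle.append("computer")
    return idle

def sample_audit():
    staff = OU("Staff", users=["alice", "bob"])
    desks = OU("Workstations", computers=["WS01", "WS02"])
    kiosks = OU("Kiosks", computers=["KIOSK1"], loopback=True)
    corp = OU("Corp", children=[staff, desks, kiosks])
    links = [(GPO("Baseline"), corp), (GPO("Firewall"), staff),
             (GPO("DesktopLock"), desks), (GPO("KioskShell"), kiosks),
             (GPO("FirewallTrimmed", computer_enabled=False), staff)]
    return {g.name: idle_halves(g, ou) for g, ou in links}

if __name__ == "__main__":
    for name, idle in sample_audit().items():
        print(f"{name:16} idle halves: {idle or 'none'}")
```

In the constructed directory, the GPO linked at the top OU uses both halves, while the same kind of GPO linked to a users-only or computers-only OU leaves one half idle unless loopback is in play.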

