Re: Computer vs. User configuration
- From: "Bart-man" <Bartman@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 3 Jun 2005 11:40:02 -0700
Steven,
"It is not that you can not configure a Group Policy with settings enabled
for computer configuration on an OU that contains only users but you would
be like a preacher giving a sermon to an empty church." Well, that's my
point. Group Policy may be flexible, but it seems a bit too flexible as it
gives you an even 50/50 chance of "preaching to an empty church."
Your explanation of a top level GPO with no override filtering down to
sub-OU's that contain both Computers and Users makes sense. It's the only
scenario I can imagine having both user and computer configuration settings
in the same GPO.
Thanks again for your help,
Bart
"Steven L Umbach" wrote:
> Hi Bart.
>
> It is not that you can not configure a Group Policy with settings enabled
> for computer configuration on an OU that contains only users but you would
> be like a preacher giving a sermon to an empty church. Those computer
> configuration settings have no computers to apply them to and they will not
> apply to users.
>
> The default domain Group Policy is a good example of a Group Policy that
> often applies to both users and computers though by default there are no
> settings configured for user configuration.
>
> Though you may want to " It seems like you would always put your users into
> OU's, then assign to
> those OU's GPO's that have User Configuration Settings exclusively.
> Similarly, it seems like you would always put your computers into OU's,
> then
> assign to those OU's GPO's that have Computer Configuration Settings
> exclusively. I've never seen this written anywhere" I have never seen that
> referred to as a best practice. Group Policy is designed to be very
> flexible.
>
> In some cases you may have an OU structure that can have many sub OUs and
> have delegated authority of those sub OU's to others and they may have OUs
> with just user and computers. However you may have a GPO at the top OU with
> no override enabled that you want to make sure is applied to all users and
> computers in the OU structure no matter how many computer/user OUs there
> are. In such case you may very well have settings for user and computer
> configuration in that GPO. --- Steve
>
>
> "Bart-man" <Bartman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:2D188094-D516-4479-8442-914FED35F81E@xxxxxxxxxxxxxxxx
> > Steven,
> >
> > Thanks for your reply.
> >
> > My DNS/AD is working perfectly, no problems there. I am interested only in
> > this one question about two versions of configuration settings and two
> > versions of OU's, and should Users settings always stay with User OU's,
> > and
> > Computer settings always stay with Computer OU's.
> >
> > So according to your post below, one would never assign a GPO with User
> > Configuration settings in it to an OU with computers. Makes sense.
> >
> > Would one also never apply a GPO with Computer Configuration settings in
> > it
> > to an OU with Users?
> >
> > This is my one question, and I'm surprised that I can't find any info
> > about
> > this--it's such a basic issue.
> >
> > It seems like you would always put your users into OU's, then assign to
> > those OU's GPO's that have User Configuration Settings exclusively.
> > Similarly, it seems like you would always put your computers into OU's,
> > then
> > assign to those OU's GPO's that have Computer Configuration Settings
> > exclusively. I've never seen this written anywhere.
> >
> > Thanks, Bart
> >
> >
> >
> >
> >
> >
> > "Steven L Umbach" wrote:
> >
> >> If you have user configuration settings defined in an OU that contains
> >> only
> >> computers then there is no user to apply the user configuration settings
> >> to.
> >> The only exception would be if you have loopback processing enabled on
> >> the
> >> computer container which is for special situations and not the norm. I
> >> have
> >> never had a problem nor seen a best practice that you should only define
> >> user configuration to an OU that contains strictly users or vice versa.
> >> If
> >> you are having inconsistent application of Group Policy settings to users
> >> or
> >> computers I would first verify that DNS is configured correctly for the
> >> domain as dns misconfiguration is by far the main cause of Group Policy
> >> and
> >> Active Directory problems. The tools netdiag, gpresult, and gpotool are
> >> invaluable in troubleshooting Group Policy/AD problems. --- Steve
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 ---
> >> DNS
> >> FAQ
> >>
> >> "Bart-man" <Bartman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:181450B9-6D46-48E1-A499-333D3AC92472@xxxxxxxxxxxxxxxx
> >> >I do understand your post below. However, I'm still wondering if all
> >> >user
> >> > configuration settings will be effective if I apply them to an OU
> >> > containing
> >> > computers, and vise versa. It seems hit and miss to me, and I was
> >> > wondering
> >> > if there was a "best practices" to applying user config settings only
> >> > to
> >> > user
> >> > OU's, etc.
> >> >
> >> > Thanks for you help,
> >> >
> >> > Bart
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> OU's may also contain both computer and users or have sub OUs that
> >> >> contain
> >> >> only computer or only users. Best practice is to design your OU and
> >> >> Group
> >> >> Policy structure that suits your needs keeping in mind that OUs can be
> >> >> used
> >> >> for logical organization by managed groups users/computers,
> >> >> geographical
> >> >> organization, or combination of both and for delegation of authority
> >> >> and
> >> >> applying Group Policy. There is not stamped in stone correct way.
> >> >> However
> >> >> if
> >> >> you have a Group Policy that is not meant to apply any settings to a
> >> >> user
> >> >> or
> >> >> computer then disable that configuration part of the Group Policy. I
> >> >> hope
> >> >> that was not too confusing. --- Steve
> >> >>
> >> >>
> >> >> "Bart-man" <Bart-man@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:E37EA7EF-96B2-4F7B-BECF-EC394E8CFAF9@xxxxxxxxxxxxxxxx
> >> >> > In creating Group Policies you can set both User Configuration and
> >> >> > Computer
> >> >> > configuration settings. Then, you can apply these gpo's to OU's
> >> >> > containing
> >> >> > either Computers or Users.
> >> >> >
> >> >> > Do you always assign GPO's with Computer Configuration settings to
> >> >> > OU's
> >> >> > containing Computers, and assign GPO's with User Configuration
> >> >> > Settings
> >> >> > to
> >> >> > OU's containing Users?
> >> >> >
> >> >> > It seems that sometimes a GPO setting won't have any effect if, for
> >> >> > example,
> >> >> > it is a user configuration setting applied to a Computer OU. What is
> >> >> > the
> >> >> > rule
> >> >> > of thumb here?
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
.
- Follow-Ups:
- Re: Computer vs. User configuration
- From: Robert LeBlanc
- Re: Computer vs. User configuration
- References:
- Computer vs. User configuration
- From: Bart-man
- Re: Computer vs. User configuration
- From: Steven L Umbach
- Re: Computer vs. User configuration
- From: Bart-man
- Re: Computer vs. User configuration
- From: Steven L Umbach
- Re: Computer vs. User configuration
- From: Bart-man
- Re: Computer vs. User configuration
- From: Steven L Umbach
- Computer vs. User configuration
- Prev by Date: Re: Computer vs. User configuration
- Next by Date: Group Policy for limited users
- Previous by thread: Re: Computer vs. User configuration
- Next by thread: Re: Computer vs. User configuration
- Index(es):
Relevant Pages
|
