Re: GPO question. Probably an obvious answer.



Florian Frommherz [MVP] wrote:
Howdie!

Ryan schrieb:
When I set up a GPO for SBSComputers, if that GPO has any changes
under the "user" side, they don't get applied. But If I add that
same GPO to SBSUsers those user side changes get applied. And
surprise, if I check gpresult out, it says both under the Computer
and User results that the GPO was applied.

That's how Group Policy works. User objects only apply User
Configuration Settings and computer objects only apply Computer
Configuration settings. "Administrative Templates" for example - those
are plain registry modifications to the system. All "User
Configuration" settings you see, they are merged into the
"HKEY_CURRENT_USER" hive of the registry (on user logon) whereas the
"Computer Configuration" is merged into "HKEY_LOCAL_MACHINE" (on
computer startup). There are different security contexts, as a user
wouldn't be allowed to make changes to the HKEY_LOCAL_MACHINE hive.
Same thing with scripts in Group Policy. Startup scripts run in the
context of "SYSTEM", whereas Logon/Logoff scripts run in the context
of the user logging in.
You can think of this as an architectural issue. User objects will
only apply User Configuration settings and ignore the computer
settings, computer objects only look at the computer configuration
settings.
Is there not a way to have both Computer/User GPO changes in the same
GPO and have them both apply without having the GPO linked under both
Computer AND user? Or is that even the right way to do it? Or for
that matter a GOOD way?

Hum - only if you put all your objects, both user and computer objects
into one OU and link all your stuff there. But I wouldn't do that.
Separating the objects and structuring them makes administration a lot
easier. Why would you want that?

OP:

SBS by design separates users and computers into specific OUs for
administrative purposes. Should you want a single GPO to apply to both, you
should link it at "MyBusiness" OU so that it applies to both the
"Computers\SBSComputers" OU and the "Users\SBSUsers" OU beneath.

For more granular computer or user GP, create an OU under the respective SBS
provided OU and move the objects down.


You could have a look at "Loopback Processing" though. Loopback's for
Terminal Server environments for example - it makes computer settings
look at the user settings linked to its scope and apply them. This can
be used for environments where you'd like to have a specific user
settings enforced on machines, no matter who logs on.

Sorry if this is confusing. I'm wracking my brain trying to
comprehend how this works. I'd figure if you made a GPO it would
see what you wanted to apply and apply it where necessary, not make
you stick it under two categories to get the job done.

I think you need to see this from a different perspective: you can
have two configuration aspects: for users and for machines.

For the machines, you can define a baseline "security" or set of
configuration settings that would apply for departments like "finance"
or "developers". Those settings stick with the machine.

Then there's another setting that needs to stick with the users like
application they need or desktop modifications (like "Hide Control
Panel") that you don't want to have on all machines or all users but
for several ones (e.g. those evil interns always trying to break
security).
cheers,

Florian

--
/kj
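As an added example (my own commands, not kj's or Florian's) of the two approaches in this thread, in PowerShell with the GroupPolicy and ActiveDirectory modules (Server 2008 R2 / RSAT or later; the SBS 2003 GPMC itself has no cmdlets): one GPO carrying both a Computer and a User setting is linked once at "MyBusiness" so both "Computers\SBSComputers" and "Users\SBSUsers" inherit it, and a second GPO with loopback processing is linked to a sub-OU under SBSComputers for the terminal server. The domain DN "DC=example,DC=local", the GPO names, the "TerminalServers" sub-OU and the computer name TS01 are placeholders; the OU layout is the one named above; UserPolicyMode (1 = Merge, 2 = Replace), NoDriveTypeAutoRun and NoControlPanel ("Hide Control Panel" in Florian's text) are the standard policy registry values.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy and ActiveDirectory
# modules; the domain DN, GPO names, sub-OU and computer name are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn     = 'DC=example,DC=local'                          # placeholder domain
$myBusiness   = "OU=MyBusiness,$domainDn"                      # SBS top-level OU
$sbsComputers = "OU=SBSComputers,OU=Computers,$myBusiness"     # SBS computer OU
$sbsUsers     = "OU=SBSUsers,OU=Users,$myBusiness"             # SBS user OU

# 1. One GPO with both halves, linked once at the parent OU (kj's advice).
$both = New-GPO -Name 'Baseline - Users and Computers' `
                -Comment 'Linked at MyBusiness so SBSComputers and SBSUsers both inherit it'

# Computer Configuration half: "Turn off Autoplay" on all drive types (HKLM policy key).
Set-GPRegistryValue -Name $both.DisplayName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null

# User Configuration half: "Prohibit access to Control Panel" (HKCU policy key),
# merged into HKEY_CURRENT_USER at logon, as Florian describes.
Set-GPRegistryValue -Name $both.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

New-GPLink -Name $both.DisplayName -Target $myBusiness -LinkEnabled Yes | Out-Null

# 2. Loopback for a terminal server: a sub-OU under SBSComputers (kj's "move the
#    objects down"), a GPO that turns on loopback (Replace) and carries the user
#    setting to enforce on that machine no matter who logs on (Florian's point).
$tsOu = "OU=TerminalServers,$sbsComputers"                     # placeholder sub-OU
New-ADOrganizationalUnit -Name 'TerminalServers' -Path $sbsComputers
Move-ADObject -Identity (Get-ADComputer 'TS01').DistinguishedName -TargetPath $tsOu  # TS01 = placeholder

$ts = New-GPO -Name 'TS - Loopback user settings'
# Computer Configuration > Admin Templates > System > Group Policy >
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $ts.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# The user-side setting that loopback makes the computer apply.
Set-GPRegistryValue -Name $ts.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $ts.DisplayName -Target $tsOu -LinkEnabled Yes | Out-Null

# 3. Verify scope: both SBS child OUs should now list the baseline GPO among
#    their inherited links, while the loopback GPO appears only under the TS OU.
foreach ($ou in $sbsComputers, $sbsUsers, $tsOu) {
    $inh   = Get-GPInheritance -Target $ou
    $names = @($inh.GpoLinks + $inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName })
    '{0}: {1}' -f $ou, ($names -join ', ')
}
# On the client afterwards: gpupdate /force, then gpresult /r (or /scope:user,
# /scope:computer) to see which half of each GPO was actually processed.
```

Linking at MyBusiness is what makes the user half reach SBSUsers without a second link; loopback is the only way a link under a computer OU will cause user settings to apply, and Replace mode discards the user's own OU policies for that session, so keep it to the terminal-server OU rather than SBSComputers as a whole.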

