Re: Group Policy, Security Groups, and OUs



Thanks, that clears things up.

So, let's say we have three major types of computer--desktop, server, and
terminal server.
Then we have three major types of employees--sales rep, office, and
warehouse.

If we need to apply different policies to different employees based on what
computer they're logging into (or trying to log into), do we need to link
all of our GPs at the domain-level and then use "Security Filtering" by
security groups, then? After all, the lowest common denominator between
users and computers for us is the top-domain-level.

If so, it sounds like our OU plan will be more for show than for group
policy organization, and the real hero will be our security groups. That's
ok, though. A clean appearance is important.

I have read of people applying the Computer half of the GP to the Computer
OU and the User half to the User OU, but that sidesteps the fact that
different users will need different privileges on the Computer OU so you
have to do some user-based filtering on it.


"Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%238S5ZkdFKHA.1340@xxxxxxxxxxxxxxxxxxxxxxx
Eric,

Eric L. wrote:
Let's say you have two top-level OUs--one for all of your domain
computers (OUPCs) and one for all of your domain users (OUEmployees). Now
you create a group policy (GPUsers) that has "computer configuration"
settings and "user configuration" settings. If you link that group policy
to OUEmployees, are the "computer configuration" settings ever going to
be applied? It seems like they wouldn't because there aren't any
computers in OUEmployees.

Yes, your assumption is correct. This is how GP works. Put simply, in
order to evaluate the GPs to apply, the target (either a user or a
computer) checks the appropriate configuration on the GPO and applies it.
Users only apply "User Configuration", computers apply "Computer
Configuration" by default. There's a special mode you can put computers in
(called "Loopback processing mode") that lets computers apply user
settings. But by default, objects only apply their configuration "side" of
a GP.

I would like to hear an answer to this question, and I would love to hear
an explanation. Thank you!

Explanation enough? :-)

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Mailing list (German): http://frickelsoft.net/cms/index.php?page=mailingliste
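
A simplified Python model of the scoping rules discussed in this thread, added here as an illustration and not code from either poster or from Microsoft: it shows that the computer half of GPUsers linked to OUEmployees never applies, and how loopback plus security filtering changes the user side per machine. OUPCs, OUEmployees and GPUsers come from the thread; the child OUs, the second GPO, the groups, the setting names, and the merge-style loopback with filtering evaluated against the user are assumptions of the model.

```python
from dataclasses import dataclass

AUTH = "Authenticated Users"  # default security-filter entry on a new GPO

@dataclass(frozen=True)
class GPO:
    name: str
    linked_ou: str                      # container the GPO is linked to
    computer_settings: tuple = ()
    user_settings: tuple = ()
    apply_groups: frozenset = frozenset({AUTH})  # security filtering

@dataclass(frozen=True)
class Principal:                        # a user or computer account
    name: str
    ou: str
    groups: frozenset = frozenset()

def in_scope(gpo, p):
    """True if the GPO is linked at p's OU or any parent container."""
    return p.ou == gpo.linked_ou or p.ou.startswith(gpo.linked_ou + "/")

def may_apply(gpo, p):
    # Simplification: only the Apply permission is modelled, not Read.
    return bool(gpo.apply_groups & (p.groups | {AUTH}))

def resultant_settings(gpos, user, computer, loopback=False):
    comp = [s for g in gpos if in_scope(g, computer) and may_apply(g, computer)
            for s in g.computer_settings]
    usr = [s for g in gpos if in_scope(g, user) and may_apply(g, user)
           for s in g.user_settings]
    if loopback:  # merge-style: add user side of GPOs scoped to the computer
        usr += [s for g in gpos if in_scope(g, computer) and may_apply(g, user)
                for s in g.user_settings]
    return {"computer": comp, "user": usr}

# Constructed sample data; setting and group names are hypothetical.
GPOS = [
    GPO("GPUsers", "corp/OUEmployees", ("DisableUsbStorage",), ("HideControlPanel",)),
    GPO("GPTerminal", "corp/OUPCs/TerminalServers", (), ("RestrictedDesktop",),
        frozenset({"Warehouse"})),
]
wh = Principal("wh-user", "corp/OUEmployees", frozenset({"Warehouse"}))
office = Principal("office-user", "corp/OUEmployees", frozenset({"Office"}))
pc = Principal("PC01", "corp/OUPCs/Desktops")
ts = Principal("TS01", "corp/OUPCs/TerminalServers")

if __name__ == "__main__":
    for u, c, lb in [(wh, pc, False), (wh, ts, True), (office, ts, True)]:
        print(u.name, c.name, lb, resultant_settings(GPOS, u, c, lb))
```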

