Re: AD and GP - Basic Questions



1: Do Computer Configuration settings only apply to AD Computer accounts?
And do User Configuration settings only apply to AD User Accounts?

Yes, that is correct. However, there is a mode, called loopback processing,
that allows you to apply user settings to computers (for TS/Citrix boxes).


2: Is the idea that Group Policy applies at the lowest level first, and
then higher branches of the tree override those lower levels if there is
a conflict? In other words, with my example, if I had GP in OU1 AND OU1a,
is it correct to say that first OU1a GP applies, and then even though
there are no users in OU1 specifically, does this OU1 GP apply over OU1a,
where any OU1 GP trumps OU1a for any conflicts?

Other way round. The order is LSDOU - Local, Site, Domain, OU. If you have
ou=a,dc=org and ou=b,ou=a,dc=org then policy linked to OU A will apply,
followed by policy on OU B. The last writer wins when there's a conflict,
so B will beat A if there are conflicting settings. Note: Enforced (formerly
No Override) changes this (it reverses it).


My issue relates to Terminal Servers. I'll list them below in case anyone
cares to comment, but I'll also bring them to the TS group. I'm trying
to:
1: Allow only certain users, but not all, to log in multiple times to the
TS. This can be set on the TS itself through the TS Configuration, but
that is for ALL users. But the GP setting "Restrict Terminal Services
Users to a single remote session" is under the "Computer Configuration"
settings in GP. I'm not quite sure how to accomplish my goal using this
method.

You create an OU "Terminal Servers" and create and link a GPO to this.
Define the computer settings in the GPO linked to that OU.


2: In this particular specific-use TS, I'd like to allow all users the
ability to load programs. The only way I know to do that is by making
them part of the local admin group. However, I don't want any of them to
be able to shut down or restart the server. I don't know if I'm able to
restrict this from the admin group, and I'm thinking there's another way
to do this?

A better way is to publish the software to the users. This way they can
only be users and can install published applications. While you can remove
the right to shut down a computer from an admin, an admin can give themselves
that right again. So you can't really take anything away from an admin.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
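As an added illustration of the two answers above (the LSDOU link order and the "create an OU, link a GPO, define the computer settings there" advice), the following PowerShell is not part of the original post. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain DN of DC=example,DC=org, the OU and GPO names shown, and a terminal server computer account named TS01; all of those names are assumptions. The registry value behind "Restrict Terminal Services users to a single remote session" is fSingleSessionPerUser under the Terminal Services policy key.

```powershell
# Added example, not from the original post. Builds the "Terminal Servers" OU,
# links a GPO carrying the Computer Configuration setting from the question,
# moves the TS computer account in, and prints the resulting link order.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=org'        # assumption: your domain's DN
$ouName   = 'Terminal Servers'         # OU name from the reply
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'TS - Computer Settings'   # assumption: GPO name
$tsName   = 'TS01'                     # assumption: terminal server account

# 1. An OU that holds only the terminal server computer accounts, so computer
#    settings linked here cannot reach any other machine.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. A GPO linked to that OU. Computer Configuration settings in it apply to
#    computer accounts in the OU, not to the users who log on.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 3. The setting the question names: "Restrict Terminal Services users to a
#    single remote session" is stored as fSingleSessionPerUser = 1 (REG_DWORD).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fSingleSessionPerUser' -Type DWord -Value 1 | Out-Null

# 4. Move the terminal server's computer account into the OU.
$ts = Get-ADComputer -Identity $tsName
if ($ts.DistinguishedName -notlike "*,$ouDn") {
    Move-ADObject -Identity $ts.DistinguishedName -TargetPath $ouDn
}

# 5. Show every link that reaches the OU (domain, parent OUs, this OU), with
#    its Enforced flag, so the LSDOU precedence described in the reply can be
#    checked before the next policy refresh.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, Enforced, Enabled, DisplayName, Target |
    Format-Table -AutoSize
```

After a `gpupdate /force` on the terminal server, `gpresult /scope computer /r` on that box confirms the GPO was applied under Computer Settings; a user-scoped report will not list it, which is the Computer Configuration versus User Configuration distinction from the first answer. Any link showing Enforced as True in the table wins over lower links regardless of the normal order.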


