Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

GPO - computer versus user settings

Status
Not open for further replies.
cwissy

cwissy

IS-IT--Management
Nov 16, 2003
103
AU
Can anyone explain which I should be using? Or a book on the subject? There are so many settings and so many levels I am at a loss to know which to use! We want to apply polices to users but the policy needs to address computer settings such as background, prevent changes to all sorts of things and lock the desktop, hide C: drive etc. etc.
Has anyone produced a book on this?
 
Sort by date Sort by votes
I'm not sure if anyone has a book on this.

You put the GPO in the user settings when you want the settings to effect that user no matter what machine they log into.

You put the GPO in the computer settings when you want the settings to effect every user that sits at that machine.

Does that help?

Denny

--Anything is possible. All it takes is a little research. (Me)

[noevil]
(My very old site)
 
Upvote 0 Downvote
Yes thanks that helps, I am totally new to this and trying to set up a server 2003 netword, always been Novell so finding it hard to 'forget' the way we did things in Novell and getting my head around MS server 2003

Thanks
 
Upvote 0 Downvote
If you apply to computer, wouldn't you use the GPO on the group of computers that you want to apply it to? This policy I am setting up now is for an OU for year 12 students, in other words users. Do computer based policies work when applying to an OU of users?
 
Upvote 0 Downvote
Hmm thats a good question. But I'll tell you how I did it at my school. OUs can contain anything, any object, such as computers or users or printer etc... I broke down the school into OUs base on operating systems. One OU for XP machines and one OU for 2000 machines. Then I broke it down to locations. So under the XP OU I created another OU called RM105. Its a desktop publishing class so the kids get a litte more freedom. So their user settings are not that restrictive while the computer settings are nonexsistant except for software installation which will install graphics apps everytime a new machine joins the domain. It get pretty complicated at some point but check out this site.

look under Windows 2003 for further help

And this book: Active Directory by O'Reilly
 
Upvote 0 Downvote
Thanks I will do, I am going to try and enrol in a admin type course soon so hopefully I will learn all this stuff
 
Upvote 0 Downvote
Hi cwissy,

Do computer based policies work when applying to an OU of users?
Click to expand...

Computer settings need to be set at the OU containing the computers, then as mrdenny says they effect every user that sits at that machine. If you set them on a users OU they will have no effect as the PC's will not process the policies at start up.
 
Upvote 0 Downvote
Our computers folder is directly under the domain, the OU's are set to divide year levels and campus's, can I 'move' the computers folder to under the campus OU? I am a bit scared to try as we are so short of time and I don't want to destroy anything.
 
Upvote 0 Downvote
Do computer based policies work when applying to an OU of users?"

No, but you might want to look at loopback policy processing. This was pointed out to me on tek-tips a few weeks ago, and have found useful (particularly in a school environment). Basically it allows you to apply user policies on an OU containing computers. When a user logs on to a computer within this OU, you have the option to merge or replace user policy settings inherited from the OU that the user is in.

I realise that the above probably makes little sense, so have a look here:

 
Upvote 0 Downvote
Thanks all, I think I have enough reading to last me a while now, I do appreciate all your help

Chris
 
Upvote 0 Downvote
cwissy...
a bit of advice on OUs...
try not to use too many of them... they are primarily a unit of administration...
If you have too complicated an ou structure, you get caught up in your own organisational trap.

I'm preparing MCPs on Active Directory at the moment, and the books all say don't create OU structure just for the sake of it, but with three reasons in mind:
-delegation of administration,
-hiding objects,
-cant remember.... er...oh yeah... Group policy (had a quick look at my notes...)

key word, be it domain, ou, gpo, site design is: keep it simple, as simple as possible!!

and don't forget, between the FAQs, tektips forums and google, there is all the info you need out there... it's knowing what to look for...


Aftertaf (david)
 
Upvote 0 Downvote
meastaugh1 is right loopback processing is very handy, just beware it still will not allow computer based policies to work when applying to an OU of users. It will however allow User Configuration to effect users when the policy is applied to an OU of computers.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ADB100
  • Locked
  • Question
Single Windows 7 Ultimate workstation not applying Registry, Drive Map or Printers GPO settings
Replies
1
Views
144
technome
technome
DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
270
DrB0b
DrB0b
andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
108
RRankin355
RRankin355
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
96
penguinroundup
penguinroundup
on3mansh0w
  • Locked
  • Question
[HELP] AD GPO not applied unexpectedly
Replies
0
Views
110
on3mansh0w
on3mansh0w

Part and Inventory Search

Sponsor

Back
Top