Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

GPO with user and computer settings

Status
Not open for further replies.

kpeterson

IS-IT--Management
Jun 7, 2005
42
CA
I have a set of laptops that we hand out to people and would like to have them locked down as much as possible. I don't quite understand if you can have user and computer settings configured in the same gpo. The policy is applied to an ou with the floater laptops sitting in that ou. Do I also need the user accounts that will be using the laptop to be in that ou as well? If I look under Security Filtering on the policy it has Authenticaed users which I thought would mean all users that logged onto the laptop. So right now I have a ton of settings applied to that ou but non of them take effect on the laptop. Any help would be great. thanks
 
After you log in on a laptop go to a cmd prompt and type gpresult to see what group policy is being applied.
 
>> I don't quite understand if you can have user and computer settings configured in the same gpo

Yes, you can put both users and groups in the same GPO and then configure Conputer Settings that will only affect the Computer Accounts (ie the laptops) and User Settings that will only affect the users. If you have a GPO with only Computer Accounts in there, then it's best to disable the User Settings of the Policy as this will help speed up policy processing.

>> Do I also need the user accounts that will be using the laptop to be in that ou as well?

If you have policies defined unser User Settings then yes - you will need the accounts to be in there also. When a Computer starts up (laptop, desktop, server, etc) you will see "Applying Computer Settings" - this is where it's enumerating through all of the policies that are in all of the GPO's in's contained in (starting at the Domain Level and drilling down through the GPO's) and applying those policies. Likewise, when a user logs in the computer will starting the same thing - this time looking at all the GPO's that the user is in and applying those settings. The one exception to this rule would be if policy inheritance was blocked.

>> If I look under Security Filtering on the policy it has Authenticaed users which I thought would mean all users that logged onto the laptop

Yes - you're right. This is the default setting. But as you pointed out, if the User Accounts aren't under that OU then the GPO will not affect the user and therefore the policy won't get applied.

>> So right now I have a ton of settings applied to that ou but non of them take effect on the laptop

I presume you mean you have a ton of settings configured under User Settings that aren't getting applied? Do user's logon to these laptops with their own accounts or do you have special pooled accounts for these? If there are specially created pooled accounts, is there any reason why you didn't want to include them under the same OU as the laptop computer accounts? Obviously if users use their own accounts to logon to the laptops, I could understand why you woudln't want to apply certain settings normally because I presume the users will be travelling with the laptops so you want to enable things like offline files etc?

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
Thanks for the fast replys, The users who would be logging on to these laptops would be using their own domain accounts which is why I didnt want to put the users under that ou as well. I dont want to start having users and computers under the same ou but what I should do is seperate the user and computer settings. So I would take the gpo I have made and split it into 2, a user configuration and computer configuration. IF I only want the gpo to effect the user on a certain computer I would remove Authenticated users and add the uername and computer name to Security filtering on the user configuration gpo? So when that user logs onto the floater laptop all the lockdown settings are applied but then they log onto their main computer the lockdown settings are not applied.

I am having a hard time trying to explin what I am thinking so hopefully you understand. Thanks
 
>> The users who would be logging on to these laptops would be using their own domain accounts which is why I didnt want to put the users under that ou as well

That's what I suspected ... makes sense as I'm sure there's settings you want to apply to the users only when they're logged onto the laptops but not when they're logged onto their desktops?

>> IF I only want the gpo to effect the user on a certain computer I would remove Authenticated users and add the uername and computer name to Security filtering on the user configuration gpo?

This will only work if the user account is affected by that particular GPO. Say for example you have the following setup

mydomain.local
+ User Accounts
+ Computer Accounts
+ Laptops

Each OU has it's own GPO applied to it. So the User Accounts have a user Policy and the Computer Accounts have a computer policy. All User Accounts exist in the User Accounts OU and all Computer Accounts exist in the Computer Accounts OU.

Then, in the Laptops OU - you have the computer accounts for all your laptops - but no user accounts. Regardless of security filtering on the Laptops GPO - if there are NO user accounts in there then users will not get any policies from there. They will only get policies applied from the User Accounts GPO and mydomain.local GPO because they are the only OU's where their accounts fall under.

Escentially what you are trying to do is have different policies applied to the same user account depending on which PC they logon to - is that correct? If so then I think you need to look at loopback processing. I've only just discovered it recently myself so I haven't had a chance to play around with it much ... yet !! Here is the link
I'm not at work today but I do plan to look into it a littler more during the week when I get a chance. If I figure out how to do what you're looking for then I'll let you know. It'd probably help me out also. Likewise, if you get it working - be sure to let me know !!


Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
Just read up on this a little now. Sounds like if you leave all the user accounts where they are and enable loopback processing on the GPO that applies to the laptops (probably in replace mode as I presume that's the one you want) then that should be all you need. From what I've read so far it sounds like the User Settings that are configured where the Computer Account resides get applied to any users logging onto those computers. In other words, all those restrictive settings that you created under the Laptops GPO will get applied to users ONLY when they log onto the laptops, and you don't need to move the accounts to do this. Sounds like Merge mode might be quiet slow, as escentially you have to do twice the amount of policy processing. But from what I can tell with Replace mode, the "Normal" user settings (from where the user account lies) do not get applied - because computer settings are applied first, the computer knows that these settings would be replaced anyway so doesn't bother applying them. At least that's what I've read into it.

Have a go and let me know how you get on

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
Hey thanks a lot for the help loopback processing works great, exactly how you said. I can have both user and computer settings applied in the same gpo and applied to one computer and any user who logs on gets those user settings. Thanks again.
 
The best procedure I find is to have a collection OU IE SalesOU, then under that OU, you then have SalesMACHINES and SalesUSERS. That way you can create a single GPO when settings only need to be made for a specific instance, configure both User and Computer settings. Then apply it to the root of the Sales structure which is the SalesOU. Therefore, all objects are contained in manageable containers(ou's), but you have logical management with parent folders.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
So, just to clarify ncotton - you're saying that you create a departmental OU and then create two OU's underneath - one for users and one for computers. But configure all the policies under the actual departmental OU? Would this help kpeterson in any way, or is this just a suggestion for segregating users and machines ? Just curious

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
Yes, that is what Im saying GMail.

It does apply to his situation.

The security filtering will only apply as a filter to anything under the root of the OU you have applied the policy to.

If you apply the GPO at MarkettingOU, but your users are not below that OU, then even if the user specified in the filter logs on, it will not be recognised. As the user acocunts are not in the scope of the GPO. It DOES mean that the Computer settings will only be applied if that user logs on. But because the USER SETTINGS are only applied to USERS in the scope of the policy, the USER SETTINGS will never be applied.




Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top