Question
-
CreatorTopic
-
February 9, 2008 at 8:47 pm #2232459
in a GPO, which takes precedence, user or computer configuration?
Lockedby nonapeptide · about 16 years, 1 month ago
If a setting in the Computer Configuration portion of a GPO conflicts with the setting in the User Configuration portion, which one wins?
Google failed me. :[
Topic is locked -
CreatorTopic
All Answers
-
AuthorReplies
-
-
February 9, 2008 at 8:47 pm #3319429
Clarifications
by nonapeptide · about 16 years, 1 month ago
In reply to in a GPO, which takes precedence, user or computer configuration?
Clarifications
-
February 9, 2008 at 9:56 pm #3319405
well in GPOs neither take precedence
by cg it · about 16 years, 1 month ago
In reply to in a GPO, which takes precedence, user or computer configuration?
because it’s not computer or user config that determines policy settings rather the processing order and parent child OUs.
For instance, if a parent had GP and child doesn’t parent applies to child.
If parent and child both have them and there are no conflicts, child applies. later GPOs apply than earlier ones
If parent and child both have them and there is a conflict child applies. [later GPO applied].
GPO policy settings are also cumulative [if there are no conflicts].
-
February 11, 2008 at 7:41 am #3320371
True enough, but…
by nonapeptide · about 16 years, 1 month ago
In reply to well in GPOs neither take precedence
…I was thinking of the (hopefully) unlikely case where an option in “User Configuration” and its counterpart in “Computer Configuration” were set to conflicting choices in the same GPO.
More of a theoretical question I suppose. It was just something that popped into my (weird) head as I studied up on Active Directory.
-
February 11, 2008 at 12:53 pm #3321854
I thought of that as well…
by cg it · about 16 years, 1 month ago
In reply to True enough, but…
and wanted to go through all the different available settings in both just to see if there might be duplicate settings.
But within the first couple of minutes of comparing, I went blurry eyed.
I didn’t find any MS document that addresses this possibility.
-
February 11, 2008 at 1:51 pm #3321822
Ditto
by nonapeptide · about 16 years, 1 month ago
In reply to I thought of that as well…
I thought about setting up this scenario in my lab, but didn’t think it was worth the time. I posted the question in hopes of finding someone who had experience with this situation.
Of course, if someone actually set conflicting GPO settings in the same GPO, they might better get more sleep or consider a new line of work.
Thanks for rubbing some brain cells together over it though.
-
February 11, 2008 at 4:28 pm #3321766
no problem Non
by cg it · about 16 years, 1 month ago
In reply to Ditto
it’s something I’ve always wondered about and believe it or not it’s on the to do list [carry over from previous years] but way down at the bottom.
I’m not sure MS actually has duplicate settings for computer and users. Be sorta like building in a huge problem.
There is one place to ask and that’s on MS Technet Community Forums. MS tech people regularly post there.
-
February 11, 2008 at 4:57 pm #3321759
Here’s a candidate:
by nonapeptide · about 16 years, 1 month ago
In reply to no problem Non
I just poked through my GP settings on my Vista machine and found some dupes. Try these on for size (not sure if they exist in XP. I’m assuming they do): [Computer Configuration | User Configuration] >> Administrative Templates >> Network >> Offline Files
There’s a few duplicates in there.
Oooh ooh! Found a few more in [Computer Configuration | User Configuration] >> Administrative Templates >> System
There’s probably loads of ’em here and there.
-
February 11, 2008 at 5:04 pm #3321757
well ok I’ll try em out on the test network
by cg it · about 16 years, 1 month ago
In reply to Here’s a candidate:
which runs W2003 Server AD with XP client. Gimme some examples you want to know about and I’ll give it a whirl later on tonight.
Least it will get that pesky to do item off the list once and for all [think it’s been on there for at least 4 years ROFL]
Do a RSOP and see what happens and let you know.
-
February 11, 2008 at 5:57 pm #3321741
Saves me the arduous task of…
by nonapeptide · about 16 years, 1 month ago
In reply to Here’s a candidate:
remoting into the server in my closet and twiddling with AD. It’s so taxing to do these things for one’s self, you know.
The effort I’ve put into posting about it here could have answered the original question and then some. 🙂 Of course, since you’ve offered, I won’t refuse. How about:
[computer configuration | user configuration] >> Administrative templates >> windows components >> Windows Messenger >> Do not allow windows messenger to be run
Enable one and disable the other and we’ll see what happens. Something about an unstoppable force meeting an immovable object comes to mind.
Get the fire extinguisher ready.
-
-
-
February 23, 2008 at 11:33 am #2656301
Solved!
by nonapeptide · about 16 years ago
In reply to in a GPO, which takes precedence, user or computer configuration?
Thanks to the Elder Geek! Computer Configuration always wins out.
http://www.theeldergeek.com/gp06.htm
Still can’t give myself a thumb…
😉
-
February 23, 2008 at 1:35 pm #2656285
-
February 23, 2008 at 2:15 pm #2656272
However, there seems to be an interesting twist…
by nonapeptide · about 16 years ago
In reply to Solved!
I’ve been reading a TechNet Magazine article about the use of offline files and during my investigation I discovered something rather interesting. In the “User Config >> Admin Templates >> Network >> Offline Files” Group Policy settings, I was looking at the “Adminstratively assigned offline files” policy and noticed this little note at the bottom of the explanation tab:
“Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the settings will be combined and all specified files will be available for offline use.”
Hmmm… so apparently some objects will combine both user and computer settings.
The plot thickens.
-
-
-
AuthorReplies