Regarding GPO and who is affected by it

By jon ·
I may be getting a bit confused about who policy is applied to when it is attached to an OU.

For example, if I wanted to apply policy to a group of 7 computers regardless of who logged into those computers, would I drop the computer objects into the organizational unit that is linked to the policy?

Currently I have an OU that has a single user in it. Agents all use the same guest password on those 7 systems to login to the network so I dropped that particular guest user into the OU that contains the linked policy and it works.

Any time a user that is not in that group logs in to one of those machines, the policy applied to the next highest OU relative to that user's location in Active Directory is applied to the login.

Here's a challenge. I would like to apply wallpaper to ALL of the network computers, but disallow those 7 computers from having custom wallpaper unless an authorized user logs in, and for all of the other computers, the wallpaper would show up, but it could be changed if the user wanted it to be changed.

This is a simple example to attempt to grasp this concept.

If I move a computer to an OU, but a user that is in a different OU logs into that computer and each OU has a policy, which policy takes precedence?

If I drop a Security Group into an OU, does the policy linked to that OU apply to the users in that group if the users in that group are already in another OU with a different policy?

Thanks for your help guys...!

by CG IT In reply to Regarding GPO and who is ...

For the 7 computers you want a GPO to apply to, in addition to the default domain Group Policy, you would create an OU [container] in Active Directory Users and Computers/computers OU [nest it], then create your GPO. Apply it to the nested OU.

GPOs are processed in an ordered sequence 1,2,3,4 and so on. You can have 1 to many GPOs for a single OU. The GPO highest in the GPO object list takes precedence [default], with the exception of No Override, in which case the one with No Override takes precedence, meaning anything after does not get applied.

There are command line tools to check GPOs and their effect for users or computers. gpresult will show the resulting set of policies.

See the admin pack for Windows and the tools available.

See Microsoft Technet for administration of Group Policy.


by jon In reply to

It's not the easiest thing to remember who gets what, but using RSoP is saving my life here.

I have one OU for my organization under the domain itself. In that OU I have multiple OU's for various departments. One of them is called Resource Room Workstation Policy. The policy attached to that, if I am correct, will override all prior policies unless otherwise specified by no override.

So, if the wallpaper for the entire domain (linked to the domain itself) is one bitmap, and the bitmap for the organization's main OU is another, the final bitmap applied to the Resource Workstation OU is the one that affects..."which objects in that OU?"

Here's what I'm grasping. If I drop a computer into the Resource Workstation OU, the computer settings in the linked GPO for that OU will precede all other computer settings. If I drop a USER into that OU, the USER settings in the linked GPO will precede all user settings in prior OU's. Does this sound right?

P.S. the unacceptable rating system is screwy...your answer was acceptable...


by CG IT In reply to Regarding GPO and who is ...

Comment from jon@... on 07/28/06:
It's not the easiest thing to remember who gets what, but using RSoP is saving my life here.

I have one OU for my organization under the domain itself. In that OU I have multiple OU's for various departments. One of them is called Resource Room Workstation Policy. The policy attached to that, if I am correct, will override all prior policies unless otherwise specified by no override.

So, if the wallpaper for the entire domain (linked to the domain itself) is one bitmap, and the bitmap for the organization's main OU is another, the final bitmap applied to the Resource Workstation OU is the one that affects..."which objects in that OU?"

Here's what I'm grasping. If I drop a computer into the Resource Workstation OU, the computer settings in the linked GPO for that OU will precede all other computer settings. If I drop a USER into that OU, the USER settings in the linked GPO will precede all user settings in prior OU's. Does this sound right?

P.S. the unacceptable rating system is screwy...your answer was acceptable...


There is an ordered sequence to GPO processing. The highest in the GPO object list takes precedence. This is in addition to the local, site, domain and OU Group Policy order sequence.

So the OU GP takes precedence over all other GPs in the local, site, domain and OU processing list and further, in the OU category, the highest in the object list if there are multiple GPOs applied to an OU. There is parent to child inheritance in nested OUs.

No Override is a trump card.

Hope that helps. The more OUs you have and the more layers of OUs there are, the more GPOs you have applied over the OUs and nested OUs, the more nuts it gets. At least that's what I've found with Group Policies.


by CG IT In reply to

OUs are just containers. So if you have a department where you want wallpaper that is different than any other department's wallpaper, you create a container for that department, drop the computers into that container, create a GPO with the desired wallpaper, apply it to the container and hope like **** there aren't any other GPOs that will affect those settings.
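
The precedence rules discussed in this thread, as an added Python model (not part of any post and not a Microsoft tool). It assumes no loopback processing, Block Inheritance or security filtering; the GPO names, OU layout and `ExampleComputerSetting` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    settings: dict            # {"user" or "computer": {setting: value}}
    order: int = 1            # link order in its container; 1 = highest precedence
    enforced: bool = False    # "No Override" in the thread's terminology

def resultant(chain, side):
    """chain: list of containers from the domain down to the OU holding the
    object; each container is a list of Links. side: "user" or "computer"."""
    normal, enforced = [], []
    for depth, links in enumerate(chain):
        # Link order 1 must be applied last within a container so it wins.
        for link in sorted(links, key=lambda l: -l.order):
            (enforced if link.enforced else normal).append((depth, link))
    # Enforced links are applied after everything else; the one closest to
    # the domain root is applied last, so a child OU cannot override it.
    enforced.sort(key=lambda pair: -pair[0])
    result = {}
    for _, link in normal + enforced:
        for name, value in link.settings.get(side, {}).items():
            result[name] = (value, link.gpo)   # later application overwrites
    return result

# Constructed sample hierarchy: domain -> Org OU -> {Resource Room OU, Staff OU}
def sample(domain_enforced=False):
    domain = [Link("Domain GPO", {"user": {"Wallpaper": "domain.bmp"}},
                   enforced=domain_enforced)]
    org = [Link("Org GPO", {"user": {"Wallpaper": "org.bmp"}})]
    resource = [Link("Resource Room GPO",
                     {"user": {"Wallpaper": "resource.bmp"},
                      "computer": {"ExampleComputerSetting": "on"}})]
    staff = []                # Staff OU has no GPO linked directly
    return {"resource": [domain, org, resource], "staff": [domain, org, staff]}

if __name__ == "__main__":
    s = sample()
    # User settings follow the OU of the user object, not of the computer.
    print("guest user in Resource Room OU:", resultant(s["resource"], "user"))
    print("staff user on a Resource Room PC:", resultant(s["staff"], "user"))
    # Computer settings follow the OU of the computer object.
    print("Resource Room PC, computer side:", resultant(s["resource"], "computer"))
    print("domain link enforced:", resultant(sample(True)["resource"], "user"))
```

On a live domain, gpresult or RSoP, both mentioned in the thread, report the actual applied result, including factors this model leaves out.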
