GPO - Blocking user policies from certain computers

EC

Apr 6, 2004
Archived from groups: microsoft.public.win2000.active_directory

We have implemented a screensaver policy for all of our users.

Is there a way to prevent any USER policies from being applied to a given
computer?
 
Guest

Use loopback processing in "Replace" mode - only the policies that apply to
the computer object will apply:

http://support.microsoft.com/kb/231287/EN-US/

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.
"EC" <X@x.x> wrote in message
news:eg3Rp%23Z$EHA.4004@tk2msftngp13.phx.gbl...
> We have implemented a screensaver policy for all of our users.
>
> Is there a way to prevent any USER policies from being applied to a given
> computer?
 
Guest

EC,

Normally GPOs that are configured for the computer side of things affect the
computer account objects that fall under the Scope of Management of that
GPO. Normally GPOs that are configured for the user configuration side of
things affect the user account objects that fall under the Scope of
Management of that GPO. That is the way things are processed - normally.
When the computer starts up it processes any GPOs that affect it (usually -
but not only - when you create a GPO that is linked to an Organizational
Unit in which that computer account object directly resides). You are then
prompted for a user name and password. Once you supply that information, the
GPOs that affect that particular user account object are processed (again,
usually - but not only - when you create a GPO that is linked to an OU in
which the user account object directly resides).

Now, there are four levels: local, Site, Domain and OU. First the local
GPOs are processed, then the Site level GPOs are processed, then the Domain
level GPOs are processed and finally the OU level GPOs are processed. This
is the pecking order for the computer side and then the user side.

When you create a GPO you can control who is affected by way of security
groups. By default, there is a security group called Authenticated Users
that is granted both the READ and APPLY GROUP POLICY rights. You could use
what is known as Security Filtering to change the SOM. Say, for example,
that you have an OU in which there are 200 user account objects. What if
you want some GPO to apply to only 20 of these user account objects but due
to the way things are set up you can not really move the user account
objects to another OU? Easy, simply create the GPO and link it to that OU.
Now, remove the Authenticated Users from the security tab of that GPO and
replace it with a security group that you have created that contains these
20 user account objects. Done!

But, this is not exactly what you are asking. This is just a little
background on how GPOs are applied / processed.

As Laura mentioned, you would need to make use of the Loopback Processing.
There are two modes: replace and merge. You would want to use replace, as
Laura suggested.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"EC" <X@x.x> wrote in message
news:eg3Rp%23Z$EHA.4004@tk2msftngp13.phx.gbl...
> We have implemented a screensaver policy for all of our users.
>
> Is there a way to prevent any USER policies from being applied to a given
> computer?
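
Added example (not part of any post in this thread): a small Python model of the processing order described above and of the two loopback modes, showing which user-side settings reach a machine in normal, Merge and Replace processing. The GPO names, link levels and setting values are constructed assumptions; security filtering, Block Inheritance and Enforced links are not modelled.

```python
from dataclasses import dataclass, field

ORDER = ["local", "site", "domain", "ou"]  # processing order given in the thread


@dataclass
class GPO:
    name: str
    level: str  # where the GPO is linked: one of ORDER
    user_settings: dict = field(default_factory=dict)


def apply_in_order(gpos):
    """Apply User Configuration settings local -> site -> domain -> OU; last writer wins."""
    result = {}
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g.level)):
        result.update(gpo.user_settings)
    return result


def resultant_user_settings(user_scope, computer_scope, loopback=None):
    """user_scope / computer_scope: GPOs whose links cover the user / computer object."""
    if loopback is None:  # normal processing: follow the user object
        return apply_in_order(user_scope)
    if loopback == "replace":  # user settings come only from the computer's GPOs
        return apply_in_order(computer_scope)
    if loopback == "merge":  # user's GPOs first, computer's last, so they win conflicts
        merged = apply_in_order(user_scope)
        merged.update(apply_in_order(computer_scope))
        return merged
    raise ValueError(f"unknown loopback mode: {loopback!r}")


# Constructed scenario (names, links and values are illustrative assumptions).
baseline = GPO("Domain baseline", "domain", {"ScreenSaveTimeOut": "900"})
screensaver = GPO("Staff screensaver", "ou",
                  {"ScreenSaveActive": "1", "ScreenSaveTimeOut": "600",
                   "ScreenSaverIsSecure": "1"})
kiosk = GPO("Kiosk loopback", "ou", {"ScreenSaveActive": "0"})

USER_SCOPE = [screensaver, baseline]   # domain link + the users' OU
COMPUTER_SCOPE = [kiosk, baseline]     # domain link + the kiosk computer's OU

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resultant_user_settings(USER_SCOPE, COMPUTER_SCOPE, mode))
```

The domain-linked baseline is in scope for both objects, so its user settings still reach the kiosk in Replace mode; only GPOs linked solely along the user's OU path drop out.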
 

EC


Thanks Laura and Cary,

That's what I was looking for.



"EC" <X@x.x> wrote in message
news:eg3Rp%23Z$EHA.4004@tk2msftngp13.phx.gbl...
> We have implemented a screensaver policy for all of our users.
>
> Is there a way to prevent any USER policies from being applied to a given
> computer?
 
Guest

You are welcome!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"EC" <X@x.x> wrote in message
news:%23fokX%23i$EHA.2136@TK2MSFTNGP10.phx.gbl...
> Thanks Laura and Cary,
>
> That's what I was looking for.
>
>
>
> "EC" <X@x.x> wrote in message
> news:eg3Rp%23Z$EHA.4004@tk2msftngp13.phx.gbl...
>> We have implemented a screensaver policy for all of our users.
>>
>> Is there a way to prevent any USER policies from being applied to a given
>> computer?
 
