GPO Question

Archived from groups: microsoft.public.win2000.group_policy

Hi!

I configured some of the settings in the computer configuration (OfficeXP administrative point) and user configuration (don't run this windows application). The "don't run this application" part doesn't work but the computer configuration part is functioning well. Any idea what's the problem? Is it because the same GPO can't have both user and computer configuration configured?

Thanks!
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi David

    The Computer Configuration portion applies to computers that reside in the
    OU to which the GPO is linked. The User Configuration portion applies to
    users that reside in the OU to which the GPO is linked. It sounds like you
    might only have the computer account in the OU and the user is somewhere
    else and as such, not receiving the policy.

    You can run the following at a command prompt to see what is applied and
    from where:

    gpresult /z

    I often output it to a text file and read in notepad

    gpresult /z > gp.txt

    It's useful because (for the computer and the user) it tells you which
    OU you're in, which GPO's were applied, which were filtered out and why, and
    the specific settings effected by policy and which specific GPO they were
    applied from.

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi!

    I don't quite get you on
    "you might only have the computer account in the OU and the user is somewhere
    else and as such, not receiving the policy." For my current config, the objects in that OU are computers, not users. Do you mean I need to create the user name in that OU as well?

    I've tried the gpresult command. The testxp-user GPO is applied. The following is the output:

    The user received "Registry" settings from these GPOs:

    Default Domain Policy


    ###############################################################

    Computer Group Policy results for:

    CN=OIP-DESKTOP-012,OU=TestOU,DC=smcsg,DC=com

    Domain Name: SMCSG
    Domain Type: Windows 2000
    Site Name: 6th-Serangoon


    The computer is a member of the following security groups:

    BUILTIN\Administrators
    \Everyone
    OIP-DESKTOP-012\Debugger Users
    BUILTIN\Users
    SMCSG\OIP-DESKTOP-012$
    SMCSG\Domain Computers
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users

    ###############################################################

    Last time Group Policy was applied: Thursday, July 08, 2004 at 10:27:21 AM
    Group Policy was applied from: smcsg-pdc.smcsg.com


    ===============================================================


    The computer received "Registry" settings from these GPOs:

    Local Group Policy
    Default Domain Policy


    ===============================================================
    The computer received "Security" settings from these GPOs:

    Local Group Policy
    Default Domain Policy


    ===============================================================
    The computer received "EFS recovery" settings from these GPOs:

    Local Group Policy
    Default Domain Policy
    testxp-user


    ===============================================================
    The computer received "Application Management" settings from these GPOs:

    testxp-user


  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi David

    If you only have the computer account in the OU, the User Configuration half
    of the policy won't apply. If you want the User Configuration portion to
    apply to the user who is logging in, that user must reside in that OU.
    Alternatively, don't set User Configuration options in that policy and
    instead create another policy linked to the OU in which the user resides.

    In summary, Computer Configuration only applies to computers and User
    Configuration to users. The computers or users must be in the OU (or in the
    OU hierarchy below) to which the GPO is linked for it to apply.

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi! Got it, thanks!
    Another question, from the output of the gpresult command below:

    The computer received "EFS recovery" settings from these GPOs:
    >
    > Local Group Policy
    > Default Domain Policy
    > testxp-user

    Will there be any effect on the testxp user if I make some setting changes to the Local Group Policy or Default Domain Policy, such as disable Control Panel, while in testxp-user this option is not configured? Will the final result apply the disable Control Panel option?


  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi David

    Referring to:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=D26E88BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en

    ++++++++++++++++++++++

    Group Policy Processing

    As described earlier in this paper, Group Policy is processed in the
    following order: Local Group Policy Object (Local GPO), then GPOs linked to
    containers in this order: site, domain, and organizational units, including
    any nested organizational units (starting with the organizational unit
    further from the user or computer object). This means that the local Group
    Policy Object is processed first, and the organizational unit to which the
    computer or user belongs (the one that it is a direct member of) is
    processed last. All of this is subject to the following conditions:

    - WMI or security filtering that has been applied to GPOs.
    - Any domain-based GPO (not local GPO) may be enforced by using the Enforce
      option so that its policies cannot be overwritten. When more than one GPO
      has been marked as enforced, the GPO that is highest in Active Directory
      hierarchy takes precedence.
    - At any domain or organizational unit, Group Policy inheritance may be
      selectively designated as Block Inheritance. However, blocking inheritance
      does not prevent policy from enforced GPOs from applying; this is because
      enforced GPOs are always applied, and cannot be blocked.

    Note: Every computer has a single local GPO that is always processed
    regardless of whether the computer is part of a domain or is a stand-alone
    computer. The Local GPO can't be blocked by domain-based GPOs. However,
    settings in domain GPOs always take precedence since they are processed
    after the Local GPO.

    ++++++++++++++++++++++

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.


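Added example (not part of the original thread, and not Microsoft code): a small Python model of the processing rules quoted in the last reply and of the user/computer scoping rule from the earlier reply, using this thread's names. The user's own OU (`OU=Staff`), the setting labels and the Control Panel setting in the Default Domain Policy are assumptions for illustration; link order within a single container is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings

@dataclass
class Container:
    """A site, domain or OU with its GPO links as (GPO, enforced) pairs."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def gpo_order(local, chain):
    """Return the GPOs that apply, lowest precedence first.

    chain holds the containers above the object in processing order:
    site, domain, then OUs from the furthest to the one holding the object.
    """
    # Block Inheritance discards non-enforced links from containers above it.
    # The Local GPO is always processed and is never blocked.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [local], []
    for i, container in enumerate(chain):
        for gpo, is_enforced in container.links:
            if is_enforced:
                enforced.append(gpo)
            elif i >= start:
                normal.append(gpo)
    # Enforced GPOs win over everything; the highest in the hierarchy is applied last.
    return normal + enforced[::-1]

def effective(local, chain, side):
    """Merge one side ('computer' or 'user'); a later GPO overwrites an earlier one.

    A setting left "Not configured" is simply absent from the GPO's dict.
    Returns {setting: (value, name of the GPO that supplied it)}.
    """
    result = {}
    for gpo in gpo_order(local, chain):
        for setting, value in getattr(gpo, side).items():
            result[setting] = (value, gpo.name)
    return result

# Constructed data: names from the thread, setting labels are illustrative.
local = GPO("Local Group Policy")
ddp = GPO("Default Domain Policy", user={"Prohibit Control Panel": "Enabled"})
testxp = GPO("testxp-user",
             computer={"Office XP template setting": "Enabled"},
             user={"Don't run specified applications": "Enabled"})
site = Container("6th-Serangoon")
domain = Container("DC=smcsg,DC=com", links=[(ddp, False)])
test_ou = Container("OU=TestOU", links=[(testxp, False)])
other_ou = Container("OU=Staff")  # assumption: where the user account lives

def scenario():
    """Computer in TestOU; user first outside TestOU, then moved into it."""
    computer = effective(local, [site, domain, test_ou], "computer")
    user_elsewhere = effective(local, [site, domain, other_ou], "user")
    user_in_test_ou = effective(local, [site, domain, test_ou], "user")
    return computer, user_elsewhere, user_in_test_ou

def blocked_user(enforce_domain_link):
    """User in TestOU when TestOU has Block Inheritance set."""
    dom = Container("DC=smcsg,DC=com", links=[(ddp, enforce_domain_link)])
    ou = Container("OU=TestOU", links=[(testxp, False)], block_inheritance=True)
    return effective(local, [site, dom, ou], "user")

if __name__ == "__main__":
    for label, result in zip(("computer", "user outside TestOU", "user in TestOU"),
                             scenario()):
        print(label, "->", result)
    print("blocked, domain link not enforced ->", blocked_user(False))
    print("blocked, domain link enforced     ->", blocked_user(True))
```
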