Sign in with
Sign up | Sign in
Your question

GPO Question

Last response: in Windows 2000/NT
Share
July 7, 2004 11:57:01 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

hi!

I configured some of the settings in the computer configuration(OfficeXP administrative point) and user configuration(don't run this windows application). The don't run this application part doesn't work but the computer configuration part is functioning well. Any idea what's the problem? is it becoz the same GPO can't have both user and computer configuration configured?

Thks!

More about : gpo question

Anonymous
July 8, 2004 12:51:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi David

The Computer Configuration portion applies to computers that reside in the
OU to which the GPO is linked. The User Configuration portion applies to
users that reside in the OU to which the GPO is linked. It sounds like you
might only have the computer account in the OU and the user is somewhere
else and as such, not receiving the policy.

You can run the following at a command prompt to see what is applied and
from where:

gpresult /z

I often output it to a text file and read in notepad

gpresult /z > gp.txt

It's useful because (for the computer and the user) it tells you which which
OU you're in, which GPO's were applied, which were filtered out and why, and
the specific settings effected by policy and which specific GPO they were
applied from.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"David" <David@discussions.microsoft.com> wrote in message
news:4E5D2F4C-2E59-42B8-BDC4-11E1DF0D78EF@microsoft.com...
> hi!
>
> I configured some of the settings in the computer configuration(OfficeXP
> administrative point) and user configuration(don't run this windows
> application). The don't run this application part doesn't work but the
> computer configuration part is functioning well. Any idea what's the
> problem? is it becoz the same GPO can't have both user and computer
> configuration configured?
>
> Thks!
July 8, 2004 12:51:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

hi!

i don't quite get you on
"you might only have the computer account in the OU and the user is somewhere
else and as such, not receiving the policy." For my current config, the objects in that OU are computer not user. Do, you meant i need to ceate the user name in that OU as well?

I've tried the gpresult command. The testxp-user gpo is applied. Followings is the output :

he user received "Registry" settings from these GPOs:

Default Domain Policy



###############################################################

Computer Group Policy results for:

CN=OIP-DESKTOP-012,OU=TestOU,DC=smcsg,DC=com

Domain Name: SMCSG
Domain Type: Windows 2000
Site Name: 6th-Serangoon


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
OIP-DESKTOP-012\Debugger Users
BUILTIN\Users
SMCSG\OIP-DESKTOP-012$
SMCSG\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Thursday, July 08, 2004 at 10:27:21 AM
Group Policy was applied from: smcsg-pdc.smcsg.com


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy
Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
Default Domain Policy
testxp-user


===============================================================
The computer received "Application Management" settings from these GPOs:

testxp-user


"Mark Renoden [MSFT]" wrote:

> Hi David
>
> The Computer Configuration portion applies to computers that reside in the
> OU to which the GPO is linked. The User Configuration portion applies to
> users that reside in the OU to which the GPO is linked. It sounds like you
> might only have the computer account in the OU and the user is somewhere
> else and as such, not receiving the policy.
>
> You can run the following at a command prompt to see what is applied and
> from where:
>
> gpresult /z
>
> I often output it to a text file and read in notepad
>
> gpresult /z > gp.txt
>
> It's useful because (for the computer and the user) it tells you which which
> OU you're in, which GPO's were applied, which were filtered out and why, and
> the specific settings effected by policy and which specific GPO they were
> applied from.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "David" <David@discussions.microsoft.com> wrote in message
> news:4E5D2F4C-2E59-42B8-BDC4-11E1DF0D78EF@microsoft.com...
> > hi!
> >
> > I configured some of the settings in the computer configuration(OfficeXP
> > administrative point) and user configuration(don't run this windows
> > application). The don't run this application part doesn't work but the
> > computer configuration part is functioning well. Any idea what's the
> > problem? is it becoz the same GPO can't have both user and computer
> > configuration configured?
> >
> > Thks!
>
>
>
Related resources
Can't find your answer ? Ask !
Anonymous
July 9, 2004 11:55:35 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi David

If you only have the computer account in the OU, the User Configuration half
of the policy won't apply. If you want the User Configuration portion to
apply to the user who is logging in, that user must reside in that OU.
Alternatively, don't set User Configuration options in that policy and
instead create another policy linked to the OU in which the user resides.

In summary, Computer Configuration only applies to computers and User
Configuration to users. The computers or users must be in the OU (or in the
OU heirarchy below) to which the GPO is linked for it to apply.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"David" <David@discussions.microsoft.com> wrote in message
news:CF554F40-71C1-420E-9EEC-9CF79FF5F234@microsoft.com...
> hi!
>
> i don't quite get you on
> "you might only have the computer account in the OU and the user is
> somewhere
> else and as such, not receiving the policy." For my current config, the
> objects in that OU are computer not user. Do, you meant i need to ceate
> the user name in that OU as well?
>
> I've tried the gpresult command. The testxp-user gpo is applied.
> Followings is the output :
>
> he user received "Registry" settings from these GPOs:
>
> Default Domain Policy
>
>
>
> ###############################################################
>
> Computer Group Policy results for:
>
> CN=OIP-DESKTOP-012,OU=TestOU,DC=smcsg,DC=com
>
> Domain Name: SMCSG
> Domain Type: Windows 2000
> Site Name: 6th-Serangoon
>
>
> The computer is a member of the following security groups:
>
> BUILTIN\Administrators
> \Everyone
> OIP-DESKTOP-012\Debugger Users
> BUILTIN\Users
> SMCSG\OIP-DESKTOP-012$
> SMCSG\Domain Computers
> NT AUTHORITY\NETWORK
> NT AUTHORITY\Authenticated Users
>
> ###############################################################
>
> Last time Group Policy was applied: Thursday, July 08, 2004 at 10:27:21 AM
> Group Policy was applied from: smcsg-pdc.smcsg.com
>
>
> ===============================================================
>
>
> The computer received "Registry" settings from these GPOs:
>
> Local Group Policy
> Default Domain Policy
>
>
> ===============================================================
> The computer received "Security" settings from these GPOs:
>
> Local Group Policy
> Default Domain Policy
>
>
> ===============================================================
> The computer received "EFS recovery" settings from these GPOs:
>
> Local Group Policy
> Default Domain Policy
> testxp-user
>
>
> ===============================================================
> The computer received "Application Management" settings from these GPOs:
>
> testxp-user
>
>
> "Mark Renoden [MSFT]" wrote:
>
>> Hi David
>>
>> The Computer Configuration portion applies to computers that reside in
>> the
>> OU to which the GPO is linked. The User Configuration portion applies to
>> users that reside in the OU to which the GPO is linked. It sounds like
>> you
>> might only have the computer account in the OU and the user is somewhere
>> else and as such, not receiving the policy.
>>
>> You can run the following at a command prompt to see what is applied and
>> from where:
>>
>> gpresult /z
>>
>> I often output it to a text file and read in notepad
>>
>> gpresult /z > gp.txt
>>
>> It's useful because (for the computer and the user) it tells you which
>> which
>> OU you're in, which GPO's were applied, which were filtered out and why,
>> and
>> the specific settings effected by policy and which specific GPO they were
>> applied from.
>>
>> Kind regards
>> --
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: markreno@online.microsoft.com
>>
>> Please note you'll need to strip ".online" from my email address to email
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "David" <David@discussions.microsoft.com> wrote in message
>> news:4E5D2F4C-2E59-42B8-BDC4-11E1DF0D78EF@microsoft.com...
>> > hi!
>> >
>> > I configured some of the settings in the computer
>> > configuration(OfficeXP
>> > administrative point) and user configuration(don't run this windows
>> > application). The don't run this application part doesn't work but the
>> > computer configuration part is functioning well. Any idea what's the
>> > problem? is it becoz the same GPO can't have both user and computer
>> > configuration configured?
>> >
>> > Thks!
>>
>>
>>
July 9, 2004 11:55:36 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

hi! Got it Thks!
another question is that from the output of the gpresult command below

The computer received "EFS recovery" settings from these GPOs:
>
> Local Group Policy
> Default Domain Policy
> testxp-user

Will there be any effect to the testxp user if i made some settings changes to the Local group policy or default domain policy such as diable control panel, but in testsp-user this option is not configured. The final result will it apply the disable control panel option?


"Mark Renoden [MSFT]" wrote:

> Hi David
>
> If you only have the computer account in the OU, the User Configuration half
> of the policy won't apply. If you want the User Configuration portion to
> apply to the user who is logging in, that user must reside in that OU.
> Alternatively, don't set User Configuration options in that policy and
> instead create another policy linked to the OU in which the user resides.
>
> In summary, Computer Configuration only applies to computers and User
> Configuration to users. The computers or users must be in the OU (or in the
> OU heirarchy below) to which the GPO is linked for it to apply.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "David" <David@discussions.microsoft.com> wrote in message
> news:CF554F40-71C1-420E-9EEC-9CF79FF5F234@microsoft.com...
> > hi!
> >
> > i don't quite get you on
> > "you might only have the computer account in the OU and the user is
> > somewhere
> > else and as such, not receiving the policy." For my current config, the
> > objects in that OU are computer not user. Do, you meant i need to ceate
> > the user name in that OU as well?
> >
> > I've tried the gpresult command. The testxp-user gpo is applied.
> > Followings is the output :
> >
> > he user received "Registry" settings from these GPOs:
> >
> > Default Domain Policy
> >
> >
> >
> > ###############################################################
> >
> > Computer Group Policy results for:
> >
> > CN=OIP-DESKTOP-012,OU=TestOU,DC=smcsg,DC=com
> >
> > Domain Name: SMCSG
> > Domain Type: Windows 2000
> > Site Name: 6th-Serangoon
> >
> >
> > The computer is a member of the following security groups:
> >
> > BUILTIN\Administrators
> > \Everyone
> > OIP-DESKTOP-012\Debugger Users
> > BUILTIN\Users
> > SMCSG\OIP-DESKTOP-012$
> > SMCSG\Domain Computers
> > NT AUTHORITY\NETWORK
> > NT AUTHORITY\Authenticated Users
> >
> > ###############################################################
> >
> > Last time Group Policy was applied: Thursday, July 08, 2004 at 10:27:21 AM
> > Group Policy was applied from: smcsg-pdc.smcsg.com
> >
> >
> > ===============================================================
> >
> >
> > The computer received "Registry" settings from these GPOs:
> >
> > Local Group Policy
> > Default Domain Policy
> >
> >
> > ===============================================================
> > The computer received "Security" settings from these GPOs:
> >
> > Local Group Policy
> > Default Domain Policy
> >
> >
> > ===============================================================
> > The computer received "EFS recovery" settings from these GPOs:
> >
> > Local Group Policy
> > Default Domain Policy
> > testxp-user
> >
> >
> > ===============================================================
> > The computer received "Application Management" settings from these GPOs:
> >
> > testxp-user
> >
> >
> > "Mark Renoden [MSFT]" wrote:
> >
> >> Hi David
> >>
> >> The Computer Configuration portion applies to computers that reside in
> >> the
> >> OU to which the GPO is linked. The User Configuration portion applies to
> >> users that reside in the OU to which the GPO is linked. It sounds like
> >> you
> >> might only have the computer account in the OU and the user is somewhere
> >> else and as such, not receiving the policy.
> >>
> >> You can run the following at a command prompt to see what is applied and
> >> from where:
> >>
> >> gpresult /z
> >>
> >> I often output it to a text file and read in notepad
> >>
> >> gpresult /z > gp.txt
> >>
> >> It's useful because (for the computer and the user) it tells you which
> >> which
> >> OU you're in, which GPO's were applied, which were filtered out and why,
> >> and
> >> the specific settings effected by policy and which specific GPO they were
> >> applied from.
> >>
> >> Kind regards
> >> --
> >> Mark Renoden [MSFT]
> >> Windows Platform Support Team
> >> Email: markreno@online.microsoft.com
> >>
> >> Please note you'll need to strip ".online" from my email address to email
> >> me; I'll post a response back to the group.
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "David" <David@discussions.microsoft.com> wrote in message
> >> news:4E5D2F4C-2E59-42B8-BDC4-11E1DF0D78EF@microsoft.com...
> >> > hi!
> >> >
> >> > I configured some of the settings in the computer
> >> > configuration(OfficeXP
> >> > administrative point) and user configuration(don't run this windows
> >> > application). The don't run this application part doesn't work but the
> >> > computer configuration part is functioning well. Any idea what's the
> >> > problem? is it becoz the same GPO can't have both user and computer
> >> > configuration configured?
> >> >
> >> > Thks!
> >>
> >>
> >>
>
>
>
Anonymous
July 12, 2004 12:49:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi David

Referring to:

http://www.microsoft.com/downloads/details.aspx?FamilyI...

++++++++++++++++++++++

Group Policy Processing

As described earlier in this paper, Group Policy is processed in the
following order: Local Group Policy Object (Local GPO), then GPOs linked to
containers in this order: site, domain, and organizational units, including
any nested organizational units (starting with the organizational unit
further from the user or computer object). This means that the local Group
Policy Object is processed first, and the organizational unit to which the
computer or user belongs (the one that it is a direct member of) is
processed last. All of this is subject to the following conditions:

.. WMI or security filtering that has been applied to GPOs.
.. Any domain-based GPO (not local GPO) may be enforced by using the Enforce
option so that its policies cannot be overwritten. When more than one GPO
has been marked as enforced, the GPO that is highest in Active Directory
hierarchy takes precedence.
.. At any domain or organizational unit, Group Policy inheritance may be
selectively designated as Block Inheritance. However, blocking inheritance
does not prevent policy from enforced GPOs from applying; this is because
enforced GPOs are always applied, and cannot be blocked.

Note: Every computer has a single local GPO that is always processed
regardless of whether the computer is part of a domain or is a stand-alone
computer. The Local GPO can't be blocked by domain-based GPOs. However,
settings in domain GPOs always take precedence since they are processed
after the Local GPO.

++++++++++++++++++++++

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.



"David" <David@discussions.microsoft.com> wrote in message
news:603E70F9-0D7E-4A3E-8338-90F6078E0350@microsoft.com...
> hi! Got it Thks!
> another question is that from the output of the gpresult command below
>
> The computer received "EFS recovery" settings from these GPOs:
>>
>> Local Group Policy
>> Default Domain Policy
>> testxp-user
>
> Will there be any effect to the testxp user if i made some settings
> changes to the Local group policy or default domain policy such as diable
> control panel, but in testsp-user this option is not configured. The final
> result will it apply the disable control panel option?
>
>
> "Mark Renoden [MSFT]" wrote:
>
>> Hi David
>>
>> If you only have the computer account in the OU, the User Configuration
>> half
>> of the policy won't apply. If you want the User Configuration portion to
>> apply to the user who is logging in, that user must reside in that OU.
>> Alternatively, don't set User Configuration options in that policy and
>> instead create another policy linked to the OU in which the user resides.
>>
>> In summary, Computer Configuration only applies to computers and User
>> Configuration to users. The computers or users must be in the OU (or in
>> the
>> OU heirarchy below) to which the GPO is linked for it to apply.
>>
>> Kind regards
>> --
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: markreno@online.microsoft.com
>>
>> Please note you'll need to strip ".online" from my email address to email
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "David" <David@discussions.microsoft.com> wrote in message
>> news:CF554F40-71C1-420E-9EEC-9CF79FF5F234@microsoft.com...
>> > hi!
>> >
>> > i don't quite get you on
>> > "you might only have the computer account in the OU and the user is
>> > somewhere
>> > else and as such, not receiving the policy." For my current config, the
>> > objects in that OU are computer not user. Do, you meant i need to ceate
>> > the user name in that OU as well?
>> >
>> > I've tried the gpresult command. The testxp-user gpo is applied.
>> > Followings is the output :
>> >
>> > he user received "Registry" settings from these GPOs:
>> >
>> > Default Domain Policy
>> >
>> >
>> >
>> > ###############################################################
>> >
>> > Computer Group Policy results for:
>> >
>> > CN=OIP-DESKTOP-012,OU=TestOU,DC=smcsg,DC=com
>> >
>> > Domain Name: SMCSG
>> > Domain Type: Windows 2000
>> > Site Name: 6th-Serangoon
>> >
>> >
>> > The computer is a member of the following security groups:
>> >
>> > BUILTIN\Administrators
>> > \Everyone
>> > OIP-DESKTOP-012\Debugger Users
>> > BUILTIN\Users
>> > SMCSG\OIP-DESKTOP-012$
>> > SMCSG\Domain Computers
>> > NT AUTHORITY\NETWORK
>> > NT AUTHORITY\Authenticated Users
>> >
>> > ###############################################################
>> >
>> > Last time Group Policy was applied: Thursday, July 08, 2004 at 10:27:21
>> > AM
>> > Group Policy was applied from: smcsg-pdc.smcsg.com
>> >
>> >
>> > ===============================================================
>> >
>> >
>> > The computer received "Registry" settings from these GPOs:
>> >
>> > Local Group Policy
>> > Default Domain Policy
>> >
>> >
>> > ===============================================================
>> > The computer received "Security" settings from these GPOs:
>> >
>> > Local Group Policy
>> > Default Domain Policy
>> >
>> >
>> > ===============================================================
>> > The computer received "EFS recovery" settings from these GPOs:
>> >
>> > Local Group Policy
>> > Default Domain Policy
>> > testxp-user
>> >
>> >
>> > ===============================================================
>> > The computer received "Application Management" settings from these
>> > GPOs:
>> >
>> > testxp-user
>> >
>> >
>> > "Mark Renoden [MSFT]" wrote:
>> >
>> >> Hi David
>> >>
>> >> The Computer Configuration portion applies to computers that reside in
>> >> the
>> >> OU to which the GPO is linked. The User Configuration portion applies
>> >> to
>> >> users that reside in the OU to which the GPO is linked. It sounds
>> >> like
>> >> you
>> >> might only have the computer account in the OU and the user is
>> >> somewhere
>> >> else and as such, not receiving the policy.
>> >>
>> >> You can run the following at a command prompt to see what is applied
>> >> and
>> >> from where:
>> >>
>> >> gpresult /z
>> >>
>> >> I often output it to a text file and read in notepad
>> >>
>> >> gpresult /z > gp.txt
>> >>
>> >> It's useful because (for the computer and the user) it tells you which
>> >> which
>> >> OU you're in, which GPO's were applied, which were filtered out and
>> >> why,
>> >> and
>> >> the specific settings effected by policy and which specific GPO they
>> >> were
>> >> applied from.
>> >>
>> >> Kind regards
>> >> --
>> >> Mark Renoden [MSFT]
>> >> Windows Platform Support Team
>> >> Email: markreno@online.microsoft.com
>> >>
>> >> Please note you'll need to strip ".online" from my email address to
>> >> email
>> >> me; I'll post a response back to the group.
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >> "David" <David@discussions.microsoft.com> wrote in message
>> >> news:4E5D2F4C-2E59-42B8-BDC4-11E1DF0D78EF@microsoft.com...
>> >> > hi!
>> >> >
>> >> > I configured some of the settings in the computer
>> >> > configuration(OfficeXP
>> >> > administrative point) and user configuration(don't run this windows
>> >> > application). The don't run this application part doesn't work but
>> >> > the
>> >> > computer configuration part is functioning well. Any idea what's the
>> >> > problem? is it becoz the same GPO can't have both user and computer
>> >> > configuration configured?
>> >> >
>> >> > Thks!
>> >>
>> >>
>> >>
>>
>>
>>
!