Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Hi David
Referring to:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D26E88BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en
++++++++++++++++++++++
Group Policy Processing
As described earlier in this paper, Group Policy is processed in the
following order: Local Group Policy Object (Local GPO), then GPOs linked to
containers in this order: site, domain, and organizational units, including
any nested organizational units (starting with the organizational unit
further from the user or computer object). This means that the local Group
Policy Object is processed first, and the organizational unit to which the
computer or user belongs (the one that it is a direct member of) is
processed last. All of this is subject to the following conditions:
.. WMI or security filtering that has been applied to GPOs.
.. Any domain-based GPO (not local GPO) may be enforced by using the Enforce
option so that its policies cannot be overwritten. When more than one GPO
has been marked as enforced, the GPO that is highest in Active Directory
hierarchy takes precedence.
.. At any domain or organizational unit, Group Policy inheritance may be
selectively designated as Block Inheritance. However, blocking inheritance
does not prevent policy from enforced GPOs from applying; this is because
enforced GPOs are always applied, and cannot be blocked.
Note: Every computer has a single local GPO that is always processed
regardless of whether the computer is part of a domain or is a stand-alone
computer. The Local GPO can't be blocked by domain-based GPOs. However,
settings in domain GPOs always take precedence since they are processed
after the Local GPO.
++++++++++++++++++++++
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"David" <David@discussions.microsoft.com> wrote in message
news:603E70F9-0D7E-4A3E-8338-90F6078E0350@microsoft.com...
> hi! Got it Thks!
> another question is that from the output of the gpresult command below
>
> The computer received "EFS recovery" settings from these GPOs:
>>
>> Local Group Policy
>> Default Domain Policy
>> testxp-user
>
> Will there be any effect to the testxp user if i made some settings
> changes to the Local group policy or default domain policy such as diable
> control panel, but in testsp-user this option is not configured. The final
> result will it apply the disable control panel option?
>
>
> "Mark Renoden [MSFT]" wrote:
>
>> Hi David
>>
>> If you only have the computer account in the OU, the User Configuration
>> half
>> of the policy won't apply. If you want the User Configuration portion to
>> apply to the user who is logging in, that user must reside in that OU.
>> Alternatively, don't set User Configuration options in that policy and
>> instead create another policy linked to the OU in which the user resides.
>>
>> In summary, Computer Configuration only applies to computers and User
>> Configuration to users. The computers or users must be in the OU (or in
>> the
>> OU heirarchy below) to which the GPO is linked for it to apply.
>>
>> Kind regards
>> --
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: markreno@online.microsoft.com
>>
>> Please note you'll need to strip ".online" from my email address to email
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "David" <David@discussions.microsoft.com> wrote in message
>> news:CF554F40-71C1-420E-9EEC-9CF79FF5F234@microsoft.com...
>> > hi!
>> >
>> > i don't quite get you on
>> > "you might only have the computer account in the OU and the user is
>> > somewhere
>> > else and as such, not receiving the policy." For my current config, the
>> > objects in that OU are computer not user. Do, you meant i need to ceate
>> > the user name in that OU as well?
>> >
>> > I've tried the gpresult command. The testxp-user gpo is applied.
>> > Followings is the output :
>> >
>> > he user received "Registry" settings from these GPOs:
>> >
>> > Default Domain Policy
>> >
>> >
>> >
>> > ###############################################################
>> >
>> > Computer Group Policy results for:
>> >
>> > CN=OIP-DESKTOP-012,OU=TestOU,DC=smcsg,DC=com
>> >
>> > Domain Name: SMCSG
>> > Domain Type: Windows 2000
>> > Site Name: 6th-Serangoon
>> >
>> >
>> > The computer is a member of the following security groups:
>> >
>> > BUILTIN\Administrators
>> > \Everyone
>> > OIP-DESKTOP-012\Debugger Users
>> > BUILTIN\Users
>> > SMCSG\OIP-DESKTOP-012$
>> > SMCSG\Domain Computers
>> > NT AUTHORITY\NETWORK
>> > NT AUTHORITY\Authenticated Users
>> >
>> > ###############################################################
>> >
>> > Last time Group Policy was applied: Thursday, July 08, 2004 at 10:27:21
>> > AM
>> > Group Policy was applied from: smcsg-pdc.smcsg.com
>> >
>> >
>> > ===============================================================
>> >
>> >
>> > The computer received "Registry" settings from these GPOs:
>> >
>> > Local Group Policy
>> > Default Domain Policy
>> >
>> >
>> > ===============================================================
>> > The computer received "Security" settings from these GPOs:
>> >
>> > Local Group Policy
>> > Default Domain Policy
>> >
>> >
>> > ===============================================================
>> > The computer received "EFS recovery" settings from these GPOs:
>> >
>> > Local Group Policy
>> > Default Domain Policy
>> > testxp-user
>> >
>> >
>> > ===============================================================
>> > The computer received "Application Management" settings from these
>> > GPOs:
>> >
>> > testxp-user
>> >
>> >
>> > "Mark Renoden [MSFT]" wrote:
>> >
>> >> Hi David
>> >>
>> >> The Computer Configuration portion applies to computers that reside in
>> >> the
>> >> OU to which the GPO is linked. The User Configuration portion applies
>> >> to
>> >> users that reside in the OU to which the GPO is linked. It sounds
>> >> like
>> >> you
>> >> might only have the computer account in the OU and the user is
>> >> somewhere
>> >> else and as such, not receiving the policy.
>> >>
>> >> You can run the following at a command prompt to see what is applied
>> >> and
>> >> from where:
>> >>
>> >> gpresult /z
>> >>
>> >> I often output it to a text file and read in notepad
>> >>
>> >> gpresult /z > gp.txt
>> >>
>> >> It's useful because (for the computer and the user) it tells you which
>> >> which
>> >> OU you're in, which GPO's were applied, which were filtered out and
>> >> why,
>> >> and
>> >> the specific settings effected by policy and which specific GPO they
>> >> were
>> >> applied from.
>> >>
>> >> Kind regards
>> >> --
>> >> Mark Renoden [MSFT]
>> >> Windows Platform Support Team
>> >> Email: markreno@online.microsoft.com
>> >>
>> >> Please note you'll need to strip ".online" from my email address to
>> >> email
>> >> me; I'll post a response back to the group.
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >> "David" <David@discussions.microsoft.com> wrote in message
>> >> news:4E5D2F4C-2E59-42B8-BDC4-11E1DF0D78EF@microsoft.com...
>> >> > hi!
>> >> >
>> >> > I configured some of the settings in the computer
>> >> > configuration(OfficeXP
>> >> > administrative point) and user configuration(don't run this windows
>> >> > application). The don't run this application part doesn't work but
>> >> > the
>> >> > computer configuration part is functioning well. Any idea what's the
>> >> > problem? is it becoz the same GPO can't have both user and computer
>> >> > configuration configured?
>> >> >
>> >> > Thks!
>> >>
>> >>
>> >>
>>
>>
>>
Facebook
Twitter
Instagram