Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (
More info?)
Thank you, you have been a great help.
Mike
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eDLPxS3qEHA.2948@TK2MSFTNGP11.phx.gbl...
> The only role of groups for triggering GPO application
> is security group filtering, which is the use of the group
> to grant read and apply permissions to the GPO.
> A group in an OU never has any meaning relative to
> application of GPO.
> I was imprecise in the mention of loopback processing.
> In a GPO's computer section, under Group Policy (dig in)
> you will find policy to enable loopback processing. When
> enabled, and GPO is linked to OU containing the computer
> object (so computer section is applied), then if the user
> that is logging in is a member of a group granted read and
> apply (or is granted directly) then the User section will be
> processed even though the user object is not within the OU.
> --
> Roger
> "Mike" <mrfaber@att.net> wrote in message
> news:ubJfPnuqEHA.3868@TK2MSFTNGP15.phx.gbl...
>> Thank you for the response.
>>
>> You mentioned that placing a security group into the OU has no effect on
> the
>> procession of GPO. What about distribution groups? Can I assign
>> users/computers to a distribution group that is in the OU even if the
> actual
>> user object is not in the OU? Also, where is the loopback processing
> policy
>> located? Does loopback processing allow a computer to trigger the user
>> config also?
>>
>> Mike
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:%23oBiOjuqEHA.3700@TK2MSFTNGP15.phx.gbl...
>> >A GPO consists of a Computer portion and a User portion,
>> > each with many policies.
>> > A GPO linked to an OU will apply User settings to User
>> > account objects in that OU, and will apply Computer settings
>> > to computer objects in that OU.
>> > Placing a security group into the OU has no effect on the
>> > procession of GPO.
>> > The above application of computer and user settings can be
>> > modified by the use of loopback processing so that the
>> > computer portion may be applied when triggered by a user
>> > object being subjected to the GPO.
>> > Also, the above computer and user settings application can
>> > be restricted to only some of the computer or the user objects
>> > in the OU by use of a security group to filter to what objects
>> > the GPO is applied, but in this case those objects still need
>> > to be placed within the scope of the GPO's management.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Server System: Security)
>> > MCSE (W2k3,W2k,Nt4) MCDBA
>> > "Mike" <mrfaber@att.net> wrote in message
>> > news:%23P5bOcuqEHA.3728@TK2MSFTNGP09.phx.gbl...
>> >> Hello,
>> >>
>> >> I have been messing around with group policy a little, and have a few
>> > basic
>> >> questions.
>> >>
>> >> First, I have created a new OU wiht an attached GP. Do I need the
> users
>> > to
>> >> be in this container to apply the group policy to them, or can I just
>> >> have
>> > a
>> >> security/distribution group in the OU with members from the Users OU.
>> >>
>> >> Second, If I assign a user to an OU will only the user config apply
> from
>> > the
>> >> GP, or will the computer config apply to whatever computer the user is
>> >> logged onto also. I am having trouble applying the computer config
>> >> unless
>> > I
>> >> add the computer object into the OU.
>> >>
>> >> Mike
>> >>
>> >>
>> >
>> >
>>
>>
>
>