user settings not applied to computers in ou?

Archived from groups: microsoft.public.win2000.group_policy

I applied a group policy containing user restrictions to an ou containing
both users and computers. The user restrictions are applied to the ou user
accounts correctly, following the users to whichever machine they log on to.
However, when a user whose account is NOT in this ou logs on to a computer
which IS in the ou, the user restrictions are NOT taking effect. This is my
problem - I want the user restrictions to apply to whoever logs on to the
machines in that ou. What is the proper method for making this happen? I
thought putting machines into the ou would make the user restrictions apply
to them regardless of who logged on but that is not happening.

-frank brown
seattle fire dept
http://www.inwa.net/~frog
  1. Archived from groups: microsoft.public.win2000.group_policy

    You should be able to use loopback to apply the user settings to the
    computer itself. That would probably be the best way.
    -Colin Torretta [MSFT]
  2. Archived from groups: microsoft.public.win2000.group_policy

    Thanks Colin and Mark. I will test loopback mode and implement it if it
    works as advertised, and doesn't impose too much additional processing via
    longer logins.

    -frank

    "frank" <somewhere@rainbow.net> wrote in message
    news:ZA8Md.9$496.90@news-west.eli.net...
    >I applied a group policy containing user restrictions to an ou containing
    >both users and computers. The user restrictions are applied to the ou user
    >accounts correctly, following the users to whichever machine they log on to.
    >However, when a user whose account is NOT in this ou logs on to a computer
    >which IS in the ou, the user restrictions are NOT taking effect...
  3. Archived from groups: microsoft.public.win2000.group_policy

    Hi Frank

    The user configuration portion of a GPO only applies to users who are in the
    OU hierarchy to which the GPO is linked. Similarly, the computer
    configuration portion of a GPO only applies to computers that are in the OU
    hierarchy to which the GPO is linked.

    You can change this behaviour by using policy loopback (as suggested by
    Colin). Policy loopback works as follows:

    1. When the computer boots, the list of GPOs for the computer is gathered
    based on its location in the Active Directory. This is its SOM or Scope
    of Management. The list includes GPOs linked to OUs at each level in the
    hierarchy from the OU in which the computer resides all the way up to the
    domain.

    2. The computer configuration settings from this list are applied to the
    computer provided it has permissions to the GPOs.

    3. When the user logs in, different behaviour occurs according to the policy
    loopback settings:

    A. Loopback off - the SOM for the user is calculated and then user
    configuration settings applied according to user permissions. The location
    of the user account in the AD decides entirely which user configuration
    settings are applied.

    B. Loopback merge mode - the SOM for the user is calculated as in A. The
    user configuration settings from this SOM are applied but at a lower
    precedence to the user configuration settings in the computer SOM. Once
    again, user permissions allow or prevent application of these settings
    regardless of whether they came from the user or computer SOM.

    C. Loopback replace mode - the SOM for the user is not considered. The user
    configuration settings are applied from the GPOs in the computer SOM
    provided they have user permissions.

    Depending on the structure of your Active Directory, the use of loopback in
    this situation may not be the best solution. You'd typically use loopback
    for a Terminal Server. You may also want to consider implementing the user
    settings required in a GPO linked higher in the hierarchy. For example:

    OU with GPO for user settings
    |_ OU with users not in the same OU as the computers
    |_ OU with users and computers as you've described. GPO with only computer settings.

    HTH
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.


    "frank" <somewhere@rainbow.net> wrote in message
    news:ZA8Md.9$496.90@news-west.eli.net...
    >I applied a group policy containing user restrictions to an ou containing
    >both users and computers. The user restrictions are applied to the ou user
    >accounts correctly, following the users to whichever machine they log on to.
    >However, when a user whose account is NOT in this ou logs on to a computer
    >which IS in the ou, the user restrictions are NOT taking effect. This is
    >my problem - I want the user restrictions to apply to whoever logs on to
    >the machines in that ou. What is the proper method for making this happen?
    >I thought putting machines into the ou would make the user restrictions
    >apply to them regardless of who logged on but that is not happening.
    >
    > -frank brown
    > seattle fire dept
    > http://www.inwa.net/~frog
    >
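
The processing order described in the third answer, as a small Python model added here for illustration; it is not part of the original thread and is not Microsoft code. The OU names, GPO names, settings and `deny` sets are constructed, the loopback mode is passed as a parameter rather than read from a GPO, and site policy, local policy, Block Inheritance and No Override are left out.

```python
"""Simplified model of user-policy resolution with loopback (added example)."""

# Constructed directory: OU path -> names of GPOs linked there.
LINKS = {
    ("domain",): ["Domain Baseline"],
    ("domain", "Staff"): ["Staff Desktop"],
    ("domain", "Kiosks"): ["Kiosk Lockdown"],
}

# Constructed GPOs: user-configuration settings plus accounts denied "Apply Group Policy".
GPOS = {
    "Domain Baseline": {"user": {"ScreenSaverTimeout": 900}, "deny": set()},
    "Staff Desktop": {"user": {"NoRun": 0, "Wallpaper": "staff.bmp"}, "deny": set()},
    "Kiosk Lockdown": {"user": {"NoRun": 1, "NoControlPanel": 1}, "deny": {"kioskadmin"}},
}


def som(ou_path):
    """GPOs in scope for an object, in application order (domain first, own OU last)."""
    gpos = []
    for depth in range(1, len(ou_path) + 1):
        gpos.extend(LINKS.get(ou_path[:depth], []))
    return gpos


def user_settings(user, user_ou, computer_ou, loopback="off"):
    """Resulting user configuration for `user` logging on to a computer in `computer_ou`."""
    if loopback == "off":
        order = som(user_ou)
    elif loopback == "merge":
        # User SOM first, computer SOM afterwards so it takes precedence on conflicts.
        order = som(user_ou) + som(computer_ou)
    elif loopback == "replace":
        order = som(computer_ou)
    else:
        raise ValueError(f"unknown loopback mode: {loopback}")
    result = {}
    for name in order:
        gpo = GPOS[name]
        if user in gpo["deny"]:  # user permissions gate every GPO, whichever SOM it came from
            continue
        result.update(gpo["user"])  # later GPOs override earlier ones
    return result


STAFF, KIOSKS = ("domain", "Staff"), ("domain", "Kiosks")
for mode in ("off", "merge", "replace"):
    print(mode, user_settings("alice", STAFF, KIOSKS, mode))
```

With loopback off, the `Staff` user keeps `NoRun` at 0 on the kiosk machine, which is the behaviour reported in the question; merge and replace both pick up the kiosk restrictions, and only merge retains the user's own `Wallpaper` setting.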