Multiple GPOs for Computer and User OUs?

G

Greg T

I work at a school where there is a Windows 2000 AD
network, and XP Pro clients.

There are four groups of computers, each with their own
OU, and another OU for the group of Students. Students

I would like to apply a GPO to the Students OU locking
their accounts down, no matter where they log in, and I
would like to run login scripts based on what computer
they log into.

I have created a GPO and associated it with the Students
OU, it it's working just fine.

I have created other GPOs for each OU of computers to run
a logon script, but it is not working. Students are able
to browse to the script (located at
\\server\NETLOGON\logon.bat) and run it successfully, but
for some reason the GPO on the PC OUs are not taking
effect.

What am I doing wrong? Is this because I am applying user
configuration settings in a GPO to an OU populated only by
PC accounts?
 
M

Mark Renoden [MSFT]

Hi Greg

You hit the nail on the head. User Configuration settings only apply to
users that reside in the OU heirarchy to which the GPO is linked. If all
you have is computers, User Configuration doesn't apply.

You can change this behaviour by using Policy Loopback:

231287 Loopback Processing of Group Policy
http://support.microsoft.com/?id=231287

By the sounds of your setup, you might want to use this in merge mode. By
doing this, the users get the policy which applies to their OU and if there
are any User Configuration settings applied to the OU's in which the
computers reside, these will apply also. The only things to keep in mind
are:

1. User Configuration settings applied at the computer OU's will override
the policy settings applied to the user OU if there is a conflict.

2. User Configuration settings applied at the computer OU's will apply to
everyone (including administrators) unless you deny "Apply Group Policy" for
them.

There are possibly other ways to approach this depending on your
requirements but this seems like the simplest answer over a newsgroup :)

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GPO Processing Order and OUs 15
GPOs will not work on OUs 7
Will this work as a first step? 2
What happens if two GPOs are enforced? 1
how to create sub-GPOs 6
Applying group policy based on machine... 7
GPO IE Zone Mapping issue on TS 2
Exclude some users and computers form logout script 2

Top