GPO Computer Setting - Can they be applied to Users?

Guest

We've implemented GPOs in our environment OK - but have one fundamental
issue. Our AD design is structured by department - so we have for example an
HR OU, an IT OU, a FINANCE OU etc. These OUs contain user objects. We have
not got an OU for computers - the computer objects all reside in a default
container - I understand I can move these objects to an OU. This leads on to
my question - can the computer configuration part of a GPO be applied to user
objects (or rather to OUs that contain user objects)? I'm guessing NO - I've
configured a GPO with computer and user settings and applied it to an OU that
contains user objects - only the user configuration gets applied. Am I right
in saying I'll need to configure OUs to put my computer objects in and apply
a GPO that contains the computer configuration settings? I was trying to
avoid this.
Thanks
Charles
 
ptwilliams

Charles said:
Am I right in saying I'll need to configure OUs to put my computer objects
in and apply a GPO that contains the computer configuration settings - I
was trying to avoid this.

Alternatively you can use security filtering to apply specific settings to
computers via group membership (computer objects being members of the
group).
-- http://www.msresource.net/content/view/15/47/



--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Herb Martin

Charles said:
We've implemented GPOs in our environment OK - but have one fundamental
issue. Our AD design is structured by department - so we have for example an
HR OU, an IT OU, a FINANCE OU etc. These OUs contain user objects. We have
not got an OU for computers - the computer objects all reside in a default
container - i understand i can move these object to an OU. This leads on to
my question - can the computer configuration part of a gpo be applied to user
objects

No. The Computer part will not affect the Users directly.
(It will apply to their computers and may change what they can
do of course.)

Charles said:
( or rather to OUs that contain user objects - I'm guessing NO - I've

You may be confusing LINK with APPLY. All GPOs contain both a
Computer SECTION and a User SECTION. Either can be empty, or
even disabled, or they both may contain active settings.

The Computer portion is applied only to computers and the User portion
is applied only to Users in any case.

You can put your Computers in the same OU as the Users or you can put
them in either completely separate or perhaps some child/sibling OU
from the Users.

Charles said:
configured a gpo with computer and user settings and applied it to an OU that
contains user objects - only the user configuration gets applied.

Only the User section applies to users and only the Computer section
applies to Computers. (Both sections always exist, even if disabled.)

Charles said:
Am I right
in saying I'll need to configure OUs to put my computer objects in and apply
a GPO that contains the computer configuration settings -

Probably. If you need computer settings then you need to put the Computers
in an OU (either a new or existing OU) or you may apply those settings to
the Domain as a whole if you don't wish to put the computers in an actual OU.

Charles said:
I was trying to avoid this.

Why?

There is probably no reason for avoiding this step. It is usually
the "right thing" to do, in fact.

The SAME GPO can have settings for both Users and Computers and
each section will affect only that type of objects. People do this every
day.

It is the way it was designed to work.
 
Guest

Paul - Anthony - Herb,
many thanks for your replies. As expected I need to create an OU - put
computer objects in it and apply a GPO with the computer settings (I'll
disable User Configuration). In our environment this adds administrative
overhead. We've all our PCs named by their serial number - and our AD is set
up by department - so what if I wanted to have certain GPO settings applied
to HR department PCs and different settings to FINANCE department PCs - I
know how to do this - but it involves identifying which PCs are in which
department - I could start a PC naming convention - so it's all doable - it
just involves more work.
Thanks again for your replies.
 
Anthony Yates

This is a generic dilemma. To apply policies selectively you need to group
the PCs (or users) either in OUs or in security groups. If your naming
convention does not correspond to the groupings you will always have to find
some way to get them in the right OU or group. We use the description field
of the computer object to describe where it is. They don't move around that
often. We also have very few computer settings that need to vary by
department. It is mainly the user settings that vary, and the users are
organised that way already.
Anthony
 
Herb Martin

Charles said:
Paul - Antony - Herb,
many thanks for your replies. As expected i need to create an OU - put
computer objects in it and apply a GPO with the computer settings ( I'll
disable User Configuration )

There are two (major) cases where you should disable either Computer
or User settings in an OU:

1) No settings made in that portion
2) To avoid settings (troubleshooting, re-used GPO from another
location, ...)

The reason for #1 is that this improves performance by avoiding
the download of policies that will have no effect anyway.

Charles said:
In our environment this adds administrative
overhead. We've all our PCs named by their serial number

UGH!!!

That's what comments and such are for. Why didn't you use
the GUID? Then it would be vendor independent.

Charles said:
- and our AD is set
up by department - so what if i wanted to have certain gpo settings applied
to HR department PCs and different settings to FINANCE department PCs - I
know how to do this - but it involves identifying which PCs are in which
department -

Well, sure it does. You just put all the Finance PCs in the Finance
department OU.

In case you haven't guessed, if you cannot tell the difference
between a Finance PC and an HR PC then neither can AD and
the GPO.

Charles said:
I could start a PC naming convention - so its all do able - it
just involves more work.

You don't need a naming convention, just place the PCs in the
correct OU.

It's simple because that was the way it was designed.
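
The steps discussed in this thread (computers identified by their description field, placed in a department OU, a computer-only GPO linked there, or security filtering as the alternative), as an added PowerShell example that is not part of any post above. The domain, OU, GPO and group names are assumptions, and it needs the ActiveDirectory and GroupPolicy modules:

```powershell
# Added example. Every name below (contoso.local, Finance, GPO and group names) is assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=contoso,DC=local'          # assumed domain
$deptOu   = "OU=Finance,$domainDn"         # existing department OU that holds the users
$pcOuName = 'Computers'                    # child OU for that department's PCs
$pcOu     = "OU=$pcOuName,$deptOu"
$gpoName  = 'Finance - Computer Settings'  # assumed GPO name

# 1. Create the child OU for computer objects if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$pcOu'")) {
    New-ADOrganizationalUnit -Name $pcOuName -Path $deptOu
}

# 2. Move PCs out of the default container, selected by the Description field
#    (the names are serial numbers, so the name cannot identify the department).
Get-ADComputer -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel `
        -Filter "Description -like '*Finance*'" -Properties Description |
    Move-ADObject -TargetPath $pcOu -WhatIf   # remove -WhatIf once the list looks right

# 3. GPO that carries only computer settings: disable the empty User section
#    so clients skip it, then link the GPO to the computer OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$gpo.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $gpoName -Target $pcOu -LinkEnabled Yes

# Alternative (security filtering): leave the computers where they are, link the GPO
# higher up (for example at the domain) and let only one group's members apply it.
$group = 'Finance-PCs'   # assumed security group whose members are computer accounts
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply
# Downgrade the default Apply right to Read: the GPO stays readable,
# but only members of $group process its settings.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
```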
 
