GPO Policy won't apply.

Yay Deutschland!

I set up a GPO policy to display a logon banner on all of the client
computers under Active Directory under "Computer Configuration". The policy
was created on the Domain User's OU (the container where all my users are).
Right now I set up the security settings on domain users to "Apply Group
Policy" at the check box. Am I doing something wrong? Do I need another
group to "Apply Group Policy" since this is a Computer Configuration and not
a user configuration?

TIA
 
Mike Aubert

Group Policy settings can be under one of two categories:

- Computer Configuration

- User Configuration


The Computer Configuration portion of a Group Policy Object will apply to
any computer accounts in that OU (or Site/Domain).



The User Configuration portion of a Group Policy Object will apply to any
user accounts in that OU (or Site/Domain).



There is no correlation between Computer Configuration and user accounts or
User Configuration and computer accounts (with the exception of loop back
processing, but that's another topic).



You actually have to trace two paths to get all the Group Policy settings -
one for the computer account and one for the user account.


EX:



Say there was a domain called corp.com with an OU called Corp Users and Corp
Workstations. All user accounts are in the Corp Users OU and all the
computer accounts are in the Corp Workstations OU. Now excluding any
local/site policies or loop back processing, here is where the Group Policy
information would come from.



Computer Configuration: corp.com > Corp Workstations OU



User Configuration: corp.com > Corp Users OU



None of the Computer Configuration settings in a GPO tied to the Corp Users
OU will apply, nor will any User Configuration settings in a GPO tied to the
Corp Workstations OU.



Because the setting in group policy you are using is under Computer
Configuration > Windows Settings > Security Settings...you need to be
concerned where the Computer Accounts are in your OU structure, not the user
accounts. You need to make sure the policy applies to the computer
accounts, not the user accounts.
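
The two paths described in the answer above can be traced with the RSAT ActiveDirectory and GroupPolicy modules. This is an added example, not part of the original thread; `Get-ParentContainer` and `Get-GpoPath` are hypothetical helper names, and `WKSTN01` and `jdoe` are placeholder account names.

```powershell
# Added example: trace the Computer and User Group Policy paths separately.
Import-Module ActiveDirectory, GroupPolicy

function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Drop the first RDN, honouring escaped commas such as "CN=Doe\, Jane".
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-GpoPath {
    param(
        [Parameter(Mandatory)][string]$AccountDN,
        [Parameter(Mandatory)][ValidateSet('Computer', 'User')][string]$Portion
    )
    $container = Get-ParentContainer -DistinguishedName $AccountDN
    # Default containers (CN=Computers, CN=Users) cannot have GPOs linked to
    # them, so walk up until an OU or the domain root is reached.
    while ($container -like 'CN=*') {
        $container = Get-ParentContainer -DistinguishedName $container
    }
    # InheritedGpoLinks lists the GPOs in effect at this container, including
    # those inherited from parent OUs and the domain (site links not included).
    foreach ($link in (Get-GPInheritance -Target $container).InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        # A GPO can have its Computer or User half switched off entirely.
        $off = [string]$gpo.GpoStatus -in 'AllSettingsDisabled', "${Portion}SettingsDisabled"
        [pscustomobject]@{
            Portion        = "$Portion Configuration"
            Container      = $container
            Gpo            = $link.DisplayName
            LinkedAt       = $link.Target
            Enforced       = $link.Enforced
            PortionEnabled = -not $off
        }
    }
}

# Placeholder account names; substitute a real workstation and user.
$computer = Get-ADComputer -Identity 'WKSTN01'
$user     = Get-ADUser -Identity 'jdoe'

$rows  = @()
$rows += Get-GpoPath -AccountDN $computer.DistinguishedName -Portion Computer
$rows += Get-GpoPath -AccountDN $user.DistinguishedName -Portion User
$rows | Format-Table -AutoSize
```

A logon banner GPO linked only to the users' OU will appear in the User rows but not in the Computer rows, which is why its Computer Configuration settings never reach the workstation. Running `gpresult /r /scope computer` on the client shows what was actually applied.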
 
Yay Deutschland!

Excellent =)

Thanks!

Mike Aubert said:
Group Policy settings can be under one of two categories:

- Computer Configuration

- User Configuration


The Computer Configuration portion of a Group Policy Object will apply to
any computer accounts in that OU (or Site/Domain).



The User Configuration portion of a Group Policy Object will apply to any
user accounts in that OU (or Site/Domain).



There is no correlation between Computer Configuration and user accounts
or User Configuration and computer accounts (with the exception of loop
back processing, but that's another topic).



You actually have to trace two paths to get all the Group Policy
settings - one for the computer account and one for the user account.


EX:



Say there was a domain called corp.com with an OU called Corp Users and
Corp Workstations. All user accounts are in the Corp Users OU and all the
computer accounts are in the Corp Workstations OU. Now excluding any
local/site policies or loop back processing, here is where the Group
Policy information would come from.



Computer Configuration: corp.com > Corp Workstations OU



User Configuration: corp.com > Corp Users OU



None of the Computer Configuration settings in a GPO tied to the Corp
Users OU will apply, nor will any User Configuration settings in a GPO
tied to the Corp Workstations OU.



Because the setting in group policy you are using is under Computer
Configuration > Windows Settings > Security Settings...you need to be
concerned where the Computer Accounts are in your OU structure, not the
user accounts. You need to make sure the policy applies to the computer
accounts, not the user accounts.



------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA

www.2000trainers.com
 
