Group Policy Clarification

Graham Prentice

I'm looking for some insight on why things may be happening.

Set up new OU. Moved terminal server computer object to this OU. Created
GP, checked loopback processing. GP properties -- security added user group
and assigned Allow -- Apply Group Policy.

1. What is the difference between adding a user group and checking Apply
Group Policy vs. moving the user object under the OU? Is this the same
thing? If a computer object is under the OU, do you need to still go into
the GP properties -- security and add Allow -- Apply Group policy to the
computer object?

2. We want the GP to only affect users who are logged into the TermServ.
The TS is the only computer object under the OU with the GP. Within the GP,
there is a user config section and a computer config section. With the
'User Group Policy loopback processing mode' (replace) enabled, do you still
have to add the user group to the security -- allow -- apply group policy?
Or does the computer object within the GP OU take control of which policies
are applied to any user who logs in? Do both the User Config and Computer
Config sections apply to this loopback policy?

3. A user's computer is affected by an old GP which denies access to his
a,b,c drives. Just by taking this user out of the old GP association, will
his ability to use a,b,c drives come back by itself? Or do you have to
reset the local policy on the computer?

TIA,
Graham
 
Brian Desmond [MVP]

Hi Graham,

Find my answers inline

--
Brian Desmond
Windows Server MVP
Http://www.briandesmond.com
> Set up new OU. Moved terminal server computer object to this OU. Created
> GP, checked loopback processing. GP properties -- security added user group
> and assigned Allow -- Apply Group Policy.
>
> 1. What is the difference between adding a user group and checking Apply
> Group Policy vs. moving the user object under the OU? Is this the same
> thing? If a computer object is under the OU, do you need to still go into
> the GP properties -- security and add Allow -- Apply Group policy to the
> computer object?

A GPO will only apply to objects beneath it on the OU. You would use the
security permissions on a GPO to further filter what objects below it can
apply the settings. By default, GPOs have Authenticated Users settings,
which encompasses all users and computers, and will allow the GPO to be
applied by any user/computer in an OU it's linked to (or below). So, you
don't still need to go into the security settings on the GPO and add the
machine to the list.

> 2. We want the GP to only affect users who are logged into the TermServ.
> The TS is the only computer object under the OU with the GP. Within the GP,
> there is a user config section and a computer config section. With the
> 'User Group Policy loopback processing mode' (replace) enabled, do you still
> have to add the user group to the security -- allow -- apply group policy?
> Or does the computer object within the GP OU take control of which policies
> are applied to any user who logs in? Do both the User Config and Computer
> Config sections apply to this loopback policy?

The GPO will only affect users who log onto the TS in the OU if loopback
processing is enabled. You do not need to add the user to the security tab
explicitly. The authenticated users DACL is a superset of all the users and
computers. Both User and Computer config settings apply when loopback
processing is enabled.

> 3. A user's computer is affected by an old GP which denies access to his
> a,b,c drives. Just by taking this user out of the old GP association, will
> his ability to use a,b,c drives come back by itself? Or do you have to
> reset the local policy on the computer?

In replace mode, the GPO linked to the user's account OU will be overridden,
so the setting to hide these drives will return.
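
An added example, not part of the original thread: a PowerShell report of the three things discussed above for the GPOs that reach an OU, namely the link, the trustees holding Apply Group Policy (security filtering), and the loopback mode. It assumes the GroupPolicy module (GPMC / RSAT) is installed; the OU distinguished name and the function name `Get-OuGpoScopeReport` are placeholders chosen for illustration.

```powershell
# Added example. Requires the GroupPolicy module (GPMC / RSAT) and read access to the domain.
Import-Module GroupPolicy

# Registry-backed value behind "User Group Policy loopback processing mode".
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackName = 'UserPolicyMode'
$ModeNames    = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-OuGpoScopeReport {
    param([Parameter(Mandatory = $true)][string]$OuDistinguishedName)

    # GPOs linked to the OU itself plus those inherited from its parents.
    $som = Get-GPInheritance -Target $OuDistinguishedName

    foreach ($link in $som.InheritedGpoLinks) {
        # Security filtering: trustees holding the standard "Apply Group Policy" level.
        $perms  = Get-GPPermission -Guid $link.GpoId -All
        $apply  = $perms | Where-Object { $_.Permission -eq 'GpoApply' }
        # Custom entries do not map to a standard level and need manual review.
        $custom = $perms | Where-Object { $_.Permission -eq 'GpoCustom' }

        # Loopback mode; the cmdlet raises an error when the value is not set in this GPO.
        $mode = 'Not configured'
        try {
            $value = Get-GPRegistryValue -Guid $link.GpoId -Key $LoopbackKey `
                     -ValueName $LoopbackName -ErrorAction Stop
            $mode = $ModeNames[[int]$value.Value]
        } catch { }

        [PSCustomObject]@{
            Gpo          = $link.DisplayName
            LinkedAt     = $link.Target
            LinkEnabled  = $link.Enabled
            Enforced     = $link.Enforced
            Loopback     = $mode
            ApplyAllowed = ($apply.Trustee.Name | Sort-Object) -join '; '
            CustomAcl    = ($custom.Trustee.Name | Sort-Object) -join '; '
        }
    }
}

# Placeholder DN (assumption): substitute the OU that holds the terminal server.
Get-OuGpoScopeReport -OuDistinguishedName 'OU=TerminalServers,DC=example,DC=com' |
    Format-Table -AutoSize -Wrap
```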
 
Graham Prentice

Thanks for spending the time Brian. We have another OU with several GPOs
and 'authenticated users' was removed so we could specify groups of users
for each GPO.
You helped clarify things.
Thanks again,
Graham
 
