basic Group policy questions


Mike

Hello,

I have been messing around with group policy a little, and have a few basic
questions.

First, I have created a new OU with an attached GP. Do I need the users to
be in this container to apply the group policy to them, or can I just have a
security/distribution group in the OU with members from the Users OU?

Second, if I assign a user to an OU will only the user config apply from the
GP, or will the computer config apply to whatever computer the user is
logged onto also? I am having trouble applying the computer config unless I
add the computer object into the OU.

Mike
 
A GPO consists of a Computer portion and a User portion,
each with many policies.
A GPO linked to an OU will apply User settings to User
account objects in that OU, and will apply Computer settings
to computer objects in that OU.
Placing a security group into the OU has no effect on the
procession of GPO.
The above application of computer and user settings can be
modified by the use of loopback processing so that the
computer portion may be applied when triggered by a user
object being subjected to the GPO.
Also, the above computer and user settings application can
be restricted to only some of the computer or the user objects
in the OU by use of a security group to filter to what objects
the GPO is applied, but in this case those objects still need
to be placed within the scope of the GPO's management.
 
Thank you for the response.

You mentioned that placing a security group into the OU has no effect on the
procession of GPO. What about distribution groups? Can I assign
users/computers to a distribution group that is in the OU even if the actual
user object is not in the OU? Also, where is the loopback processing policy
located? Does loopback processing allow a computer to trigger the user
config also?

Mike
 
The only role of groups for triggering GPO application
is security group filtering, which is the use of the group
to grant read and apply permissions to the GPO.
A group in an OU never has any meaning relative to
application of GPO.
I was imprecise in the mention of loopback processing.
In a GPO's computer section, under Group Policy (dig in)
you will find policy to enable loopback processing. When
enabled, and GPO is linked to OU containing the computer
object (so computer section is applied), then if the user
that is logging in is a member of a group granted read and
apply (or is granted directly) then the User section will be
processed even though the user object is not within the OU.
 
Thank you, you have been a great help.

Mike

Roger Abell said:
The only role of groups for triggering GPO application
is security group filtering, which is the use of the group
to grant read and apply permissions to the GPO.
A group in an OU never has any meaning relative to
application of GPO.
I was imprecise in the mention of loopback processing.
In a GPO's computer section, under Group Policy (dig in)
you will find policy to enable loopback processing. When
enabled, and GPO is linked to OU containing the computer
object (so computer section is applied), then if the user
that is logging in is a member of a group granted read and
apply (or is granted directly) then the User section will be
processed even though the user object is not within the OU.
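
The scoping rules discussed in this thread (OU link, security group filtering, loopback) can be checked for a given OU with the GroupPolicy RSAT module. This is an added example, not code posted by anyone in the thread; the OU distinguished name and the function name Get-OuGpoScope are hypothetical.

```powershell
# Added example: audit how the GPOs linked to one OU are scoped.
# Requires the RSAT GroupPolicy module and a domain-joined session.
Import-Module GroupPolicy

# Hypothetical OU distinguished name; replace with your own.
$OuDn = 'OU=Kiosks,DC=example,DC=com'

# Loopback processing is stored as a computer-side registry policy value.
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackMode = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-OuGpoScope {
    param([Parameter(Mandatory)][string]$Target)

    # GpoLinks holds only the GPOs linked directly to this OU.
    foreach ($link in (Get-GPInheritance -Target $Target).GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId

        # Security filtering: trustees granted Read + Apply on the GPO.
        $appliesTo = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        # Get-GPRegistryValue raises an error when the value is not set,
        # so an unset loopback policy falls through to the default text.
        $loopback = 'Not configured'
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                     -ValueName 'UserPolicyMode' -ErrorAction Stop
            $loopback = $LoopbackMode[[int]$v.Value]
        } catch { }

        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            LinkOn    = $link.Enabled
            Enforced  = $link.Enforced
            GpoStatus = $gpo.GpoStatus   # user or computer half disabled?
            AppliesTo = $appliesTo -join ', '
            Loopback  = $loopback
        }
    }
}

Get-OuGpoScope -Target $OuDn | Format-Table -AutoSize
```

A group object sitting inside the OU never appears in this output; only trustees with Apply permission on the GPO itself do, which matches the answer given above.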
 