N
Neko-
I'm currently looking into Group Policies (Windows 2003), and have
found something that (according to the training material Microsoft
provides) should be possible, but upon trying some things out in a live
environment was shown not to work.
Now maybe I'm overlooking something here, but I can't see what I'd be
missing. Maybe someone on this group can provide a bit more insight in
what is going on.
I have two OU's. One contains the computer account (Windows XP
machine), and the other contains the user account. I have created a
policy to provide a logo for the background like you would do in a
company environment. This setting I activated through the use of the
User Configuration\Administrative Templates\Desktop\Active Desktop. I
enabled the 'Active Desktop' setting here, and added the appropriate
picture to the 'Active Desktop Wallpaper' setting.
I then linked the policy to the container in which the useraccount
resided. Logged off the workstation, and logged in, which provided me
with the wallpaper as expected.
Since a company is more likely to consider adding a wallpaper to it's
computers rather then it's users, the next test was to set this same
policy to the container with the computer account. I unlinked the GPO
from the OU containing the user object, and linked it to the OU that
had the computerobject. I removed the policy on the workstation
alltogether, then replaced the background with some other picture just
to verify that the policy would change the wallpaper back.
Ran 'GPUpdate /force', restarted the PC to make sure that applying the
settings were done as would normally happen, but alas... no wallpaper
was assigned. Since the GPO was tested under the user account, the
actual properties of the GPO seem sound.
Now my theory is that any User Configuration settings will only be
applied to user accounts, and never to machine accounts. Although it
seems logical that the whole GPO should be applied if it applies to the
object. According to Microsoft it should be possible to use the logical
approach, and deduce that if a policy is applicable to an object it
will be processed as a whole, so both the Computer Configuration and
the User Configuration.
Now the rights are set to standard (meaning that only Authenticated
Users have access to the policy). This would be the only part I'd be
guessing that could hamper the policy itself. But thinking about it
logically, the computer does authenticate itself to the domain prior to
presenting a logon-screen. Would that be seen as an 'Authenticated
User', or does some group exist depicting 'Authenticated Computers'?
I've verified that (as is default) no part of the policy is set to
not-process (properties of the policy itself allows you to speed up
policy processing by disabling or enabling the Computer Configuration
node and/or the User Configuration node. Standard both are enabled). So
I'm also ruling this out as a cause.
Does anyone have more expirience with this, and is willing to share and
help me out in figuring this part out? Thanks in advance!
found something that (according to the training material Microsoft
provides) should be possible, but upon trying some things out in a live
environment was shown not to work.
Now maybe I'm overlooking something here, but I can't see what I'd be
missing. Maybe someone on this group can provide a bit more insight in
what is going on.
I have two OU's. One contains the computer account (Windows XP
machine), and the other contains the user account. I have created a
policy to provide a logo for the background like you would do in a
company environment. This setting I activated through the use of the
User Configuration\Administrative Templates\Desktop\Active Desktop. I
enabled the 'Active Desktop' setting here, and added the appropriate
picture to the 'Active Desktop Wallpaper' setting.
I then linked the policy to the container in which the useraccount
resided. Logged off the workstation, and logged in, which provided me
with the wallpaper as expected.
Since a company is more likely to consider adding a wallpaper to it's
computers rather then it's users, the next test was to set this same
policy to the container with the computer account. I unlinked the GPO
from the OU containing the user object, and linked it to the OU that
had the computerobject. I removed the policy on the workstation
alltogether, then replaced the background with some other picture just
to verify that the policy would change the wallpaper back.
Ran 'GPUpdate /force', restarted the PC to make sure that applying the
settings were done as would normally happen, but alas... no wallpaper
was assigned. Since the GPO was tested under the user account, the
actual properties of the GPO seem sound.
Now my theory is that any User Configuration settings will only be
applied to user accounts, and never to machine accounts. Although it
seems logical that the whole GPO should be applied if it applies to the
object. According to Microsoft it should be possible to use the logical
approach, and deduce that if a policy is applicable to an object it
will be processed as a whole, so both the Computer Configuration and
the User Configuration.
Now the rights are set to standard (meaning that only Authenticated
Users have access to the policy). This would be the only part I'd be
guessing that could hamper the policy itself. But thinking about it
logically, the computer does authenticate itself to the domain prior to
presenting a logon-screen. Would that be seen as an 'Authenticated
User', or does some group exist depicting 'Authenticated Computers'?
I've verified that (as is default) no part of the policy is set to
not-process (properties of the policy itself allows you to speed up
policy processing by disabling or enabling the Computer Configuration
node and/or the User Configuration node. Standard both are enabled). So
I'm also ruling this out as a cause.
Does anyone have more expirience with this, and is willing to share and
help me out in figuring this part out? Thanks in advance!
)