How GPOs are applied


stevta [MSFT]

Authenticated Users does include machine accounts.
If the group policy is applied to users and computers, the
computer policy settings are applied first and then the user
settings.
Steve
 
In which case, how do the computer configuration settings
apply?

If there are no computer accounts in the Authenticated Users
group, how does the GPO know which computers to apply the
computer config settings to?

Does a GPO simply impose its settings on all computers in
the OU regardless of whether the GPO's scope is set to
apply to only a subgroup of the computers in the OU?
 
Computer configuration settings apply under the security context of the
machine account (e.g. DOMAIN\workstation$) where they are applied.
User configuration settings apply under the security context of the user
logging on to the system.

The Authenticated Users built-in principal always includes any security
principal which is authenticated, be it a user or a computer account.

Computers and users will *receive* the settings based on the GPO scope (i.e.
where it was applied: domain, site, OU, etc.). Then security filtering is
used to evaluate whether they have permission to *apply* the settings. If
they have permission, they will apply them as described above.
 
John,

Also, remember that a Policy is comprised of two parts:
the user configuration and the computer configuration
(well, for purposes of this example). You can disable
one "side" (let's just pick the computer configuration
for this example) and the other "side" will run.

Take Office XP, for example. I generally install Office
XP via GPO to the User Configuration. That way, no matter
where that user goes, he/she gets the same Office XP apps
(I generally make use of .mst files to differentiate who
gets what). I could, for example, disable the Computer
Configuration side of this Policy and all would be
wonderful. The policy might just run a smidgen faster as
the CPU ticks that would normally be used for the computer
configuration would not run... Obviously, if I applied this
Policy to the computer configuration side of things and
then disabled the computer configuration side, the policy
would not work...

If you have both user accounts and computer accounts in the
OU to which the policy is linked AND you do not filter
that policy by using Security Groups, then ALL accounts in
that OU will be affected. If you have 20 user accounts
and 20 computer accounts in an OU and a Policy is linked
to that OU, all 40 accounts (20 users + 20 computers)
will be affected. If, however, you wanted only a very
specific 12 users and eight computers to be affected by
this particular Policy, then you would need to create a
Security Group, place those specific 12 user and eight
computer accounts in that Security Group,
remove "Authenticated Users" from that Policy and add that
specific Security Group (and give it both Read and Apply
Group Policy permissions).

HTH,

Cary
 
Cheers for all this, I'm a bit clearer. I'm off into the
lab to test all this out.

Cheers
john
 
All makes sense now. I think it was the Authenticated
Users group that confused me, as I assumed it was just
users, but it's any authenticated object, so it includes
computers too. An object must be in both the OU (or a
child) the GPO applies to, and also in the scope with
Read & Apply Group Policy rights for the GPO to be
applied. This applies to both computer and user objects.
John
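The two conditions John summarises (link scope plus Read and Apply Group Policy through security filtering), Cary's "remove Authenticated Users, add a group" filtering, the disabled-side behaviour, and the computer-then-user processing order, as an added Python model. This is constructed example code, not anything from the thread or from Windows itself; the OU, user, computer and group names are made up, and the scenario is a 3-user, 2-computer stand-in for Cary's 20 + 20.

```python
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"
NEEDED = {"Read", "Apply Group Policy"}   # both rights are required to apply a GPO

@dataclass
class Principal:
    name: str            # constructed sample names; machine accounts end with "$"
    kind: str            # "user" or "computer"
    ou: str              # distinguished name of the container holding the object
    groups: set = field(default_factory=set)

    def trustees(self):
        # Every authenticated principal, user OR computer, is implicitly in Authenticated Users
        return self.groups | {self.name, AUTH_USERS}

@dataclass
class GPO:
    name: str
    linked_ou: str
    acl: dict                      # trustee -> set of granted rights (security filtering)
    computer_side: bool = True     # the Computer Configuration half can be disabled
    user_side: bool = True         # the User Configuration half can be disabled

def in_scope(p, gpo):
    # Link scope: the object must sit in the linked OU or in a child OU beneath it
    return p.ou == gpo.linked_ou or p.ou.endswith("," + gpo.linked_ou)

def passes_filter(p, gpo):
    # Security filtering: union the rights granted to the object itself and to its groups
    granted = set().union(*(gpo.acl.get(t, set()) for t in p.trustees()))
    return NEEDED <= granted

def settings_applied(p, gpo):
    """Which half of the GPO this principal applies: the computer half runs under the
    machine account (DOMAIN\\ws$), the user half under the logged-on user; None if neither."""
    if not (in_scope(p, gpo) and passes_filter(p, gpo)):
        return None
    if p.kind == "computer":
        return "Computer Configuration" if gpo.computer_side else None
    return "User Configuration" if gpo.user_side else None

def logon_sequence(computer, user, gpo):
    """Processing order at boot/logon: computer settings first, then user settings."""
    return [s for s in (settings_applied(computer, gpo), settings_applied(user, gpo)) if s]

# Constructed scenario: users and computers in one OU, only some in the "Office-XP" group
OU = "OU=Sales,DC=example,DC=local"
PEOPLE = [Principal(f"user{i}", "user", OU, {"Office-XP"} if i < 2 else set()) for i in range(3)]
HOSTS = [Principal(f"ws{i}$", "computer", OU, {"Office-XP"} if i < 1 else set()) for i in range(2)]

def who_applies(gpo):
    return sorted(p.name for p in PEOPLE + HOSTS if settings_applied(p, gpo))

DEFAULT = GPO("Office XP", OU, {AUTH_USERS: NEEDED})      # default filtering: all 5 apply it
FILTERED = GPO("Office XP", OU, {"Office-XP": NEEDED})    # Authenticated Users removed: 3 apply it
```

Running `who_applies(DEFAULT)` lists every object in the OU, computers included, while `who_applies(FILTERED)` lists only the Office-XP group members; an object in another OU is never listed, whatever the ACL says.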
 