user settings not applied to computers in ou?


frank

I applied a group policy containing user restrictions to an ou containing
both users and computers. The user restrictions are applied to the ou user
accounts correctly, following the users to whichever machine they logon to.
However, when a user whose account is NOT in this ou logs on to a computer
which IS in the ou, the user restrictions are NOT taking effect. This is my
problem - I want the user restrictions to apply to whoever logs on to the
machines in that ou. What is the proper method for making this happen? I
thought putting machines into the ou would make the user restrictions apply
to them regardless of who logged on but that is not happening.

-frank brown
seattle fire dept
http://www.inwa.net/~frog
 
You should be able to use loopback to apply the user settings to the
computer itself. That would probably be the best way.
-Colin Torretta [MSFT]
 
Hi Frank

The user configuration portion of a GPO only applies to users who are in the
OU hierarchy to which the GPO is linked. Similarly, the computer
configuration portion of a GPO only applies to computers which are in the OU
hierarchy to which the GPO is linked.

You can change this behaviour by using policy loopback (as suggested by
Colin). Policy loopback works as follows:

1. When the computer boots, the list of GPOs for the computer is gathered
based on its location in the Active Directory. This is its SOM or Scope
of Management. The list includes GPOs linked to OUs at each level in the
hierarchy from the OU in which the computer resides all the way up to the
domain.

2. The computer configuration settings from this list are applied to the
computer provided it has permissions to the GPOs.

3. When the user logs in, different behaviour occurs according to the policy
loopback settings:

A. Loopback off - the SOM for the user is calculated and then user
configuration settings applied according to user permissions. The location
of the user account in the AD decides entirely which user configuration
settings are applied.

B. Loopback merge mode - the SOM for the user is calculated as in A. The
user configuration settings from this SOM are applied but at a lower
precedence to the user configuration settings in the computer SOM. Once
again, user permissions allow or prevent application of these settings
regardless of whether they came from the user or computer SOM.

C. Loopback replace mode - the SOM for the user is not considered. The user
configuration settings are applied from the GPOs in the computer SOM
provided they have user permissions.

Depending on the structure of your Active Directory, the use of loopback in
this situation may not be the best solution. You'd typically use loopback
for a Terminal Server. You may also want to consider implementing the user
settings required in a GPO linked higher in the hierarchy. For example:

OU with GPO for user settings
|_ OU with users not in the same OU as the computers
|_ OU with users and computers as you've described. GPO with only
computer settings.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
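The following is an added simulation, not part of the thread and not Microsoft code, of the processing order Mark describes: the SOM is walked from the domain down to the object's own OU, GPOs linked nearest the object win, security filtering is checked against the user's groups, and the three loopback modes decide whether the user's SOM, the computer's SOM, or both (computer SOM at higher precedence) supply the user configuration. The OU names, GPO names, setting names and group names are constructed sample data chosen to mirror Frank's situation (a user outside the station OU logging on to a station computer).

```python
"""Simulation of GPO scope of management (SOM) and policy loopback.

All directory data below is constructed for illustration; it is not a real
domain, and the setting names are arbitrary labels, not registry values.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer_settings: dict = field(default_factory=dict)
    user_settings: dict = field(default_factory=dict)
    # Security filtering: the GPO applies only to principals in one of these
    # groups.  "Authenticated Users" (the default) covers every account here.
    apply_to: frozenset = frozenset({"Authenticated Users"})


# Constructed OU tree: container -> parent container (None at the domain).
DOMAIN = "DC=corp"
FIRE_OU = "OU=Fire,DC=corp"
STATIONS_OU = "OU=Stations,OU=Fire,DC=corp"   # the OU holding the computers
ADMIN_OU = "OU=Admin,OU=Fire,DC=corp"         # an OU whose users roam onto them
OU_PARENT = {DOMAIN: None, FIRE_OU: DOMAIN, STATIONS_OU: FIRE_OU, ADMIN_OU: FIRE_OU}

# GPOs linked to each container, listed in link order (first = highest precedence).
GPO_LINKS = {
    DOMAIN: [GPO("Default Domain Policy", user_settings={"Wallpaper": "corp.bmp"})],
    STATIONS_OU: [
        GPO("Station Restrictions",
            user_settings={"NoControlPanel": 1, "Wallpaper": "station.bmp"}),
        # Filtered GPO: only members of "Kiosk Users" are permitted to apply it.
        GPO("Kiosk Lockdown", user_settings={"NoRun": 1},
            apply_to=frozenset({"Kiosk Users"})),
    ],
    ADMIN_OU: [GPO("Admin Settings",
                   user_settings={"NoControlPanel": 0, "HomePage": "admin.local"})],
}


def scope_of_management(container):
    """Containers from the domain down to `container`.

    Policy is applied in this order, so a GPO linked nearer the object is
    applied later and overrides one linked higher up (the LSDOU rule).
    """
    chain = []
    while container is not None:
        chain.append(container)
        container = OU_PARENT[container]
    return list(reversed(chain))


def gpos_in_som(container, groups):
    """GPOs the principal may apply, ordered lowest to highest precedence."""
    result = []
    for c in scope_of_management(container):
        # Within one container, link order 1 has the highest precedence,
        # so it is applied last: walk the link list in reverse.
        for gpo in reversed(GPO_LINKS.get(c, [])):
            if gpo.apply_to & groups:          # security filtering check
                result.append(gpo)
    return result


def resolve(gpos, part):
    """Apply the chosen settings part of each GPO in order; later GPOs win."""
    settings = {}
    for gpo in gpos:
        settings.update(getattr(gpo, part))
    return settings


def effective_user_settings(user_ou, computer_ou, loopback="off",
                            user_groups=frozenset({"Authenticated Users"})):
    """User configuration that results when a user in `user_ou` logs on to a
    computer in `computer_ou`.  `loopback` is "off", "merge" or "replace",
    mirroring cases A, B and C in the post."""
    user_som = gpos_in_som(user_ou, user_groups)
    # Loopback draws user settings from the computer's SOM, but it is still the
    # user's own permissions that decide whether each GPO applies.
    computer_som = gpos_in_som(computer_ou, user_groups)
    if loopback == "off":
        return resolve(user_som, "user_settings")
    if loopback == "merge":        # user SOM first, computer SOM overrides it
        return resolve(user_som + computer_som, "user_settings")
    if loopback == "replace":      # user SOM ignored entirely
        return resolve(computer_som, "user_settings")
    raise ValueError(f"unknown loopback mode: {loopback}")


if __name__ == "__main__":
    for mode in ("off", "merge", "replace"):
        print(mode, effective_user_settings(ADMIN_OU, STATIONS_OU, mode))
    kiosk = frozenset({"Authenticated Users", "Kiosk Users"})
    print("replace, kiosk user",
          effective_user_settings(ADMIN_OU, STATIONS_OU, "replace", kiosk))
```

With loopback off the Admin-OU user keeps `NoControlPanel: 0` on a station computer, which is exactly the behaviour Frank observed; merge mode keeps the user's own `HomePage` but lets the station GPO override the overlapping settings, and replace mode discards the user's SOM altogether. The filtered "Kiosk Lockdown" GPO never applies to a user outside "Kiosk Users", even in replace mode, which is the "provided they have user permissions" caveat in the post.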
 
Thanks Colin and Mark. I will test loopback mode and implement it if it
works as advertised, and doesn't impose too much additional processing via
longer logins.

-frank
 