cashew wrote: Thats' what I thought, but what about this. Correct me if I'm wrong, but lets say a PC is in an OU and a user is in a different OU. There is a GPO linked to the PC OU that has user settings defined.
cashew wrote: Then back to the first question, where if the settings on both OU's don't conflict, they will be both applied?
cashew wrote: What if loopback processing is enabled for an OU that has only computers in it. On that computers OU there are user settings defined. When a user logs on to the computer, the user settings from the computers OU are applied to the user, and the action is dependant on merge or replace mode? Merging af the settings don't conflict and replacing if they do?
"Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user. -- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.
sprkymrk wrote: Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.
cashew wrote: sprkymrk wrote: Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last. I created an OU and added a user account and computer account. I set the computer policy to disallow messenger to enable and set the user to disallow messenger to disable. When I refreshed I was unable to run messenger? I thought that the user settings would override since loopback wasn't enabled?
Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence.
In most cases policy settings specified in the Computer Configuration node have precedence over the same setting if one exists in the User Configuration node.
royal wrote: I always thought that user configuration wins unless it either states that the computer setting will take precedence or in cases such as loopback. After seeing the following comment, I'm not so sure about that: From: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsec_pol_blsa.mspx?mfr=true In most cases policy settings specified in the Computer Configuration node have precedence over the same setting if one exists in the User Configuration node.
mr2nut wrote: What is the difference between block inheritence and no override by the way? They sound like they do very similar things.
mr2nut wrote: Also, do GPOs work in alphabetical order? If not, how do they determine which applies first?
dynamik wrote: If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.
dynamik wrote: mr2nut wrote: What is the difference between block inheritence and no override by the way? They sound like they do very similar things. They do opposite things. You can think of "no override" as "force inheritance." Suppose you delegate control over an OU to someone, but you do not want them to override a setting you set at the domain level. mr2nut wrote: Also, do GPOs work in alphabetical order? If not, how do they determine which applies first? They are applied in this order: Local > Domain > Site > OU If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.
mr2nut wrote: Cheers. I understand the order in the respect of local>domain>site>ou. But lets say you have three OUs for clients, fileservers and servers. Clients appears in the list before fileserver, so does the servers OU inherit the default domain policy, then settings from clients, then fileservers, or do OUs completely ignore other policies and only GPOs applied directly into the OU?
wrote: Local > Domain > Site > OU
dynamik wrote: » +1 Don't listen to that other guy
royal wrote: » And the one at top of the list wins. This is important if you're doing something like WMI filtering with 2000 machines. Since 2000 machines don't apply WMI filtering, you can trick it by placing the Windows 2000 GPO on top and the XP GPO 2nd in the list. You then apply a GPO filter so that the top GPO only applies to Windows 2000. Since XP will see this WMI filter, it'll skip the top one and apply the second one. Since 2000 can't see the WMI filter, it'll automatically just apply the first one. So the processing in the actual list is important.
undomiel wrote: » True. You would want to reverse the order so that on the 2000 machine the XP GPO is overwritten by the 2000 GPO.
undomiel wrote: » Well I will admit this was working off the assumption that they are modifying the same setting, in which case the last applied GPO (2000) is what takes precedence e.g. "overwrites". Precedence is probably a better word for it, I just always use overwrites in my head.
