Group Policy Query

pjrousepjrouse Member Posts: 40 ■■□□□□□□□□
Hi Folks - below is a question i posted relating to the Server 2003 exam (70-290) but as it's just a generic GP query I'm sure some of the people in here might be able to answer it - thanks!

I've just started on my studies of server 2003 and am using Mike Meyers certification passport as my main study text. I'm currently reading up on Group Policy and something isnt quite clear in the book. I was wondering if anywhere here might clarify?

The query is around permissions on group policy - The paragraphs below are copied verbatim from the book with my queries in between

"Setting Permissions: Another change you might need to make is to modify which people are affected by the policy. While you can try top organize things so all computers in an OU are perfectly matched to their group policy, you might need to exempt some accounts from certain policies."

I presume he means computer (rather than user accounts?)

"In such a case you might need to change the permissions on the group policy object itself. To do this go to the properties of the OU in which the policy was created and click the properties button. A standard windows 2000/2003 User permissions windows is on the security tab. Select a computer (or add one if none is currently present) and in the lower window, look for the apply group policy permission."

This seems to make sense then........

There is then an Exam Tip box with the following information

"Users who have this permission (allow is checked) are subject to the policy. Those who dont (unchecked) have it wont receive the settings in the policy. Those with a Deny are prohibited from applying the policy, even if another group they are in would otherwise give them permission. Microsoft refer to this as filtering the policy"

My confusion arises from the fact that the paragraph prior to this one seems to refer to computer accounts only, yet the exam tip box is clearly referring to user accounts only?

So does group policy apply to users, computers or both in this case?

The final paragraph is as follows:

"Besides the apply permission, users must also have the read permission to access the information in the policy. This makes sense because you cant use information you cant see"

Having not configured GP before (can you tell? ) am i right in thinking that each policy object has it's own permissions tab, which is where you would configure this?

Thanks for reading this far guys and thanks for any help!

Paul
VCP5-DCV
MCSE Server 2012
MCITP: Enterprise Administrator - Server 2008
Network+

Comments

  • PavlovPavlov Member Posts: 264
    Administrators can configure specific desktop environments and enforce policy settings on groups of computers and users on the network as follows:

    Computer Configuration. Computer-related policies specify operating system behavior, desktop behavior, application settings, security settings, assigned applications options, and computer startup and shutdown scripts. Computer-related policy settings are applied when the machine is rebooted and during a periodic refresh of Group Policy.

    User Configuration. User-related policies specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policy settings are applied when users log on to the computer and during the periodic refresh of Group Policy.


    Group Policy is applied in an inherited and cumulative fashion and affects all computers and users in an Active Directory container. Policy is applied when the computer starts up and when the user logs on. When a user turns on the computer, the system applies computer policy. When a user logs on interactively, the system loads the user's profile, then applies user policy. Policy is reapplied on a periodic basis, which an administrator can set by using the Group Policy Object Editor, and can also reapplied on demand.

    When applying policy, the system queries the directory service for a list of GPOs to process. If a computer or user access has been denied access to a GPO, the system does not apply the specified policy settings. If access is permitted, the system applies the policy settings specified by the GPO.


    Hopefully this helped you get a better understanding of Group Policy in general.
    Pavlov
    A+, Net+, i-Net+, CIW-A
    MCP NT4, MCSA 2K, MCSE 2K
Sign In or Register to comment.