Policy Applied per user or per computer? Differences

NullCode Posts: 73 Member
Hi Guys,

What is the main difference between adding a policy for a user, or for a computer?

Let's say we want to automatically log on the users to the wireless, what should we do?
Should we apply the policy per user/per computer/both?

What is the main difference?
I am new at this.

Thank you!

Comments

  • MentholMoose Senior Member Posts: 1,550 Member
    GPOs can contain user-specific settings and/or computer-specific settings. For user settings, you typically apply GPOs with user settings to OUs containing the users you want the settings to apply to. It's possible to use Loopback processing of Group Policy to have a GPO with user settings applied to an OU with computers and still have the user settings apply to the users logging into those computers. Without loopback processing, the user settings would not take effect. You'd usually do this if you have an OU with computers and you want some user settings to apply to users logging into them, but those users are in a variety of OUs. This feature mainly just provides flexibility, and what you do will depend on your OU layout and other considerations.

    Loopback processing might be useful for you, depending on the OU layout. For example, your users might be in a variety of OUs (like in OUs for each department), and you might have an OU with the laptops you want to apply wireless settings. In this case you can just apply a GPO to the laptops OU, enable loopback processing, and everyone who logs into a laptop will get those settings. The alternative would be applying the wireless GPO to all users, which might not be what you want.
    MentholMoose
    LFCE - MCITP: EDA7, VA, SA, EA - MCSA:S 2003 - CCA (PVS 5, XD 3 / 4 / 5, XS 5 / 6) - VCP 4 / 5
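
The loopback setup described in the answer above, as an added example that is not part of the original thread. It uses the GroupPolicy PowerShell module (RSAT); the GPO name and OU distinguished name are hypothetical, and the user settings themselves are assumed to be configured separately under the GPO's User Configuration.

```powershell
# Added example: GPO name and OU DN below are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName   = 'Laptops - user settings (loopback)'   # hypothetical
$LaptopsOu = 'OU=Laptops,DC=example,DC=com'         # hypothetical: holds computer accounts

# Loopback is a computer-side policy stored under this key.
# UserPolicyMode: 1 = Merge   (the user's own GPOs, then user settings from the computer's GPOs)
#                 2 = Replace (only user settings from GPOs in the computer's scope)
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

New-GPO -Name $GpoName -Comment 'User settings applied to anyone logging on to laptops' | Out-Null

Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Link to the OU containing the computers, not the OUs containing the users.
New-GPLink -Name $GpoName -Target $LaptopsOu -LinkEnabled Yes | Out-Null

# Check: for every GPO that reaches the OU (linked or inherited), report
# whether it enables loopback, so an unexpected Replace mode is visible.
(Get-GPInheritance -Target $LaptopsOu).InheritedGpoLinks | ForEach-Object {
    $mode = 'Not set'
    try {
        $v = Get-GPRegistryValue -Guid $_.GpoId -Key $LoopbackKey `
                -ValueName 'UserPolicyMode' -ErrorAction Stop
        $mode = switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($($v.Value))" } }
    } catch {
        # The GPO does not define the loopback value; leave 'Not set'.
    }
    [pscustomobject]@{
        Order    = $_.Order
        Gpo      = $_.DisplayName
        Enabled  = $_.Enabled
        Enforced = $_.Enforced
        Loopback = $mode
    }
}

# On a laptop in the OU, after 'gpupdate /force' and a fresh logon,
# 'gpresult /r /scope user' lists the GPOs applied to the user.
```

In Replace mode the user's own GPOs are ignored on those machines, so the report is worth reviewing before linking a second loopback GPO higher in the tree.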
  • NullCode Posts: 73 Member
    Thank you MentholMoose, you really helped me.
  • ltgenspecific Posts: 96 Member
    Menthol, I hope you're a highly compensated Admin bc that read like a text book.

    EDIT: Or I could just read your sig. LoL. Carry on.
  • Devilsbane Posts: 4,212 Member
    If you are using local policy, nothing.

    If you are using Active Directory and linking to an OU then it means everything. If you link a policy to an OU full of user accounts but only configure computer settings, nothing is going to happen. Vice versa, if you link a policy with only user policies to an OU full of users, then still nothing is going to happen.

    Then of course there is loopback processing like Menthol said that can be useful from time to time. Also don't forget that if a user setting and a computer setting conflict, the computer setting wins.

    For example, say that you have configured the user to allow changing the desktop but restrict the computer, even though the user can change his desktop on every other computer, he won't be able to on that one.
    Decide what to be and go be it.
  • MentholMoose Senior Member Posts: 1,550 Member
    Devilsbane wrote: »
    Also don't forget that if a user setting and a computer setting conflict, the computer setting wins.

    For example, say that you have configured the user to allow changing the desktop but restrict the computer, even though the user can change his desktop on every other computer, he won't be able to on that one.
    Good point, just one nitpick, though: I don't think your example is valid. Not all user policies have equivalent computer policies, and I don't think there is a computer policy for desktop wallpaper. In the case that you want to enforce wallpaper on some computers, you could create a GPO with the wallpaper user policy configured along with loopback processing, and apply it to the OU/Site/Domain containing those computers. :)
  • Devilsbane Posts: 4,212 Member
    I didn't say it was a good example, just something that came to mind. And you are right, control panel is only a user setting.
  • MentholMoose Senior Member Posts: 1,550 Member
    Devilsbane wrote: »
    I didn't say it was a good example, just something that came to mind. And you are right, control panel is only a user setting.
    Yeah I know, I didn't mean to call you out on it, I just wanted to point out that not all policies exist for both user and computers.