Enabling/Disabling GPO Nodes

Dracula28 Senior Member Member Posts: 232
On Server 2008 R2, one can disable Computer configuration or user configuration settings by going to the details tab of the GPO.

You can choose Computer Configuration Settings disabled or User Configuration Settings Disabled, if you want, but what is the effect of setting these settings?

According to the training kit (second edition, page 290), the following happens:

Computer Configuration Settings Disabled - During computer policy refresh, computer configuration settings in the GPO will not be applied. The GPO will not be processed during user policy refresh.

User Configurations Settings Disabled - During user policy refresh, user configuration settings in the GPO will not be applied. The GPO will not be processed during computer policy refresh.

But doesn't that just mean the GPO is not applied, no matter which setting you set? If disable computer config settings is set, then the computer related settings will not be applied. Which is fine, but according to Microsoft the GPO will not be processed during user policy refresh, in other words the user related settings will not be applied either, thus the GPO is not applied at all? The same goes for using the other option? According to the TK there is no difference between these two settings, and the All settings disabled setting, the GPO is not applied either way.

Is the training kit wrong, or am I missing something?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)

Comments

  • Dracula28 Senior Member Member Posts: 232
    Here is another GPO related question, on page 293 it says that settings in the Computer config node usually override the settings in the user config node, but how can it do that, when user configuration is usually processed last? A mistake by the authors?
    Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
  • hennrizzler Subject Matter Apprentice Member Posts: 23
    I think the wording isn't very great. It probably means:

    Computer Configuration Settings Disabled - During computer policy refresh, computer configuration settings in the GPO will not be applied. The GPO (computer side settings) will not be processed during user policy refresh.

    User Configurations Settings Disabled - During user policy refresh, user configuration settings in the GPO will not be applied. The GPO (user side settings) will not be processed during computer policy refresh.

    These settings tend to be used in troubleshooting scenarios when you have a monolithic GPO (all settings, both users and computer policies in one GPO) and are trying to find out why your policies are behaving in a certain way. Try the settings in a lab - it's the best way to see.

    Regarding processing order, I'm assuming you are talking about the computer loopback processing policy? It could be that you want certain policies to apply back again after the user pass such as when using conference room computers etc. I'd look up more on policy loopback processing to learn more about when it's used.

    Check out devilbane's post:

    http://www.techexams.net/forums/server-70-290/25141-gpo-loopback-mode.html

    Royal also posts a good scenario:

    http://www.techexams.net/forums/ad-infra-70-294/19637-help-me-out-loopback-processing.html
  • Dracula28 Senior Member Member Posts: 232
    I think the wording isn't very great. It probably means:

    Computer Configuration Settings Disabled - During computer policy refresh, computer configuration settings in the GPO will not be applied. The GPO (computer side settings) will not be processed during user policy refresh.

    User Configurations Settings Disabled - During user policy refresh, user configuration settings in the GPO will not be applied. The GPO (user side settings) will not be processed during computer policy refresh.

    These settings tend to be used in troubleshooting scenarios when you have a monolithic GPO (all settings, both users and computer policies in one GPO) and are trying to find out why your policies are behaving in a certain way. Try the settings in a lab - it's the best way to see.

    Isn't the default behaviour that settings in the computer configuration node are not processed during user policy refresh and vice versa? So I guess when both users and computers reside in one OU, and both user and computer settings are in the same GPO, then these settings can be applied. Otherwise they are pretty much of no use? Because what they are doing is to disable that GPO for the computer or user side settings.
    Regarding processing order, I'm assuming you are talking about the computer loopback processing policy?

    No, they don't mean loopback policy processing, because that is mentioned on page 294, while what I wrote is mentioned on page 293; that's why I find it strange that they claim computer settings override user settings, because it's the latter that is applied/processed last.
    Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
  • Claymoore Nidhoggr, the Net Serpent Member Posts: 1,637
    Dracula28 wrote: »
    Here is another GPO related question, on page 293 it says that settings in the Computer config node usually override the settings in the user config node, but how can it do that, when user configuration is usually processed last? A mistake by the authors?

    Some settings are available as both Computer and User settings. In the case where both are configured, the settings on the Computer GPO override the settings in the User GPO. Both the user and computer GPOs are processed separately, the settings are determined, and then if there are conflicts, there needs to be a simple way to determine the settings so they let the computer win.
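
An added example, not written by any poster in this thread: a PowerShell report of which node of each GPO is still processed under its status setting, flagging a disabled node that still holds settings. The function name and sample GPO names are constructed for illustration; the sample objects only mimic the `DisplayName`, `GpoStatus`, `Computer.DSVersion` and `User.DSVersion` properties that `Get-GPO` returns.

```powershell
# Added example; requires PowerShell 3.0 or later. Input objects need the properties
# Get-GPO returns: DisplayName, GpoStatus, Computer.DSVersion, User.DSVersion.
function Get-GpoNodeReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Gpo
    )
    process {
        $status = [string]$Gpo.GpoStatus
        # Each "disabled" status switches off its own node only.
        $computerOn = $status -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled'
        $userOn     = $status -notin 'UserSettingsDisabled', 'AllSettingsDisabled'
        # DSVersion 0 means that node has never been edited.
        $computerEdited = $Gpo.Computer.DSVersion -gt 0
        $userEdited     = $Gpo.User.DSVersion -gt 0
        $notes = @()
        if ($computerEdited -and -not $computerOn) { $notes += 'computer settings present but not applied' }
        if ($userEdited -and -not $userOn)         { $notes += 'user settings present but not applied' }
        if ($computerOn -and -not $computerEdited) { $notes += 'empty computer node still enabled' }
        if ($userOn -and -not $userEdited)         { $notes += 'empty user node still enabled' }
        [pscustomobject]@{
            Name              = $Gpo.DisplayName
            Status            = $status
            ComputerProcessed = $computerOn -and $computerEdited
            UserProcessed     = $userOn -and $userEdited
            Notes             = $notes -join '; '
        }
    }
}

# Constructed sample objects (hypothetical GPO names), shaped like Get-GPO output.
function New-SampleGpo($Name, $Status, $ComputerVersion, $UserVersion) {
    [pscustomobject]@{
        DisplayName = $Name
        GpoStatus   = $Status
        Computer    = [pscustomobject]@{ DSVersion = $ComputerVersion }
        User        = [pscustomobject]@{ DSVersion = $UserVersion }
    }
}
$sample = @(
    (New-SampleGpo 'Lab-Monolithic'   'ComputerSettingsDisabled' 4 2),
    (New-SampleGpo 'Lab-UserOnly'     'AllSettingsEnabled'       0 7),
    (New-SampleGpo 'Lab-ComputerOnly' 'UserSettingsDisabled'     3 0)
)
$sample | Get-GpoNodeReport | Format-Table -AutoSize

# On a domain-joined host with the GroupPolicy module:
# Get-GPO -All | Get-GpoNodeReport | Where-Object Notes
```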