No, you can have layers of user policies, and OUs, and change settings "later", filter by groups etc.
The problem with this approach is, once you set a setting, there's no way to get them back to not configured. If you enable something, later on you have to disable it. This is not desirable in some cases as it's not very user friendly. There is no way for a user to change a setting when enforced either way by policy.

John

"Rosales, Mario" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/12/2004 10:37 AM
Please respond to [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] OU and Policies

So no matter what you do if you want to override user settings you have to use loopback policies?

Sorry if I repeat myself I just want to make sure I understand this properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Friday, November 12, 2004 9:46 AM
To: ActiveDir List
Subject: Re: [ActiveDir] OU and Policies

OK, this is getting a bit convoluted, so let me see if I get what you are asking:

If you have:

OU1, with User_GPO1 linked, containing a user object User1

And

OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1

These are not nested (meaning, OU1 and OU2 are peers in your structure)

User1 logs on to PC1.

Would creating and linking a new policy at OU2 (let's call it User_GPO2) allow you to offset the user settings you are getting from User_GPO1 when User1 logs into PC1?

The answer is no. User policies apply from the GPO structure to which the user belongs, not the PC.

Having said that, the loopback suggestion does get you around this. Without loopback, the User in OU1 is still going to get his GPOs applied (well, the User portion of them, anyhow).

On 11/12/04 9:52 AM, "Rosales, Mario" <[EMAIL PROTECTED]> wrote:

> I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those setting set to something different? That will override correct?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Friday, November 12, 2004 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OU and Policies
>
> Ok. Did you not expect the user policy to still apply? The user is not in OU2.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
> Sent: Friday, November 12, 2004 9:26 AM
> To: Rosales, Mario; '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OU and Policies
>
> This is the correction
>
> MAINOU->OU1
> MAINOU->OU2 <-Block Policy Inheritance)
>
> MAINOUT-> USER POLICY (Lock Down ScreenSaver Settin COMPUTER
> MAINOUT-> POLICY(Other Policy Settings) Enforced
>
> user1 in OU1
> Computer1 in ou2
>
> When user1 logs in - the settings of User Policy still apply.
>
> -----Original Message-----
> From: Rosales, Mario
> Sent: Friday, November 12, 2004 8:25 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OU and Policies
>
> Correction
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
> Sent: Friday, November 12, 2004 8:06 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] OU and Policies
>
> Ok have a question hopefully some of you out there could help me out.
>
> We have
>
> MAINOU->OU1
> MAINOU->OU2 <-Block Policy Inheritance)
>
> MAINOUT-> USER POLICY (Lock Down ScreenSaver Settin COMPUTER POLICY
> MAINOUT-> (Other Policy Settings) Enforced
>
> user1 in OU1
> Computer1 in ou2
>
> When user1 logs in - the settings of User Policy still apply.
>
> Am I doing something wrong?
>
> Hope that makes sense
>
> Thanks,
> Mario
>
> ***************************************************************************
> The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material.
> If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.
> ***************************************************************************
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
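
The scoping behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of which GPOs supply a user's settings with and without loopback processing. The OU layout follows the thread; the GPO names, the `ScreenSaverLocked` key, and the assumption that the MAINOU user policy link is not enforced are illustrative.

```python
# Added illustration: simplified model of Group Policy user-side scoping.
# Layout is constructed from the thread; GPO names and the "ScreenSaverLocked"
# key are hypothetical, and the MAINOU user policy link is assumed not enforced.
PARENT = {"MAINOU": None, "OU1": "MAINOU", "OU2": "MAINOU"}
BLOCK_INHERITANCE = {"OU2"}
# container -> [(GPO name, link enforced?)]
LINKS = {
    "MAINOU": [("UserPolicy", False), ("ComputerPolicy", True)],
    "OU2": [("User_GPO2", False)],   # the extra GPO proposed in the thread
}
# User Configuration half of each GPO (ComputerPolicy has none).
USER_SETTINGS = {
    "UserPolicy": {"ScreenSaverLocked": True},
    "User_GPO2": {"ScreenSaverLocked": False},
}

def gpos_in_scope(container):
    """GPOs that reach objects in `container`, lowest precedence first."""
    normal, enforced, blocked = [], [], False
    while container:                       # walk from the object's OU to the root
        for name, is_enforced in LINKS.get(container, []):
            if is_enforced:
                enforced.append(name)      # enforced links ignore block inheritance
            elif not blocked:
                normal.append(name)
        blocked = blocked or container in BLOCK_INHERITANCE
        container = PARENT[container]
    # Nearest non-enforced GPO applies last; enforced GPOs apply after all of them.
    return normal[::-1] + enforced

def user_settings(user_ou, computer_ou, loopback=None):
    """Resultant user settings; loopback is None, "merge" or "replace"."""
    if loopback == "replace":
        order = gpos_in_scope(computer_ou)             # user's own GPOs ignored
    elif loopback == "merge":                          # simplified: computer scope wins
        order = gpos_in_scope(user_ou) + gpos_in_scope(computer_ou)
    else:
        order = gpos_in_scope(user_ou)                 # computer's OU is irrelevant
    result = {}
    for name in order:
        result.update(USER_SETTINGS.get(name, {}))     # later GPO wins
    return result

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, user_settings("OU1", "OU2", mode))
```

Without loopback the GPO linked at OU2 never reaches user1, and the block on OU2 only filters the computer's chain, which is why it matters for user settings only once loopback is on.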