Well, it depends...

If you wish all your terminal servers to get the same policy, just put them
all in one OU...

Apply the policy there, and you're set.

If you have multiple different policies to apply, you may need more OUs.

Policies have a "scope"... It's kind of like it has to be over the object,
user or computer. So, if you have a TS OU, and the users and computers
aren't nested under that same structure, you can control what policy they
get only when they TS.

John



From: "Rosales, Mario" <[EMAIL PROTECTED]com>
Sent by: [EMAIL PROTECTED]ail.activedir.org
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Date: 11/13/2004 10:24 AM
Subject: RE: [ActiveDir] OU and Policies
Please respond to: [EMAIL PROTECTED]tivedir.org

Thank you everyone for the information.

So if loopback is the only option here, how do you handle doing loopbacks
for multiple servers?  Do you create a local loopback policy on all the
computers you want affected and then set up the Computer OU (OU2) with a GPO
with the instructions listed here ->
http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

I am assuming there is no way to do it through AD without having to touch
each Citrix server, correct?


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad
Sent: Friday, November 12, 2004 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies


So there are a few things going on here of which you should be aware.

First, GPOs applied to users take precedence over GPOs applied to
computers. The general concept is that "closest" policy applies last. By
that I mean the default domain policy is applied first, then walking down
the OU hierarchy, and at the same level the computer policies get applied
before the user policies.

Second, block inheritance only blocks it for the objects within the OU (and
the child OUs). So, you're only blocking inheritance to objects which exist
in OU2. Since that's the computer only, and the computer settings get
applied before the user settings, it's working exactly as it should.

Finally, you mentioned Citrix. I'm guessing what you're really trying to
accomplish is controlling users' rights when logged into a specific set of
machines only. What you want is called Loopback processing. It's one of the
other options for GPOs, and basically it will force the computer policy to
override the users' policies. It's not quite that simple, and it does have
some drawbacks from what I remember. But that's what you're looking to do.

--------
Roger Seielstad
E-mail Geek & MS-MVP
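Roger's description of loopback processing and Mario's question about applying it to many servers, as an added example that is not from this thread: a single GPO linked to the terminal-server OU carries the loopback setting (so no individual server is touched), followed by a check of the resulting mode on each server. The GPO name, OU distinguished name and server names are placeholders, and it assumes the RSAT GroupPolicy module and WinRM access to the servers.

```powershell
# Added example, not from the thread. Placeholders: GPO name, OU DN, server names.
# Requires the RSAT GroupPolicy module and WinRM (Invoke-Command) on the servers.
Import-Module GroupPolicy

$gpoName = 'TS-Loopback'                              # placeholder
$tsOu    = 'OU=TerminalServers,DC=example,DC=com'     # placeholder DN
$servers = @('TS01', 'TS02')                          # placeholder names

# 1. One GPO, linked once to the OU that holds the terminal-server computer accounts.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $tsOu | Out-Null
}

# 2. Loopback is a computer-side registry policy:
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#    1 = Merge   (user's own GPOs apply, then user settings of GPOs linked to
#                 the TS OU apply again and win on conflict)
#    2 = Replace (only user settings from GPOs linked to the TS OU apply)
#    The lockdown user settings themselves (e.g. the screensaver policy) must
#    live in a GPO linked to the same TS OU for either mode to pick them up.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. After gpupdate or the next refresh, verify the mode each server ended up
#    with; an absent value means loopback is not configured on that machine.
$modeNames = @{ 1 = 'Merge'; 2 = 'Replace' }
$report = Invoke-Command -ComputerName $servers -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode `
            -ErrorAction SilentlyContinue).UserPolicyMode
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; UserPolicyMode = $v }
}
foreach ($r in $report) {
    $mode = if ($null -eq $r.UserPolicyMode) { 'Not configured' }
            else { $modeNames[[int]$r.UserPolicyMode] }
    '{0}: loopback = {1}' -f $r.Computer, $mode
}
```

`gpresult /r /scope computer` on a server shows which GPOs delivered the setting if a server reports a mode other than the one expected.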

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Rosales, Mario
> Sent: Friday, November 12, 2004 6:33 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OU and Policies
>
> So are you saying that cannot be done?  Then how do you
> handle Citrix servers?
>
> For example users logging into their computer should have the
> settings from both policies but if they log into a Terminal
> type server, how do you override that setting?  Create an
> entire new User Policy?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Friday, November 12, 2004 8:25 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OU and Policies
>
> Wow.  Can you reword that?  I think you're saying that you have
> a user in one OU, and a computer account in another with the
> policy blocked.  You want to know why user policy is being
> applied to a user using a computer that is in an OU with
> blocked policy (now you have me doing it :), right?
>
> Al
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Rosales, Mario
> Sent: Friday, November 12, 2004 9:06 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] OU and Policies
>
> Ok, I have a question; hopefully some of you out there could help me out.
>
> We have
>
> MAINOU->OU1
> MAINOU->OU2 <-Block Policy Inheritance
>
> MAINOU-> USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY
> MAINOU-> (Other Policy Settings) Enforced
>
> user1 in OU1
> Computer1 in ou2
>
> When user1 logs in - the settings of User Policy still apply.
>
> Am I doing something wrong?
>
> Hope that makes sense
>
> Thanks,
> Mario
>
>
> **************************************************************
> *************
>  The contents of this communication are intended only for the
> addressee and may contain confidential and/or privileged
> material. If you are not the intended recipient, please do
> not read, copy, use or disclose this communication and notify
> the sender.  Opinions, conclusions and other information in
> this communication that do not relate to the official
> business of my company shall be understood as neither given
> nor endorsed by it.
> **************************************************************
> *************
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
