Well, it depends... If you wish all your terminal servers to get the same policy, just put them all in one OU...
Apply the policy there, and you're set. If you have multiple different policies to apply, you may need more OUs. Policies have a "scope"... It's kind of like it has to be over the object, user or computer. So, if you have a TS OU, and the users and computers aren't nested under that same structure, you can control what policy they get only when they TS.

John

"Rosales, Mario" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Date: 11/13/2004 10:24 AM
Subject: RE: [ActiveDir] OU and Policies
Please respond to: [EMAIL PROTECTED]

Thank you everyone for the information.

So if loopback is the only option here, how do you handle doing loopbacks for multiple servers? Do you create a local loopback policy on all the computers you want affected and then set up the Computer OU (OU2) with a GPO with the instructions listed here -> http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

I am assuming there is no way to do it through AD without having to touch each Citrix server, correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Friday, November 12, 2004 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

So there are a few things going on here of which you should be aware.

First, GPOs applied to users take precedence over GPOs applied to computers. The general concept is that "closest" policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies.

Second, block inheritance only blocks it for the objects within the OU (and the child OUs). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, it's working exactly as it should.

Finally, you mentioned Citrix.
I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPOs, and basically it will force the computer policy to override the users' policies. It's not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do.

--------
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rosales, Mario
> Sent: Friday, November 12, 2004 6:33 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OU and Policies
>
> So are you saying that cannot be done? Then how do you handle Citrix servers?
>
> For example, users logging into their computer should have the settings from both policies, but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
> Sent: Friday, November 12, 2004 8:25 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OU and Policies
>
> Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rosales, Mario
> Sent: Friday, November 12, 2004 9:06 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] OU and Policies
>
> Ok, have a question, hopefully some of you out there could help me out.
>
> We have
>
> MAINOU->OU1
> MAINOU->OU2 <-Block Policy Inheritance
>
> MAINOUT-> USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY
> MAINOUT-> (Other Policy Settings) Enforced
>
> user1 in OU1
> Computer1 in ou2
>
> When user1 logs in - the settings of User Policy still apply.
>
> Am I doing something wrong?
>
> Hope that makes sense
>
> Thanks,
> Mario
>
> ***************************************************************************
> The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.
> ***************************************************************************
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
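
An added example, not part of the original thread: a simplified Python model of the scenario discussed above (user1 in OU1, Computer1 in OU2 with Block Inheritance), showing why the user policy still applies at logon and what loopback merge and replace change. The GPO names, the setting values, the hypothetical TS-Lockdown GPO linked to OU2, and the way merge mode orders the two lists are assumptions of the model.

```python
# Simplified model of how user-side Group Policy settings are resolved.
# Constructed data: OU names follow the thread; GPO names and setting values
# are made up. Site links, local policy and security filtering are left out.
PARENT = {"MAINOU": None, "OU1": "MAINOU", "OU2": "MAINOU"}
BLOCK_INHERITANCE = {"OU2"}

# Links per OU: (GPO name, enforced?, user-side settings carried by the GPO)
LINKS = {
    "MAINOU": [("UserPolicy", False, {"ScreenSaver": "locked", "Wallpaper": "corp"}),
               ("ComputerPolicy", True, {})],
    "OU1": [],
    "OU2": [("TS-Lockdown", False, {"ScreenSaver": "off", "RunMenu": "hidden"})],
}

def gpo_list(ou):
    """GPOs in scope for an object in `ou`, lowest precedence first."""
    path = []
    while ou:
        path.insert(0, ou)                      # top-level OU first
        ou = PARENT[ou]
    # Block Inheritance hides non-enforced links from above the blocking OU.
    cut = max((i for i, n in enumerate(path) if n in BLOCK_INHERITANCE), default=0)
    normal = [(g, s) for n in path[cut:] for g, enf, s in LINKS[n] if not enf]
    # Enforced links ignore the block; the highest container wins, so it goes last.
    enforced = [(g, s) for n in reversed(path) for g, enf, s in LINKS[n] if enf]
    return normal + enforced

def user_settings(user_ou, computer_ou, loopback=None):
    """Resolve user settings; loopback is None, "merge" or "replace"."""
    if loopback == "replace":                   # only the computer's GPO list
        gpos = gpo_list(computer_ou)
    elif loopback == "merge":                   # computer's list applied last
        gpos = gpo_list(user_ou) + gpo_list(computer_ou)
    else:                                       # normal: the user's own OU path
        gpos = gpo_list(user_ou)
    result = {}
    for _name, settings in gpos:
        result.update(settings)                 # later GPOs overwrite earlier
    return result

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, user_settings("OU1", "OU2", mode))
```

Without loopback the block on OU2 never enters the user's GPO list, which is the behaviour reported in the original question; the loopback mode itself is a computer-side setting, so one GPO linked to the servers' OU covers every server in it.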