Re: [ActiveDir] OU and Policies
Doh! You should have stuck to your guns James!

My only defence is that I had never actually used User components in site policies before. I have now and agree that the User does receive the User based settings that exist in the policies connected to the site.

Alan C

----- Original Message -----
From: Jeff Salisbury [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 5:26 AM
Subject: RE: [ActiveDir] OU and Policies

I use Site GPOs extensively to have Site-specific logon scripts run. I just double-checked, and the logon/logoff script settings are definitely in the User portion of the GPO.

If I remember correctly, the computer determines what site it is in during GPO processing, and applies any associated Site GPO objects. This includes both parts of Site GPOs. In our case the logon script associated with the Site is launched from the User portion of the GPO, and maps the drives appropriate for that site.

User settings in Domain or OU policies will be applied after settings from the Site GPO, so they may override whatever User or Computer settings you are trying to apply in the Site GPO (Local-Site-Domain-OU...).

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
www.belkin.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, November 12, 2004 2:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and Policies

Thanks for pointing out my boneheadedness - site policies will apply on the computer but do not apply to the user because, obviously, a user will never be part of an ip subnet. The site policies would work well for applying laptop settings for travelling laptops, not for setting user settings for multiple machines.

Sorry for any confusion I caused during my caffeine lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies

Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want

The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU

If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that site policies do is add another set of policies that the machines receive. It does not affect the user settings

Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir2f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir2f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com
RE: [ActiveDir] OU and Policies
Well, it depends...

If you wish all your terminal servers to get the same policy, just put them all in one OU... Apply the policy there, and you're set. If you have multiple different policies to apply, you may need more OU's.

Policies have a scope ...It's kind of like it has to be over the object, user or computer. So, if you have a TS OU, and the users and computers aren't nested under that same structure, you can control what policy they get only when they TS.

John

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 10:24 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]'
cc:
Subject: RE: [ActiveDir] OU and Policies

Thank you everyone for the information. So if loopback is the only option here. How do you handle doing loopbacks for multiple servers? Do you create a local loopback policy on all the computers you want affected and then Setup the Computer OU (OU2) with a gpo with the instructions listed here - http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

I am assuming there is no way to do it through AD without having to touch each citrix server, Correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad
Sent: Friday, November 12, 2004 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

So there are a few things going on here of which you should be aware.

First, GPO's applied to users take precedence over GPO's applied to computers. The general concept is that closest policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies.

Second, block inheritance only blocks it for the objects within the OU (and the child OUs). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, it's working exactly as it should.

Finally, you mentioned Citrix. I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPO's, and basically it will force the computer policy to override the users' policies. It's not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do.

Roger Seielstad
E-mail Geek
MS-MVP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 6:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have
Re: [ActiveDir] OU and Policies
Thanks for pointing out my boneheadedness - site policies will apply on the computer but do not apply to the user because, obviously, a user will never be part of an ip subnet. The site policies would work well for applying laptop settings for travelling laptops, not for setting user settings for multiple machines.

Sorry for any confusion I caused during my caffeine lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies

Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want

The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU

If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that site policies do is add another set of policies that the machines receive. It does not affect the user settings

Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir2f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir2f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

----- Original Message -----
From: Rosales, Mario [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November 13, 2004 4:16 AM
Subject: RE: [ActiveDir] OU and Policies

So In your previous e-mail you said split the sites but do we really want to do that?

So if I were trying to do the terminal server policies. For Site I could do a User Policy Then for the terminal servers I create the ou and put the User Policy settings I want at that ou. That will override the OU Settings at the site level?

Did I understand that correctly?

Thanks,
Mario

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 10:49 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Hi Mario

Either Loopback policies or Site policies. Site policies will work based on the site (determined by the IP Subnet) of the computer the user logs into. They will be overwritten by OU GPOs or domain GPOs but they will give you the option of two separate user policies for the same user.

Regards;

James R. Day
RE: [ActiveDir] OU and Policies
Well everyone, after all the questions and answers, I finally have it figured out. I appreciate all the help everyone has given me. Whew, I feel like I just went through my College final exams!

THANKS FOR YOUR HELP EVERYONE!!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 4:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and Policies

Thanks for pointing out my boneheadedness - site policies will apply on the computer but do not apply to the user because, obviously, a user will never be part of an ip subnet. The site policies would work well for applying laptop settings for travelling laptops, not for setting user settings for multiple machines.

Sorry for any confusion I caused during my caffeine lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies

Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want

The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU

If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that site policies do is add another set of policies that the machines receive. It does not affect the user settings

Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir2f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir2f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

----- Original Message -----
From: Rosales, Mario [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November 13, 2004 4:16 AM
Subject: RE: [ActiveDir] OU and Policies

So In your previous e-mail you said split the sites but do we really want to do that?

So if I were trying to do the terminal server policies. For Site I could do a User Policy Then for the terminal servers I create the ou and put the User Policy settings I want at that ou. That will override the OU Settings at the site level?

Did I understand that correctly?

Thanks,
Mario

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 10:49 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Hi Mario

Either Loopback policies or Site policies. Site policies will work based on the site (determined by the IP Subnet) of the computer the user logs into. They will be overwritten by OU
RE: [ActiveDir] OU and Policies
I use Site GPOs extensively to have Site-specific logon scripts run. I just double-checked, and the logon/logoff script settings are definitely in the User portion of the GPO.

If I remember correctly, the computer determines what site it is in during GPO processing, and applies any associated Site GPO objects. This includes both parts of Site GPOs. In our case the logon script associated with the Site is launched from the User portion of the GPO, and maps the drives appropriate for that site.

User settings in Domain or OU policies will be applied after settings from the Site GPO, so they may override whatever User or Computer settings you are trying to apply in the Site GPO (Local-Site-Domain-OU...).

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
www.belkin.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, November 12, 2004 2:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and Policies

Thanks for pointing out my boneheadedness - site policies will apply on the computer but do not apply to the user because, obviously, a user will never be part of an ip subnet. The site policies would work well for applying laptop settings for travelling laptops, not for setting user settings for multiple machines.

Sorry for any confusion I caused during my caffeine lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies

Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want

The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU

If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that site policies do is add another set of policies that the machines receive. It does not affect the user settings

Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir2f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir2f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Confidential This e-mail and any files transmitted
RE: [ActiveDir] OU and Policies
Thank you everyone for the information. So if loopback is the only option here. How do you handle doing loopbacks for multiple servers? Do you create a local loopback policy on all the computers you want affected and then Setup the Computer OU (OU2) with a gpo with the instructions listed here - http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

I am assuming there is no way to do it through AD without having to touch each citrix server, Correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad
Sent: Friday, November 12, 2004 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

So there are a few things going on here of which you should be aware.

First, GPO's applied to users take precedence over GPO's applied to computers. The general concept is that closest policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies.

Second, block inheritance only blocks it for the objects within the OU (and the child OUs). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, it's working exactly as it should.

Finally, you mentioned Citrix. I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPO's, and basically it will force the computer policy to override the users' policies. It's not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do.

Roger Seielstad
E-mail Geek
MS-MVP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 6:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance
MAINOUT- USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY
MAINOUT- (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong?

Hope that makes sense

Thanks,
Mario

***
The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.
***

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OU and Policies
Hi Mario,

Maybe this is why you thought it was so hard! There is a policy under Machine/ADM Templates/System/Group Policy called Use Group Policy LoopBack Mode. It all works easy then! Have a look at the Explanation provided for the policy.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

----- Original Message -----
From: Rosales, Mario [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 14, 2004 3:24 AM
Subject: RE: [ActiveDir] OU and Policies

Thank you everyone for the information. So if loopback is the only option here. How do you handle doing loopbacks for multiple servers? Do you create a local loopback policy on all the computers you want affected and then Setup the Computer OU (OU2) with a gpo with the instructions listed here - http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

I am assuming there is no way to do it through AD without having to touch each citrix server, Correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad
Sent: Friday, November 12, 2004 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

So there are a few things going on here of which you should be aware.

First, GPO's applied to users take precedence over GPO's applied to computers. The general concept is that closest policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies.

Second, block inheritance only blocks it for the objects within the OU (and the child OUs). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, it's working exactly as it should.

Finally, you mentioned Citrix. I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPO's, and basically it will force the computer policy to override the users' policies. It's not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do.

Roger Seielstad
E-mail Geek
MS-MVP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 6:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance
MAINOUT- USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY
MAINOUT- (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong?

Hope that makes sense

Thanks,
Mario

***
The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.
***

List info : http://www.activedir.org
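
The processing rules discussed in this thread (Site-Domain-OU order, Block Policy Inheritance, Enforced links, loopback MERGE and REPLACE) applied to Mario's layout, as an added example that is not part of any poster's message. The GPO names `CITRIX USER LOCKDOWN` and `SITE LOGON SCRIPT`, the site name `Site-A` and the choice of which link is Enforced are assumptions; the model leaves out the local GPO, security filtering and link order within one container.

```python
"""Simplified model of which GPOs supply a user's settings (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Link:
    gpo: str
    enforced: bool = False  # "No Override" in the Windows 2000-era tools


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def gpo_list(location: Container, site: Optional[Container] = None) -> List[str]:
    """GPOs in processing order for an object in `location`; the last one wins."""
    levels = []
    node = location
    while node is not None:          # walk up from the OU to the domain
        levels.insert(0, node)
        node = node.parent
    if site is not None:             # site GPOs are processed before domain GPOs
        levels.insert(0, site)

    # Block Inheritance hides non-enforced links from every level above it.
    first_visible = max(
        (i for i, c in enumerate(levels) if c.block_inheritance), default=0
    )
    normal, enforced = [], []
    for i, container in enumerate(levels):
        forced = [l.gpo for l in container.links if l.enforced]
        enforced = forced + enforced  # higher-level enforced links end up last
        if i >= first_visible:
            normal += [l.gpo for l in container.links if not l.enforced]
    return normal + enforced


def user_gpos(user_ou, computer_ou, site=None, loopback=None) -> List[str]:
    """GPOs whose User Configuration applies at logon.

    `site` is the site of the computer being logged on to.
    loopback: None, "merge" or "replace" (set in a GPO applied to the computer).
    """
    own = gpo_list(user_ou, site)
    if loopback is None:
        return own
    from_computer = gpo_list(computer_ou, site)
    if loopback == "replace":
        return from_computer
    if loopback == "merge":
        combined = own + from_computer   # computer-side list is processed last
        # Show each GPO once, at the position of its last (winning) pass.
        return [g for i, g in enumerate(combined) if g not in combined[i + 1:]]
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def build_scenario():
    """Mario's layout, plus assumed names for the site and the Citrix GPO."""
    domain = Container("domain")
    main = Container("MAINOU", domain, [
        Link("USER POLICY"),                     # screensaver lock-down
        Link("COMPUTER POLICY", enforced=True),  # assumption: this link is Enforced
    ])
    ou1 = Container("OU1", main)                 # holds user1
    ou2 = Container("OU2", main,                 # holds Computer1
                    [Link("CITRIX USER LOCKDOWN")],  # hypothetical loopback GPO
                    block_inheritance=True)
    site = Container("Site-A", links=[Link("SITE LOGON SCRIPT")])  # hypothetical
    return ou1, ou2, site


if __name__ == "__main__":
    ou1, ou2, site = build_scenario()
    for mode in (None, "merge", "replace"):
        print(f"loopback={mode}: {user_gpos(ou1, ou2, site, mode)}")
```

Without loopback, `USER POLICY` stays in user1's list because Block Policy Inheritance on OU2 only affects objects located in OU2; with REPLACE it drops out, and the site GPO is also hidden because the block on OU2 now governs the user-side list.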
RE: [ActiveDir] OU and Policies
Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong?

Hope that makes sense

Thanks,
Mario

***
The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.
***

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OU and Policies
Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance
MAINOUT- USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY
MAINOUT- (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong?

Hope that makes sense

Thanks,
Mario

***
The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it.
***

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OU and Policies
This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-Original Message-
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction
RE: [ActiveDir] OU and Policies
So are you saying that cannot be done? Then how do you handle Citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al
RE: [ActiveDir] OU and Policies
Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.
RE: [ActiveDir] OU and Policies
When User1 logs into Computer1, User Policy still applies to the user logged into Computer1. Does that help?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al
RE: [ActiveDir] OU and Policies
Hi Mario

From what you have written, you are blocking inheritance on OU2 but the user is in OU1. The GPO is applied at MAINOU, will be inherited by all objects in OU1, but not by any objects in OU2. The computer policy is enforced so it is inherited by all objects in OU2 that are computers. The user policy is applied above and is inherited by all objects that are users in OU1.

If you want to block the user policy, either block inheritance at OU1, or put the user in OU2.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 08:26 AM CST
Please respond to ActiveDir

To: Rosales, Mario [EMAIL PROTECTED], '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.
RE: [ActiveDir] OU and Policies
Hi Mario

You could always use a site policy to apply the user settings. Any user that authenticates from the AD site X gets the user policy while any user that authenticates in any other site does not. You could then put the subnet with your Citrix server in a different site, use the Site coverage settings to make your DC cover both sites and voila.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 08:33 AM CST
Please respond to ActiveDir

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle Citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?
RE: [ActiveDir] OU and Policies
On terminal servers, loopbacks work well. Makes the user settings apply to the computer.

John

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 08:33 AM
Please respond to [EMAIL PROTECTED]

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle Citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?
RE: [ActiveDir] OU and Policies
I think Mario is looking for http://support.microsoft.com/kb/260370/EN-US/

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Fri 11/12/2004 6:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.
RE: [ActiveDir] OU and Policies
I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those settings set to something different? That will override, correct?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.
RE: [ActiveDir] OU and Policies
I know I am replying to different people and I apologize. We did do a loopback on the Citrix servers but it does not seem to be overriding. Is there something in particular that I have to do that I am missing?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

On terminal servers, loopbacks work well. Makes the user settings apply to the computer.

John
RE: [ActiveDir] OU and Policies
Since the computer (not the user) is in OU2 with inheritance blocked, you are only preventing the user from getting the computer policy. Based on what you have set up, the user will get the user policy no matter what OU his computer is in. The results you are getting are consistent with what you have configured, so perhaps you can tell us what you are trying to accomplish. :-)

Michael Parent MCSE MCT
Analyst (Microsoft Web / Directory Services)
CGI
(902) 453-7300 x3456

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 10:24 AM
Please respond to ActiveDir
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
Loopbacks can be set on either merge or replace. replace is probably what you need.

John

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 08:54 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OU and Policies

I know I am replying to different people and I apologize. We did do a loopback on the Citrix servers but it does not seem to be overriding. Is there something in particular that I have to do that I am missing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

On terminal servers, loopbacks work well. Makes the user settings apply to the computer.

John

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 08:33 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance
MAINOUT- USER POLICY (Lock Down ScreenSaver Setting)
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
There you go again with that confounded thinking ;) You're probably right though sigh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

I think Mario is looking for http://support.microsoft.com/kb/260370/EN-US/

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Fri 11/12/2004 6:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
Hi Mario

Short of using Loopback, user GPOs apply on all users inside the OU at which the GPO is applied. IE:

OU1 -GPO1
OU2 - GPO2
User 1 is in OU1
User 2 is in OU2

User1 will then get the GPO1 regardless where he logs in from because his user account is in OU1. User2 will always get GPO2 for the same reason.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 08:52 AM CST
Please respond to ActiveDir
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] OU and Policies

I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those setting set to something different? That will override correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
Don't blame me. It's the voices in my head ;-p

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Fri 11/12/2004 7:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

There you go again with that confounded thinking ;) You're probably right though sigh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

I think Mario is looking for http://support.microsoft.com/kb/260370/EN-US/

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Fri 11/12/2004 6:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
Re: [ActiveDir] OU and Policies
OK, this is getting a bit convoluted, so let me see if I get what you are asking:

If you have:
OU1, with User_GPO1 linked, containing a user object User1
And OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1
These are not nested (meaning, OU1 and OU2 are peers in your structure)

User1 logs on to PC1. Would creating and linking a new policy at OU2 (let's call it User_GPO2) allow you to offset the user settings you are getting from User_GPO1 when User1 logs into PC1.

The answer is no. User policies apply from the GPO structure to which the user belongs, not the PC. Having said that, the loopback suggestion does get you around this. Without loopback, the User in OU1 is still going to get his GPOs applied (well, the User portion of them, anyhow).

On 11/12/04 9:52 AM, Rosales, Mario [EMAIL PROTECTED] wrote:

I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those setting set to something different? That will override correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
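The behaviour discussed in this thread, as a small Python model of the OU layout described above. This is an added example, not code from any poster: the setting names, the `loopback` key and the function names are made up for illustration, and site and local policy are left out.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)      # User Configuration half
    computer: dict = field(default_factory=dict)  # Computer Configuration half


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)     # [(GPO, enforced?)]
    block_inheritance: bool = False


def gpo_chain(container):
    """GPOs applying to an object in `container`, lowest precedence first."""
    path, node = [], container
    while node is not None:
        path.append(node)
        node = node.parent
    path.reverse()                                # root ... container
    normal, enforced = [], []
    for node in path:
        if node.block_inheritance:
            normal = []                           # drops non-enforced links from above
        for gpo, is_enforced in node.links:
            (enforced if is_enforced else normal).append(gpo)
    # Enforced links survive blocking and win; the highest container wins last.
    return normal + enforced[::-1]


def merge(gpos, half):
    result = {}
    for gpo in gpos:                              # later GPOs overwrite earlier ones
        result.update(getattr(gpo, half))
    return result


def resultant(user_ou, computer_ou):
    """Return (user settings, computer settings) for a logon."""
    computer_side = merge(gpo_chain(computer_ou), "computer")
    mode = computer_side.get("loopback")          # None, "merge" or "replace"
    if mode == "replace":
        gpos = gpo_chain(computer_ou)             # user's own OU chain is ignored
    elif mode == "merge":
        gpos = gpo_chain(user_ou) + gpo_chain(computer_ou)
    else:
        gpos = gpo_chain(user_ou)                 # computer's OU is irrelevant
    return merge(gpos, "user"), computer_side


def scenario(loopback=None):
    """user1 in OU1 logs on to Computer1 in OU2 (constructed sample values)."""
    main = Container("MAINOU")
    ou1 = Container("OU1", parent=main)
    ou2 = Container("OU2", parent=main, block_inheritance=True)
    user_policy = GPO("USER POLICY", user={"screensaver": "locked"})
    computer_policy = GPO("COMPUTER POLICY", computer={"other": "set"})
    main.links = [(user_policy, False), (computer_policy, True)]
    ou1.links = [(GPO("User_GPO1", user={"drive_map": "H:"}), False)]
    user_gpo2 = GPO("User_GPO2",
                    user={"screensaver": "off", "start_menu": "restricted"})
    if loopback:
        user_gpo2.computer["loopback"] = loopback
    ou2.links = [(user_gpo2, False)]
    return resultant(ou1, ou2)


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, scenario(mode))
```

Without loopback, User_GPO2 has no effect on user1 even though it is linked at the computer's OU; Block Policy Inheritance on OU2 only starts to matter for user settings once loopback pulls the computer's OU chain into user processing.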
RE: [ActiveDir] OU and Policies
We are trying to make terminal server policies. But doing loopbacks might be a lot of work just because of the quantity. That is why we are trying to do GPO through AD even the article stated earlier did not work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Since the computer (not the user) is in OU2 with inheritance blocked, you are only preventing the user from getting the computer policy, Based on what you have set up, the user will get the user policy no matter what OU his computer is in. The results you are getting are consistent with what you have configured, so perhaps you can tell us what you are trying to accomplish. :-)

Michael Parent MCSE MCT
Analyst (Microsoft Web / Directory Services)
CGI
(902) 453-7300 x3456

"Rosales, Mario" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 10:24 AM
Please respond to ActiveDir
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
So no matter what you do if you want to override user settings you have to use loopback policies? Sorry if I repeat myself I just want to make sure I understand this properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Friday, November 12, 2004 9:46 AM
To: ActiveDir List
Subject: Re: [ActiveDir] OU and Policies

OK, this is getting a bit convoluted, so let me see if I get what you are asking:

If you have:
OU1, with User_GPO1 linked, containing a user object User1
And OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1
These are not nested (meaning, OU1 and OU2 are peers in your structure)

User1 logs on to PC1. Would creating and linking a new policy at OU2 (let's call it User_GPO2) allow you to offset the user settings you are getting from User_GPO1 when User1 logs into PC1.

The answer is no. User policies apply from the GPO structure to which the user belongs, not the PC. Having said that, the loopback suggestion does get you around this. Without loopback, the User in OU1 is still going to get his GPOs applied (well, the User portion of them, anyhow).

On 11/12/04 9:52 AM, Rosales, Mario [EMAIL PROTECTED] wrote:

I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those setting set to something different? That will override correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY(Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin
MAINOUT- COMPUTER POLICY (Other Policy Settings) Enforced

user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
yes. read up on loopback. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Rosales, Mario Sent: Fri 11/12/2004 8:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OU and Policies So no matter what you do if you want to override user settings you have to use loopback policies? Sorry if I repeat myself I just want to make sure I understand this properly. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza Sent: Friday, November 12, 2004 9:46 AM To: ActiveDir List Subject: Re: [ActiveDir] OU and Policies OK, this is getting a bit convoluted, so let me see if I get what you are asking: If you have: OU1, with User_GPO1 linked, containing a user object User1 And OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1 These are not nested (meaning, OU1 and OU2 are peers in your structure) User1 logs on to PC1. Would creating and linking a new policy at OU2 (let's call it User_GPO2) allow you to offset the user settings you are getting from User_GPO1 when User1 logs into PC1. The answer is no. User policies apply from the GPO structure to which the user belongs, not the PC. Having said that, the loopback suggestion does get you around this. Without loopback, the User in OU1 is still going to get his GPOs applied (well, the User portion of them, anyhow). On 11/12/04 9:52 AM, Rosales, Mario [EMAIL PROTECTED] wrote: I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those setting set to something different? That will override correct? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, November 12, 2004 8:33 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OU and Policies Ok. 
Did you not expect the user policy to still apply? The user is not in OU2. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Friday, November 12, 2004 9:26 AM To: Rosales, Mario; '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OU and Policies This is the correction MAINOU-OU1 MAINOU-OU2 -Block Policy Inheritance) MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER MAINOUT- POLICY(Other Policy Settings) Enforced user1 in OU1 Computer1 in ou2 When user1 logs in - the settings of User Policy still apply. -Original Message- From: Rosales, Mario Sent: Friday, November 12, 2004 8:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OU and Policies Correction -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Friday, November 12, 2004 8:06 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OU and Policies Ok have a question hopefully some of you out there could help me out. We have MAINOU-OU1 MAINOU-OU2 -Block Policy Inheritance) MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER POLICY MAINOUT- (Other Policy Settings) Enforced user1 in OU1 Computer1 in ou2 When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense Thanks, Mario ** * The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. 
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OU and Policies
No, you can have layers of user policies, and OU's, and change settings later, filter by groups etc.

The problem with this approach is, once you set a setting, there's no way to get them back to not configured. If you enable something, later on you have to disable it. This is not desirable in some cases as it's not very user friendly. There is no way for a user to change a setting when enforced either way by policy.

John

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 10:37 AM
Please respond to [EMAIL PROTECTED]

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OU and Policies

So no matter what you do if you want to override user settings you have to use loopback policies? Sorry if I repeat myself I just want to make sure I understand this properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Friday, November 12, 2004 9:46 AM
To: ActiveDir List
Subject: Re: [ActiveDir] OU and Policies

OK, this is getting a bit convoluted, so let me see if I get what you are asking:

If you have:

OU1, with User_GPO1 linked, containing a user object User1
And OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1

These are not nested (meaning, OU1 and OU2 are peers in your structure)

User1 logs on to PC1. Would creating and linking a new policy at OU2 (let's call it User_GPO2) allow you to offset the user settings you are getting from User_GPO1 when User1 logs into PC1.

The answer is no. User policies apply from the GPO structure to which the user belongs, not the PC. Having said that, the loopback suggestion does get you around this. Without loopback, the User in OU1 is still going to get his GPOs applied (well, the User portion of them, anyhow).

On 11/12/04 9:52 AM, Rosales, Mario [EMAIL PROTECTED] wrote:

I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those settings set to something different? That will override correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER MAINOUT- POLICY(Other Policy Settings) Enforced
user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER POLICY MAINOUT- (Other Policy Settings) Enforced
user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
Hi Mario

Either Loopback policies or Site policies. Site policies will work based on the site (determined by the IP Subnet) of the computer the user logs into. They will be overwritten by OU GPOs or domain GPOs but they will give you the option of two separate user policies for the same user.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 10:37 AM CST
Please respond to ActiveDir

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] OU and Policies

So no matter what you do if you want to override user settings you have to use loopback policies? Sorry if I repeat myself I just want to make sure I understand this properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Friday, November 12, 2004 9:46 AM
To: ActiveDir List
Subject: Re: [ActiveDir] OU and Policies

OK, this is getting a bit convoluted, so let me see if I get what you are asking:

If you have:

OU1, with User_GPO1 linked, containing a user object User1
And OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1

These are not nested (meaning, OU1 and OU2 are peers in your structure)

User1 logs on to PC1. Would creating and linking a new policy at OU2 (let's call it User_GPO2) allow you to offset the user settings you are getting from User_GPO1 when User1 logs into PC1.

The answer is no. User policies apply from the GPO structure to which the user belongs, not the PC. Having said that, the loopback suggestion does get you around this. Without loopback, the User in OU1 is still going to get his GPOs applied (well, the User portion of them, anyhow).

On 11/12/04 9:52 AM, Rosales, Mario [EMAIL PROTECTED] wrote:

I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those settings set to something different? That will override correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER MAINOUT- POLICY(Other Policy Settings) Enforced
user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER POLICY MAINOUT- (Other Policy Settings) Enforced
user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
RE: [ActiveDir] OU and Policies
So In your previous e-mail you said split the sites but do we really want to do that?

So if I were trying to do the terminal server policies.

For Site I could do a User Policy
Then for the terminal servers I create the ou and put the User Policy settings I want at that ou. That will override the OU Settings at the site level?

Did I understand that correctly?

Thanks,
Mario

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 10:49 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Hi Mario

Either Loopback policies or Site policies. Site policies will work based on the site (determined by the IP Subnet) of the computer the user logs into. They will be overwritten by OU GPOs or domain GPOs but they will give you the option of two separate user policies for the same user.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 10:37 AM CST
Please respond to ActiveDir

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] OU and Policies

So no matter what you do if you want to override user settings you have to use loopback policies? Sorry if I repeat myself I just want to make sure I understand this properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Friday, November 12, 2004 9:46 AM
To: ActiveDir List
Subject: Re: [ActiveDir] OU and Policies

OK, this is getting a bit convoluted, so let me see if I get what you are asking:

If you have:

OU1, with User_GPO1 linked, containing a user object User1
And OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1

These are not nested (meaning, OU1 and OU2 are peers in your structure)

User1 logs on to PC1. Would creating and linking a new policy at OU2 (let's call it User_GPO2) allow you to offset the user settings you are getting from User_GPO1 when User1 logs into PC1.

The answer is no. User policies apply from the GPO structure to which the user belongs, not the PC. Having said that, the loopback suggestion does get you around this. Without loopback, the User in OU1 is still going to get his GPOs applied (well, the User portion of them, anyhow).

On 11/12/04 9:52 AM, Rosales, Mario [EMAIL PROTECTED] wrote:

I was expecting that but I guess it did not work that way. What if I just add another user policy under that OU with those settings set to something different? That will override correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Ok. Did you not expect the user policy to still apply? The user is not in OU2.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:26 AM
To: Rosales, Mario; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

This is the correction

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER MAINOUT- POLICY(Other Policy Settings) Enforced
user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply.

-----Original Message-----
From: Rosales, Mario
Sent: Friday, November 12, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

Correction

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 8:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance)
MAINOUT- USER POLICY (Lock Down ScreenSaver Settin COMPUTER POLICY MAINOUT- (Other Policy Settings) Enforced
Re: [ActiveDir] OU and Policies
Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want
The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU
If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies twice. The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that sites policies do is add another set of policies that the machines receive. It does not affect the user settings

Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir2f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir2f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

----- Original Message -----
From: Rosales, Mario [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November 13, 2004 4:16 AM
Subject: RE: [ActiveDir] OU and Policies

So In your previous e-mail you said split the sites but do we really want to do that?

So if I were trying to do the terminal server policies.

For Site I could do a User Policy
Then for the terminal servers I create the ou and put the User Policy settings I want at that ou. That will override the OU Settings at the site level?

Did I understand that correctly?

Thanks,
Mario

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 10:49 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Hi Mario

Either Loopback policies or Site policies. Site policies will work based on the site (determined by the IP Subnet) of the computer the user logs into. They will be overwritten by OU GPOs or domain GPOs but they will give you the option of two separate user policies for the same user.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/12/2004 10:37 AM CST
Please respond to ActiveDir

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] OU and Policies

So no matter what you do if you want to override user settings you have to use loopback policies? Sorry if I repeat myself I just want to make sure I understand this properly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Friday, November 12, 2004 9:46 AM
To: ActiveDir List
Subject: Re: [ActiveDir] OU and Policies

OK, this is getting a bit convoluted, so let me see if I get what you are asking:

If you have:

OU1, with User_GPO1 linked, containing a user object User1
And OU2, with Inheritance Blocking, with PC_GPO linked, and containing computer object PC1

These are not nested (meaning, OU1 and OU2 are peers in your structure)

User1 logs on to PC1. Would creating and linking a new
RE: [ActiveDir] OU and Policies
So there are a few things going on here of which you should be aware.

First, GPO's applied to users take precedence over GPO's applied to computers. The general concept is that closest policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies.

Second, block inheritance only blocks it for the objects within the OU (and the child OUs). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, it's working exactly as it should.

Finally, you mentioned Citrix. I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPO's, and basically it will force the computer policy to override the users' policies. It's not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do.

Roger Seielstad
E-mail Geek
MS-MVP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 6:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that?

I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out.

We have

MAINOU-OU1
MAINOU-OU2 -Block Policy Inheritance
MAINOUT- USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY MAINOUT- (Other Policy Settings) Enforced
user1 in OU1
Computer1 in ou2

When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense

Thanks,
Mario
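Added example, not part of the original thread: a simplified Python model of the processing rules the replies describe (a user's GPO list is built from the user's own OU chain, Block Inheritance only affects objects inside the blocked OU, an enforced link ignores the block, and loopback MERGE or REPLACE pulls in the computer's OU chain), run on the OU1/OU2 layout from the question. The setting names, the `LoopbackMode` key and the placement of `User_GPO1` at `MAINOU` are assumptions made for the model; site and local GPOs, security filtering and link order are left out.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)      # User Configuration settings
    computer: dict = field(default_factory=dict)  # Computer Configuration settings


@dataclass
class OU:
    name: str
    parent: Optional["OU"] = None
    links: list = field(default_factory=list)     # (GPO, enforced) pairs
    block_inheritance: bool = False


def gpo_list(ou):
    """GPOs in scope for an object stored in `ou`, lowest precedence first."""
    normal, enforced = [], []
    blocked = False
    node = ou
    while node is not None:                       # walk from the object's OU up to the root
        if not blocked:
            here = [g for g, is_enforced in node.links if not is_enforced]
            normal = here + normal                # parents apply before children
        enforced += [g for g, is_enforced in node.links if is_enforced]
        blocked = blocked or node.block_inheritance
        node = node.parent
    # Enforced links ignore Block Inheritance and apply last; the highest level wins.
    return normal + enforced


def merge(layers):
    """Apply setting dictionaries in order; a later layer overwrites an earlier one."""
    result = {}
    for layer in layers:
        result.update(layer)
    return result


def effective_user_settings(user_ou, computer_ou):
    computer_gpos = gpo_list(computer_ou)
    computer_settings = merge(g.computer for g in computer_gpos)
    mode = computer_settings.get("LoopbackMode")  # model key: None, "merge" or "replace"
    if mode == "replace":
        gpos = computer_gpos                      # the user's own GPO list is ignored
    elif mode == "merge":
        gpos = gpo_list(user_ou) + computer_gpos  # computer-side GPOs apply last
    else:
        gpos = gpo_list(user_ou)                  # default: only the user's location counts
    return merge(g.user for g in gpos)


def scenario(loopback=None, enforce_user_gpo1=False):
    """Constructed layout: User1 in OU1, PC1 in OU2 (blocked), both under MAINOU."""
    mainou = OU("MAINOU")
    ou1 = OU("OU1", parent=mainou)
    ou2 = OU("OU2", parent=mainou, block_inheritance=True)
    user_gpo1 = GPO("User_GPO1", user={"ScreenSaverLocked": True, "HideControlPanel": True})
    pc_gpo = GPO("PC_GPO", computer={"LoopbackMode": loopback})
    user_gpo2 = GPO("User_GPO2", user={"ScreenSaverLocked": False})
    mainou.links.append((user_gpo1, enforce_user_gpo1))
    ou2.links += [(pc_gpo, False), (user_gpo2, False)]
    return effective_user_settings(user_ou=ou1, computer_ou=ou2)


if __name__ == "__main__":
    for args in [(None, False), ("merge", False), ("replace", False), ("replace", True)]:
        print(args, scenario(*args))
```

Without loopback, `User_GPO2` linked at OU2 never reaches User1, which is the behaviour the original question ran into; the last case shows that an enforced user policy at `MAINOU` still wins on the blocked OU even in REPLACE mode.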