Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Group Policy confusion [message #164377] Mon, 22 June 2009 06:00
JHman
This quote from the Microsoft Windows group policy guide, p73, confuses me
greatly:

"In Group Policy, Computer Configuration settings are processed when a
computer starts and accesses the network. User Configuration settings are
processed when a user logs on to the network. When there is a conflict
between settings in both Computer Configuration and User Configuration, the
Computer Configuration settings win."

Is this correct, or a typo??? Intuitively I would expect the opposite (since
user logon happens after computer startup). What does it mean exactly?

I would expect this quote to apply to an identical policy setting that is
both available in computer configuration and user configuration, where the
policy setting is processed in the COMPUTER configuration of a GPO that is
linked to an OU that contains the computer, and also processed in the USER
configuration of a GPO that is linked to an OU that contains the user. And
where the user and computer OUs can be found at the same level in the AD
domain.


I’ve done some testing with the “run programs at logon” policy setting,
which is available both in computer configuration and user configuration. I
have a computers OU and users OU at the same level in the domain. Linked a
“DISABLE run programs at logon” (in computer config) GPO to the computers OU,
and a “run notepad at logon” (in users config) GPO to the users OU. I run a
Group Policy Modelling in GPMC for a user in that users OU logging onto a PC
in that PC OU. The modelling shows that in principle BOTH these policy
settings will be processed (both displayed as “winning GPO”).

So I figured that the above quote would mean that in THIS case, the computer
policy would win. Which would mean that NO PROGRAM SHOULD RUN at user logon.
Yet, notepad DOES run at logon.

Am I missing something here, or is it just the case of a typo in the group
policy guide, and does the user configuration win since it is processed after
computer configuration?

The availability of both computer and user configuration settings in GPOs
EVEN when generally just one of the two will be processed (only exception
being loopback processing, where user configuration part IS processed and
enforced at startup of a computer?), can really be confusing, lol. Is it
normal practice to by default disable one of the two depending on whether an
OU to which the GPO is linked contains only computers or users?
Re: Group Policy confusion [message #164390 is a reply to message #164377] Mon, 22 June 2009 09:44
rlmueller-nospam

When there is a conflict between user and computer settings, the computer
settings are enforced. In computer configuration when you select "disable"
for "run at user logon", this means to disable a previous "enable" setting.
This does not prevent an "enable" setting established in user configuration.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
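
A way to see on a test client what each half of Group Policy delivered for this setting (added example, not part of any poster's message). It assumes the setting tested in the thread is "Run these programs at user logon", whose list is stored under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` in HKLM for Computer Configuration and in HKCU for User Configuration; `Get-PolicyRunList` is a name introduced here.

```powershell
# Run in the session of the logged-on test user, so HKCU is that user's hive.
# Assumption: the policy's list lives at this relative path in both hives.
$relPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-PolicyRunList {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('HKLM', 'HKCU')]
        [string]$Hive
    )
    $key = "${Hive}:\$relPath"
    # No key, or a key with no values: this half of policy delivered no list.
    if (-not (Test-Path -LiteralPath $key)) { return @() }

    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Source  = if ($Hive -eq 'HKLM') { 'Computer Configuration' } else { 'User Configuration' }
            Name    = $name
            Command = $item.GetValue($name)
        }
    }
}

# Refresh policy first so the registry reflects the currently linked GPOs.
gpupdate /force | Out-Null

$entries = @(Get-PolicyRunList -Hive HKLM) + @(Get-PolicyRunList -Hive HKCU)
if ($entries.Count -eq 0) {
    'No policy-defined logon programs found in either hive.'
} else {
    # Each row shows which half of policy supplied the entry.
    $entries | Format-Table -AutoSize
}

# Which GPOs applied to each half, for comparison with the GPMC modelling result.
gpresult /r /scope computer
gpresult /r /scope user
```

With the two GPOs described in the first post applied, a row with Source "User Configuration" for notepad and no rows from "Computer Configuration" would match the behaviour JHman observed.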
Re: Group Policy confusion [message #164393 is a reply to message #164390] Mon, 22 June 2009 10:36
JHman
Thanks, but I still don't really get it, I'm afraid.

What would be an example of such a "conflict" between user and computer
configuration settings, then? How could I for example test this?

And will the computer configuration also override a user configuration
setting if the user configuration comes from a policy that is linked to an OU
"closer" to the user to which it applies? (in other words when normal
inheritance would override a setting of an identical policy element lower
down)