Hi Mario,

Maybe this is why you thought it was so hard! There is a policy under "Machine/ADM Templates/System/Group Policy" called "Use Group Policy LoopBack Mode". It all works easy then!
Have a look at the Explanation provided for the policy.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message -----
From: "Rosales, Mario" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, November 14, 2004 3:24 AM
Subject: RE: [ActiveDir] OU and Policies

> Thank you everyone for the information.
>
> So if loopback is the only option here, how do you handle doing loopbacks
> for multiple servers? Do you create a local loopback policy on all the
> computers you want affected and then set up the Computer OU (OU2) with a GPO
> with the instructions listed here ->
> http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
>
> I am assuming there is no way to do it through AD without having to touch
> each Citrix server, correct?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad
> Sent: Friday, November 12, 2004 10:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OU and Policies
>
> So there are a few things going on here of which you should be aware.
>
> First, GPOs applied to users take precedence over GPOs applied to
> computers. The general concept is that "closest" policy applies last. By
> that I mean the default domain policy is applied first, then walking down
> the OU hierarchy, and at the same level the computer policies get applied
> before the user policies.
>
> Second, block inheritance only blocks it for the objects within the OU (and
> the child OUs). So, you're only blocking inheritance to objects which exist
> in OU2. Since that's the computer only, and the computer settings get
> applied before the user settings, it's working exactly as it should.
>
> Finally, you mentioned Citrix.
> I'm guessing what you're really trying to
> accomplish is controlling users' rights when logged into a specific set of
> machines only. What you want is called Loopback processing. It's one of the
> other options for GPOs, and basically it will force the computer policy to
> override the users' policies. It's not quite that simple, and it does have
> some drawbacks from what I remember. But that's what you're looking to do.
>
> --------
> Roger Seielstad
> E-mail Geek & MS-MVP
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Rosales, Mario
> > Sent: Friday, November 12, 2004 6:33 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OU and Policies
> >
> > So are you saying that cannot be done? Then how do you
> > handle Citrix servers?
> >
> > For example users logging into their computer should have the
> > settings from both policies but if they log into a Terminal
> > type server, how do you override that setting? Create an
> > entire new User Policy?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Friday, November 12, 2004 8:25 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OU and Policies
> >
> > Wow. Can you reword that? I think you're saying that you have
> > a user in one OU, and a computer account in another with the
> > policy blocked. You want to know why user policy is being
> > applied to a user using a computer that is in an OU with
> > blocked policy (now you have me doing it :), right?
> >
> > Al
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Rosales, Mario
> > Sent: Friday, November 12, 2004 9:06 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] OU and Policies
> >
> > Ok have a question hopefully some of you out there could help me out.
> >
> > We have
> >
> > MAINOU->OU1
> > MAINOU->OU2 <-Block Policy Inheritance
> >
> > MAINOUT-> USER POLICY (Lock Down ScreenSaver Setting)
> > MAINOUT-> COMPUTER POLICY (Other Policy Settings) Enforced
> >
> > user1 in OU1
> > Computer1 in ou2
> >
> > When user1 logs in - the settings of User Policy still apply.
> >
> > Am I doing something wrong?
> >
> > Hope that makes sense
> >
> > Thanks,
> > Mario
> >
> > ***************************************************************************
> > The contents of this communication are intended only for the
> > addressee and may contain confidential and/or privileged
> > material. If you are not the intended recipient, please do
> > not read, copy, use or disclose this communication and notify
> > the sender. Opinions, conclusions and other information in
> > this communication that do not relate to the official
> > business of my company shall be understood as neither given
> > nor endorsed by it.
> > ***************************************************************************
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
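Added example, not part of the original thread: a simplified Python model of the scoping rules described above, run on the OU layout from the first message, showing why the user policy still reaches user1 on Computer1 and what loopback changes. The GPO name "CITRIX LOOPBACK" and all function names are hypothetical; the model assumes only OU links matter and ignores site, domain and local policy, security filtering and WMI filters.

```python
# Simplified model of Group Policy scoping (added example, constructed data).
from dataclasses import dataclass, field

@dataclass
class OU:
    name: str
    parent: "OU | None" = None
    block_inheritance: bool = False
    links: list = field(default_factory=list)  # (gpo_name, enforced) pairs

def gpos_in_scope(ou):
    """GPOs that reach objects in `ou`, in apply order (last applied wins)."""
    chain, node = [], ou
    while node:                       # walk from the object's OU up to the root
        chain.append(node)
        node = node.parent
    chain.reverse()                   # root first, object's own OU last
    # Deepest OU on the path that blocks inheritance: non-enforced links
    # above it never reach the object.
    barrier = max((i for i, n in enumerate(chain) if n.block_inheritance), default=0)
    normal, enforced = [], []
    for i, n in enumerate(chain):
        for gpo, is_enforced in n.links:
            if is_enforced:
                enforced.append(gpo)  # Enforced links ignore the barrier
            elif i >= barrier:
                normal.append(gpo)
    # Enforced GPOs apply after everything else; the highest-linked one is last.
    return normal + enforced[::-1]

def user_policy(user_ou, computer_ou, loopback=None):
    """GPOs supplying user-side settings at logon; loopback: None/'merge'/'replace'."""
    from_user = gpos_in_scope(user_ou)
    from_computer = gpos_in_scope(computer_ou)
    if loopback == "replace":         # computer's location decides everything
        return from_computer
    if loopback == "merge":           # user's list first, computer's list on top
        return [g for g in from_user if g not in from_computer] + from_computer
    return from_user                  # default: only the user's location matters

# Layout from the thread, plus a hypothetical GPO linked to OU2 that turns loopback on.
MAINOU = OU("MAINOU", links=[("USER POLICY", False), ("COMPUTER POLICY", True)])
OU1 = OU("OU1", parent=MAINOU)
OU2 = OU("OU2", parent=MAINOU, block_inheritance=True,
         links=[("CITRIX LOOPBACK", False)])

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, "->", user_policy(OU1, OU2, mode))
```

Only replace mode removes USER POLICY from the list; merge mode keeps it and relies on a conflicting setting in a computer-scoped GPO to override it.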
