Thanks for pointing out my boneheadedness - site policies will apply on the
computer but do not apply to the user because, obviously, a user will never
be part of an IP subnet. The site policies would work well for applying
laptop settings for travelling laptops, not for setting user settings for
multiple machines.
Sorry for any confusion I caused during my caffeine-lacking state this
morning.
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
From: <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies
Mario,
I think you have got it now...
The OU that the USER belongs to should contain the policies you normally
want.
The OU the Citrix server belongs to should contain the Loopback option
enabled. It should also contain the User policies that you want the user to
get when they log on to Citrix.
If you set Loopback processing to REPLACE, then the User will ONLY get the
settings defined in the Citrix OU.
If you set Loopback processing to MERGE, then the User will get their
normal settings, followed by those in the Citrix OU.
I normally prefer MERGE since you don't have to create your common policies
twice.
The blocking of policies confuses the situation and just
Note: I think James is mistaken about Site Policies. My understanding is
that all that site policies do is add another set of policies that the
machines receive. It does not affect the user settings. Admittedly, if
Loopback processing is enabled, the user will get the User component of the
policies held in the CITRIX OU policy plus the User policies held in the
site policy.
Can I just put in a plug for our free Policy Log Reporter? It makes it very
easy to see exactly what is happening on the machine when policies were
applied, i.e. what OUs and sites were checked, what policies were found,
what were rejected because of security, what was rejected because of
blocking, what was used because of loopback etc. Of course all the
information is in the UserEnv log, but you have to be someone like Darren
to understand it!
http://www.sysprosoft.com/index.php?ref=activedir2&f=policyreporter.shtml
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir2&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir2&f=adm_summary.shtml
Policy Log Reporter (Free):-
http://www.sysprosoft.com/index.php?ref=activedir2&f=policyreporter.shtml
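As an added example (not code from the thread or from any of its posters), this Python model resolves the user settings User1 ends up with in Rick Boza's OU1/OU2 scenario under no loopback, MERGE and REPLACE; Domain_GPO and the setting names are constructed, and Enforced links are left out of the model.

```python
# Added example, not from the thread: a small model of how a user's
# resultant Group Policy settings are chosen with and without loopback.
# GPO names follow the thread (User_GPO1, User_GPO2, PC_GPO); Domain_GPO
# and the setting names are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)
    loopback: str = ""   # "" (off), "merge" or "replace"; a computer setting

def build_scope(chain):
    """chain: (gpos, blocks_inheritance) per container, site/domain first
    and the object's own OU last. Block Inheritance drops every GPO linked
    above the blocking OU (Enforced links, which survive blocking, are not
    modelled here)."""
    scope = []
    for gpos, blocks in chain:
        if blocks:
            scope = []
        scope.extend(gpos)
    return scope

def resolve_user_settings(user_chain, computer_chain):
    """Later GPOs win on conflict. Without loopback only the user's own
    chain counts; REPLACE uses the user half of the computer's chain only;
    MERGE appends the computer's chain after the user's, so it wins.
    Loopback itself is a computer setting, so it is read from the computer's scope."""
    user_scope = build_scope(user_chain)
    computer_scope = build_scope(computer_chain)
    mode = next((g.loopback for g in reversed(computer_scope) if g.loopback), "")
    order = {"": user_scope, "replace": computer_scope,
             "merge": user_scope + computer_scope}[mode]
    result = {}
    for gpo in order:
        result.update(gpo.user_settings)
    return result

# Rick Boza's scenario: User1 in OU1 (User_GPO1); PC1 in OU2, which blocks
# inheritance and links PC_GPO plus a User_GPO2 meant to offset User_GPO1.
DOMAIN_GPO = GPO("Domain_GPO", {"HideDrives": "yes"})
USER_GPO1 = GPO("User_GPO1", {"ScreenSaverLocked": "yes"})
USER_GPO2 = GPO("User_GPO2", {"ScreenSaverLocked": "no", "Wallpaper": "citrix.bmp"})
def scenario(loopback=""):
    pc_gpo = GPO("PC_GPO", loopback=loopback)   # loopback set in the PC's GPO
    user_chain = [([DOMAIN_GPO], False), ([USER_GPO1], False)]
    computer_chain = [([DOMAIN_GPO], False), ([pc_gpo, USER_GPO2], True)]
    return resolve_user_settings(user_chain, computer_chain)
```

With no loopback the result is User1's own settings only (Rick's "the answer is no"), REPLACE returns only the user settings linked at OU2, and MERGE layers those over User1's own, which is why Alan prefers MERGE.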
----- Original Message -----
From: "Rosales, Mario" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, November 13, 2004 4:16 AM
Subject: RE: [ActiveDir] OU and Policies
> So in your previous e-mail you said split the sites but do we really want
> to do that?
>
> So if I were trying to do the terminal server policies.
>
> For Site I could do a User Policy.
> Then for the terminal servers I create the OU and put the User Policy
> settings I want at that OU. That will override the OU Settings at the
> site level? Did I understand that correctly?
>
> Thanks,
> Mario
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, November 12, 2004 10:49 AM
> To: [EMAIL PROTECTED]
> Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] OU and Policies
>
> Hi Mario
>
> Either Loopback policies or Site policies. Site policies will work based
> on the site (determined by the IP Subnet) of the computer the user logs
> into. They will be overwritten by OU GPOs or domain GPOs but they will
> give you the option of two separate user policies for the same user.
>
> Regards;
>
> James R. Day
> Active Directory Core Team
> Office of the Chief Information Officer
> National Park Service
> (202) 354-1464 (direct)
> (202) 371-1549 (fax)
> [EMAIL PROTECTED]
>
>
> From: "Rosales, Mario" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> Sent: 11/12/2004 10:37 AM CST
> Please respond to ActiveDir
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc: (bcc: James Day/Contractor/NPS)
> Subject: RE: [ActiveDir] OU and Policies
>
> So no matter what you do if you want to override user settings you have
> to use loopback policies? Sorry if I repeat myself, I just want to make
> sure I understand this properly.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
> Sent: Friday, November 12, 2004 9:46 AM
> To: ActiveDir List
> Subject: Re: [ActiveDir] OU and Policies
>
> OK, this is getting a bit convoluted, so let me see if I get what you are
> asking:
>
> If you have:
>
> OU1, with User_GPO1 linked, containing a user object User1
>
> And OU2, with Inheritance Blocking, with PC_GPO linked, and containing
> computer object PC1
>
> These are not nested (meaning, OU1 and OU2 are peers in your structure)
>
> User1 logs on to PC1.
>
> Would creating and linking a new policy at OU2 (let's call it User_GPO2)
> allow you to offset the user settings you are getting from User_GPO1 when
> User1 logs into PC1?
>
> The answer is no. User policies apply from the GPO structure to which
> the user belongs, not the PC. Having said that, the loopback suggestion
> does get you around this. Without loopback, the User in OU1 is still going
> to get his GPOs applied (well, the User portion of them, anyhow).
>
>
> On 11/12/04 9:52 AM, "Rosales, Mario" <[EMAIL PROTECTED]> wrote:
>
> > I was expecting that but I guess it did not work that way. What if I
> > just add another user policy under that OU with those setting set to
> > something different? That will override correct?
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Friday, November 12, 2004 8:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] OU and Policies
> >
> > Ok. Did you not expect the user policy to still apply? The user is
> > not in OU2.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rosales,
> > Mario
> > Sent: Friday, November 12, 2004 9:26 AM
> > To: Rosales, Mario; '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OU and Policies
> >
> >
> > This is the correction
> >
> >
> > MAINOU->OU1
> > MAINOU->OU2 <-Block Policy Inheritance
> >
> > MAINOU-> USER POLICY (Lock Down ScreenSaver Settings)
> > MAINOU-> COMPUTER POLICY (Other Policy Settings) Enforced
> >
> > user1 in OU1
> > Computer1 in OU2
> >
> > When user1 logs in - the settings of User Policy still apply.
> >
> >
> > -----Original Message-----
> > From: Rosales, Mario
> > Sent: Friday, November 12, 2004 8:25 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] OU and Policies
> >
> > Correction
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rosales,
> > Mario
> > Sent: Friday, November 12, 2004 8:06 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] OU and Policies
> >
> > Ok have a question hopefully some of you out there could help me out.
> >
> > We have
> >
> > MAINOU->OU1
> > MAINOU->OU2 <-Block Policy Inheritance
> >
> > MAINOU-> USER POLICY (Lock Down ScreenSaver Settings)
> > MAINOU-> COMPUTER POLICY (Other Policy Settings) Enforced
> >
> > user1 in OU1
> > Computer1 in OU2
> >
> > When user1 logs in - the settings of User Policy still apply.
> >
> > Am I doing something wrong?
> >
> > Hope that makes sense
> >
> > Thanks,
> > Mario
> >
> >
> >
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>