I use Site GPOs extensively to have Site-specific logon scripts run. I just 
double-checked, and the logon/logoff script settings are definitely in the User 
portion of the GPO. 

If I remember correctly, the computer determines what site it is in during GPO 
processing, and applies any associated Site GPO objects. This includes both 
parts of Site GPOs. In our case the logon script associated with the Site is 
launched from the User portion of the GPO, and maps the drives appropriate for 
that site. User settings in Domain or OU policies will be applied after 
settings from the Site GPO, so they may override whatever User or Computer 
settings you are trying to apply in the Site GPO (Local->Site->Domain->OU...).

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation
Information Services
www.belkin.com


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 12, 2004 2:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and Policies

Thanks for pointing out my boneheadedness - site policies will apply on the 
computer but do not apply to the user because, obviously, a user will never be 
part of an ip subnet.  The site policies would work well for applying laptop 
settings for travelling laptops, not for setting user settings for multiple 
machines.

Sorry for any confusion I caused during my caffeine-lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies




Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want.

The OU the Citrix server belongs to should contain the Loopback option enabled. 
It should also contain the User policies that you want the user to get when they 
log on to Citrix.

If you set Loopback processing to REPLACE, then the User will ONLY get the 
settings defined in the Citrix OU.

If you set Loopback processing to MERGE, then the User will get their 
normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies 
twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that 
all that site policies do is add another set of policies that the machines 
receive. It does not affect the user settings. Admittedly, if Loopback 
processing is enabled, the user will get the User component of the policies 
held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter? It makes it very 
easy to see exactly what is happening on the machine when policies were 
applied, i.e. what OUs and sites were checked, what policies were found, what 
were rejected because of security, what was rejected because of blocking, what 
was used because of loopback etc. Of course all the information is in the 
UserENV log, but you have to be someone like Darren to understand it!
http://www.sysprosoft.com/index.php?ref=activedir2&f=policyreporter.shtml


Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir2&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir2&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir2&f=policyreporter.shtml


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
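
The processing order discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of which GPOs supply User settings with loopback off, in Replace mode and in Merge mode. All GPO names and settings are constructed sample data; local policy, security filtering, Block Inheritance and Enforced links are assumed away.

```python
# Added illustration (not from the thread): simplified model of User-side GPO
# processing. GPO names and settings are constructed sample data.

GPO_USER_SETTINGS = {
    "Site-HQ":        {"logon_script": "map_hq_drives.cmd"},
    "Domain-Default": {"screensaver_timeout": 900},
    "OU-Staff":       {"logon_script": "staff.cmd", "control_panel": "allowed"},
    "OU-Citrix":      {"control_panel": "hidden"},
}

# Constructed objects: a Citrix server in its own OU, a user in a staff OU.
CITRIX_SERVER = {"site": ["Site-HQ"], "domain": ["Domain-Default"], "ous": ["OU-Citrix"]}
STAFF_USER = {"domain": ["Domain-Default"], "ous": ["OU-Staff"]}


def chain(site, domain, ous):
    """GPO links in processing order Site -> Domain -> OU (local policy omitted)."""
    return list(site) + list(domain) + list(ous)


def user_policy_order(computer, user, loopback=None):
    """Return the GPOs whose User portion is applied, earliest first."""
    # The site always comes from the computer: a user object has no subnet.
    user_chain = chain(computer["site"], user["domain"], user["ous"])
    computer_chain = chain(computer["site"], computer["domain"], computer["ous"])
    if loopback is None:
        return user_chain
    if loopback == "replace":
        return computer_chain                # user's own domain/OU GPOs ignored
    if loopback == "merge":
        return user_chain + computer_chain   # computer's list applied last, so it wins
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def effective_user_settings(order):
    """Apply GPOs in order; a later GPO overwrites an earlier one per setting."""
    result = {}
    for gpo in order:
        result.update(GPO_USER_SETTINGS.get(gpo, {}))
    return result


if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        order = user_policy_order(CITRIX_SERVER, STAFF_USER, mode)
        print(mode, order, effective_user_settings(order))
```

With loopback off, the OU-level logon script overrides the site one; in Merge mode the site GPO is processed again as part of the computer's list, so its script ends up winning.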
