The key here is that policy is only processed by user and computer objects, but its effect can be filtered by security groups (and WMI queries). So, in this scenario, putting block inheritance on the OU where the user object resides would prevent the user from receiving upstream GPOs, even though the user's group resides elsewhere.
________________________________ From: [EMAIL PROTECTED] on behalf of Passo, Larry Sent: Thu 2/17/2005 8:11 AM To: [email protected] Subject: RE: [ActiveDir] Account policies and groups But group membership can determine which GPOs get applied if you are using GPO filtering. ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Thursday, February 17, 2005 6:42 AM To: [email protected] Subject: RE: [ActiveDir] Account policies and groups No, group membership does not determine what policies get applied. If they did, they would be called "OU policies", wouldn't they? :) -gil ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton Sent: Thursday, February 17, 2005 7:27 AM To: [email protected] Subject: [ActiveDir] Account policies and groups If a user is in an OU which has the block inheritance selected but is in member of group that's in a different OU and doesn't have block inheritance applied, will the password policy for example still apply to that user? Just curios really For Troup Bywaters + Anders Tim Sutton T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024 E: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> W: www.TBandA.com <http://www.TBandA.com> Eastgate House 10 Eastgate Leeds LS2 7JL Office Location Map <http://www.multimap.com/map/browse.cgi?client=public&db=pc&cidr_client=none&lang=&pc=LS27JL&advanced=&client=public&addr2=&quicksearch=ls27jl&addr3=&addr1=> ________________________________ Groupshield 6.0 - Troup Bywaters & Anders Privilege and Confidentiality Notice This email and any attachments to it are intended only for the party to whom they are addressed. They may contain privileged and / or confidential information. If you have received this transmission in error please notify the sender immediately and delete any digital copies and destroy any paper copies. Thank you.
<<winmail.dat>>
