Page 1 of 2 1 2 Last
Results 1 to 25 of 37
    GPO Processing order

    #1 cashew
    The way that GPOs are processed is Local, Site, Domain, and OU. Let's say that at the site level I have an option set and at the OU level I have an option set. Since the options don't conflict with each other, are both applied, or does the OU GPO totally wipe out the domain OU?

    #2 royal
    Both are applied due to Group Policy's cumulative nature. The higher precedented Group Policy applies. So for instance:

    Site Level GPO.
    Setting #1 - Allow Option A
    Setting #2 - Deny Option B

    OU Level GPO
    Setting #1 - Not Defined
    Setting #2 - Allow Option B

    Net Result for object in OU
    Setting #1 - Allow Option A
    Setting #2 - Allow Option B

    The Not Defined setting basically means, allow lower precedented group policy settings to flow through. There are caveats, however. For example, Block Inheritance and No Override.

    #3 cashew
    That's what I thought, but what about this. Correct me if I'm wrong, but let's say a PC is in an OU and a user is in a different OU. There is a GPO linked to the PC OU that has user settings defined. The GPO linked to the user OU has its own settings defined. Unless loopback processing is enabled, the user settings will have precedence over the computer settings when that user logs on? Then back to the first question, where if the settings on both OUs don't conflict, they will both be applied?

    #4 sprkymrk
    Quote Originally Posted by cashew
    That's what I thought, but what about this. Correct me if I'm wrong, but let's say a PC is in an OU and a user is in a different OU. There is a GPO linked to the PC OU that has user settings defined.
    User settings in a GPO that are applied to an OU that only has computers will not be processed anyway - unless loopback processing is in use. If the user himself is in that OU, then yes. Otherwise the user settings will be ignored, since the object is a computer. Example:

    User1 is in the OU called Sales.
    His laptop is named mobile1, and is in an OU called Laptops.

    The OU Sales contains only user objects.
    The OU Laptops contains only computer objects.

    No matter what "computer" settings you define in the Sales OU GPO, they will have no effect since there are no computer objects to apply them to.

    No matter what "user" settings you define in the Laptops OU GPO, they will have no effect since there are no user objects to apply them to - unless using Loopback processing.


    Quote Originally Posted by cashew
    Then back to the first question, where if the settings on both OU's don't conflict, they will be both applied?
    Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.

    #5 cashew
    What if loopback processing is enabled for an OU that has only computers in it. On that computers OU there are user settings defined. When a user logs on to the computer, the user settings from the computers OU are applied to the user, and the action is dependent on merge or replace mode? Merging if the settings don't conflict and replacing if they do?

    #6 sprkymrk
    Quote Originally Posted by cashew
    What if loopback processing is enabled for an OU that has only computers in it. On that computers OU there are user settings defined. When a user logs on to the computer, the user settings from the computers OU are applied to the user, and the action is dependent on merge or replace mode? Merging if the settings don't conflict and replacing if they do?
    That is correct.

    "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

    "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.

    #7 cashew
    Almost finished with the MSPress, but ran across another question. Let's say that a user is in an OU. Let's say he's a member of a group that is in a different OU. When that user logs on, is the GPO for him and the GPO for the group run? If not, what if the group is in the same OU as the user?

    #8 royal
    Group Policies don't apply to groups. They ONLY apply to users and computers; hence the user configuration and computer configuration sections in a GPO. You can filter by groups, but that is only if the user object or computer object is in that OU. If they are not, then filtering cannot happen. If the user object is in an OU, it then checks the filter to see if it should apply to a specific user/group.

    #9 sprkymrk
    Exactly what Royal said.
    You can try it yourself in a home lab by creating an OU and placing only groups in it. Then create a GPO linked to that OU that runs a logon script, turns on a screensaver and a few other obvious changes. Then, log on as a user that is a member of that group and watch as absolutely nothing happens.

    #10 cashew
    Quote Originally Posted by sprkymrk
    Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.
    I created an OU and added a user account and computer account. I set the computer policy to disallow messenger to enable and set the user to disallow messenger to disable. When I refreshed I was unable to run messenger? I thought that the user settings would override since loopback wasn't enabled?

    #11 sprkymrk
    Quote Originally Posted by cashew
    Quote Originally Posted by sprkymrk

    Unless Loopback processing is enabled, if there are conflicting settings applied to the computer vs. user (such as offline files for instance which can be applied either to the computer or user), then the user settings will take precedence since they are applied last.
    I created an OU and added a user account and computer account. I set the computer policy to disallow messenger to enable and set the user to disallow messenger to disable. When I refreshed I was unable to run messenger? I thought that the user settings would override since loopback wasn't enabled?
    There is a "note" on the explanation of that computer policy that states:

    Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence.
    Now I'm not sure if that's a special case or if my original information was incorrect. I'll check it out.

    #12 royal
    I always thought that user configuration wins unless it either states that the computer setting will take precedence or in cases such as loopback. After seeing the following comment, I'm not so sure about that:

    From: http://www.microsoft.com/technet/pro....mspx?mfr=true

    In most cases policy settings specified in the Computer Configuration node have precedence over the same setting if one exists in the User Configuration node.

    #13 sprkymrk
    Quote Originally Posted by royal
    I always thought that user configuration wins unless it either states that the computer setting will take precedence or in cases such as loopback. After seeing the following comment, I'm not so sure about that:

    From: http://www.microsoft.com/technet/pro....mspx?mfr=true

    In most cases policy settings specified in the Computer Configuration node have precedence over the same setting if one exists in the User Configuration node.
    Good find royal. I suppose that despite the user policy being applied last, computer settings seem to have precedence. Weird.

    #14 cashew
    Well, at least I know the actual function, so when it comes to applying this on the job I know what to do. However, right now I want to make sure that 294 knows the real truth. So after doing some more research, if you look at any other GPO setting that involves computer and user settings (Windows Movie Maker for example) with the same option, each one has a note saying that if both are configured, the computer configuration takes precedence. If you have the MSPress for 294, go to page 10-16 and look at the note at the bottom of the page. It reads:

    "If there is a conflict between the computer configuration settings and the user configuration settings, the user configuration settings are applied because the user settings are more specific."

    Microsoft needs to make up its mind. This isn't the first occurrence I've run across in my MCSE studies. I remember 3 or 4 off the top of my head when I was studying 284 and how MS contradicts itself on numerous occasions.

    #15 sprkymrk
    That's what makes it so much fun!

    #16 cashew
    Well, just finished MSPress and CBT Nuggets so I'm going to order the transcenders. Interested to see how the questions handle this topic. I will post if I run across some more drama on this issue.

    #17 mr2nut
    What is the difference between block inheritance and no override by the way? They sound like they do very similar things.

    #18 mr2nut
    Also, do GPOs work in alphabetical order? If not, how do they determine which applies first?

    #19 dynamik
    Quote Originally Posted by mr2nut
    What is the difference between block inheritance and no override by the way? They sound like they do very similar things.
    They do opposite things. You can think of "no override" as "force inheritance." Suppose you delegate control over an OU to someone, but you do not want them to override a setting you set at the domain level.

    Quote Originally Posted by mr2nut
    Also, do GPOs work in alphabetical order? If not, how do they determine which applies first?
    They are applied in this order: Local > Domain > Site > OU

    If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.

    #20 royal
    Quote Originally Posted by dynamik
    If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.
    And the one at top of the list wins.

    This is important if you're doing something like WMI filtering with 2000 machines. Since 2000 machines don't apply WMI filtering, you can trick it by placing the Windows 2000 GPO on top and the XP GPO 2nd in the list. You then apply a GPO filter so that the top GPO only applies to Windows 2000. Since XP will see this WMI filter, it'll skip the top one and apply the second one. Since 2000 can't see the WMI filter, it'll automatically just apply the first one.

    So the processing in the actual list is important.

    #21 mr2nut
    Quote Originally Posted by dynamik
    Quote Originally Posted by mr2nut
    What is the difference between block inheritance and no override by the way? They sound like they do very similar things.
    They do opposite things. You can think of "no override" as "force inheritance." Suppose you delegate control over an OU to someone, but you do not want them to override a setting you set at the domain level.

    Quote Originally Posted by mr2nut
    Also, do GPOs work in alphabetical order? If not, how do they determine which applies first?
    They are applied in this order: Local > Domain > Site > OU

    If one has multiple GPOs, you can move them up or down in the list to set the order in which they are applied.
    Cheers. I understand the order in the respect of local>domain>site>ou. But let's say you have three OUs for clients, fileservers and servers. Clients appears in the list before fileservers, so does the servers OU inherit the default domain policy, then settings from clients, then fileservers, or do OUs completely ignore other policies and only GPOs applied directly into the OU?

    #22 dynamik
    Quote Originally Posted by mr2nut
    Cheers. I understand the order in the respect of local>domain>site>ou. But let's say you have three OUs for clients, fileservers and servers. Clients appears in the list before fileservers, so does the servers OU inherit the default domain policy, then settings from clients, then fileservers, or do OUs completely ignore other policies and only GPOs applied directly into the OU?
    The LDSOU order is how settings are applied and inherited. You can modify inheritance with the options we discussed earlier. A setting that is defined in multiple places is overwritten by the one applied later; otherwise it's simply inherited from where it was applied.

    I don't understand your OU example. Unless they're nested, the GPOs linked to them aren't going to affect any of the others.

    #23 mr2nut
    I get it now. I was under the impression that say for example you have the following...

    default domain policy
    -Client OU
    -Server OU

    I was under the impression that Client OU would inherit just the default domain policy. Then the Server OU would inherit the default domain policy, AND any settings in the Client OU as it was above the Server OU, but I've now figured out that they will only both just inherit the default domain policy and any other settings applied using only the GPO attached to its OU.

    #24 NetAdmin2436
    Local > Domain > Site > OU
    The LDSOU order was mentioned a few times in the thread (and if I'm not mistaken here) it should actually be LSDOU and hence applied in this order:
    Local > Site > Domain > OU

    Group Policy processing and precedence: Group Policy
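A small Python model of the resolution rules this thread works through (royal's cumulative example in #2, the loopback modes in #6, No Override and Block Inheritance in #19, link order in #20, and the LSDOU order confirmed in #24), added here as an example and not code from the thread or from Microsoft; every GPO, setting name and value in it is constructed, and it assumes a GPO is a flat dict of settings in which None stands for Not Defined.

```python
# Added example, not code from the thread: a toy resolver for the Group Policy
# precedence rules discussed above (LSDOU order, link order, Not Defined
# flowing through, Block Inheritance, No Override/Enforced, loopback modes).
# Every GPO, setting name and value below is constructed for illustration.
from typing import Dict, List, Optional

Settings = Dict[str, Optional[str]]         # value None means "Not Defined"


def resolve(local: Settings, containers: List[dict]) -> Settings:
    """containers: the AD scope in LSDOU order (site, domain, OU, child OU).
    Each is {"block": bool, "links": [{"settings": {...}, "enforced": bool}]},
    links in console order, so links[0] is the highest-precedence link."""
    normal: List[Settings] = [local]        # applied first, lowest precedence
    enforced: List[Settings] = []           # collected top-down, applied last
    for c in containers:
        if c.get("block"):                  # Block Inheritance drops the
            normal = [local]                # non-enforced links from above
        for link in reversed(c["links"]):   # bottom of list first, top last
            (enforced if link.get("enforced") else normal).append(link["settings"])
    result: Settings = {}
    # Enforced links beat everything; among them the one nearest the domain
    # wins, so apply them child-first and let the parent overwrite.
    for settings in normal + enforced[::-1]:
        for name, value in settings.items():
            if value is not None:           # Not Defined lets the earlier value stand
                result[name] = value
    return result


def loopback(user_cfg: Settings, computer_user_cfg: Settings, mode: str) -> Settings:
    """Combine the user's own User Configuration with the User Configuration
    carried by the computer's GPOs, in the two modes described in post #6."""
    if mode == "replace":
        return dict(computer_user_cfg)
    merged = dict(user_cfg)                 # merge: computer's user settings win
    merged.update({k: v for k, v in computer_user_cfg.items() if v is not None})
    return merged


def royal_example() -> Settings:
    site = {"links": [{"settings": {"OptionA": "Allow", "OptionB": "Deny"}}]}
    ou = {"links": [{"settings": {"OptionA": None, "OptionB": "Allow"}}]}
    return resolve({}, [site, ou])          # OptionA stays Allow, OptionB becomes Allow


def caveats_example() -> Settings:
    site = {"links": [{"settings": {"Messenger": "Allow", "Homepage": "intranet"}}]}
    domain = {"links": [{"enforced": True, "settings": {"Screensaver": "On"}}]}
    ou = {"block": True, "links": [
        {"settings": {"Screensaver": "Off", "Wallpaper": "top.bmp"}},     # top link wins
        {"settings": {"Wallpaper": "second.bmp", "Messenger": "Deny"}}]}
    return resolve({"Homepage": "local"}, [site, domain, ou])
```

In caveats_example the OU's Block Inheritance discards the site link but not the local GPO, the top link on the OU beats the second one, and the domain's enforced screensaver setting survives the OU's attempt to turn it off.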

    #25 dynamik
    +1

    Don't listen to that other guy