none
AGMP - to disable User Configuration

    Question

  • Hi,

    We are using AGPM. and I need to disable the user configuration for a production computer GPO.

    At the moment, both are set to Enabled: computer configuration (Enabled) and User Configuration (Enabled). However there is no setting in the User Configuration section.

    Query - as this computer GPO is a Production GPO (linked to OU and applied to computers). By changing the User Configuration to DISABLE - Can we change this after a GPO has gone 'live' (in PRD). and will it or what impact would it bring to current computers that already received the GPO?

    Thank you

     


    Best Regards,

    Tuesday, June 21, 2016 2:37 AM

Answers

  • > Yes, the aim to disable the user configuration part of GPO is with the
    > intention to "speed" up security.
     
    If your GPO in question is linked only to computers, disabling the user
    part will have no effect - computers do not care about the user part,
    they do not look for settings, they do not evaluate if it is enabled or
    disabled, they completely ignore it :)
     
    • Marked as answer by BlueBerries Friday, June 24, 2016 3:23 AM
    Thursday, June 23, 2016 9:50 AM

All replies

  • Hi,
     
    Am 21.06.2016 um 04:37 schrieb BlueBerries:
    > [...] I need to disable the user configuration for a production
    > computer GPO.[...] what impact would it bring to current computers
    > that already received the GPO?
     
    None, because Computer do NEVER apply user settings and vice versa.
    Wrong target.
     
    Simply said you can not import HKCU into HKLM.
    (ok, you can manually, but usually it is senseless ;-)
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Tuesday, June 21, 2016 6:06 AM
  • Hi,

    I agree with Mark Heitbrink. User settings of a GPO will only affect user accounts that reside in the OU(s) that are in the scope of where that GPO is linked. Computer settings will only affect computer accounts that reside in the OU(s) that are in the scope of where that GPO is linked.

    The only thing is by disabling part of a policy that isn’t used, the application of GPOs and security will be faster.

    Disabling an Unused Part of Group Policy Objects

    https://technet.microsoft.com/en-us/magazine/dd673616.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 21, 2016 7:27 AM
    Moderator
  • Yes, the aim to disable the user configuration part of GPO is with the intention to "speed" up security.

    Thanks for the info.. 


    Best Regards,

    Thursday, June 23, 2016 12:47 AM
  • Hi,

    I am glad to hear that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 23, 2016 2:03 AM
    Moderator
  • > Yes, the aim to disable the user configuration part of GPO is with the
    > intention to "speed" up security.
     
    If your GPO in question is linked only to computers, disabling the user
    part will have no effect - computers do not care about the user part,
    they do not look for settings, they do not evaluate if it is enabled or
    disabled, they completely ignore it :)
     
    • Marked as answer by BlueBerries Friday, June 24, 2016 3:23 AM
    Thursday, June 23, 2016 9:50 AM