none
computers and users on seperate GPO

    Question

  • hi,

    i've curently deployed roaming user areas on my network, and what i'm looking to do is to put the computer seting in a different GPO to the user settings ?

    is this doable ?

    at the moment i have 8 GPOs that control the users and to give them roaming user areas i have modify all of the GPO,

    is there a way so that the curent 8 GPO only control the users and a 9th that would control all the cmputers ?

    that way if i want to modify the computers i only have to modify 1 GPO and not 8

    Sunday, July 17, 2016 3:35 PM

Answers

All replies

  • generically, yes, but it depends how you have organised your OUs of Users/Computers, and GPO-links..

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, July 17, 2016 9:26 PM
  • this is how OUs and GPO-links are set up at the moment

    123

    1233

    Sunday, July 17, 2016 10:05 PM
  • Hi,

    If we configure the settings under User Configuration, these settings apply to user accounts, regardless of which computer they log onto.

    If we configure the settings under Computer Configuration, these settings apply to computer accounts, regardless of which user logs onto the computer.

    However, when there is conflicting settings existing in the same GPO, as suggested by Martin in the following thread:
    “If conflicting settings exist, it depends on the individual setting and windows component which setting will win. Most times, it will be the computer setting. Loopback does NOT change this behavior.”

    computer configuration conflict with user configuration

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/423c12e8-8303-48d0-b8ac-5a8d46e71137/computer-configuration-conflict-with-user-configuration?forum=winserverGP

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 18, 2016 8:04 AM
    Moderator
  • so it looks like you aren't leveraging the power of inheritance...

    if your OUs were parent/children, instead of all being peers, you could link a GPO at the parent OU and it will inherit (cascade/flow) downwards to the child OUs.

    eg

    \mdl.local

    \mdl.local\HQ

    \mdl.local\HQ\Dept1

    \mdl.local\HQ\Dept1\computers

    \mdl.local\HQ\Dept1\users

    \mdl.local\Branch1\

    \mdl.local\Branch1\Dept2

    \mdl.local\Branch1\Dept2\computers

    \mdl.local\Branch1\Dept2\users

    So, you could link a GPO to \mdl.local\HQ\Dept1, and that GPO will apply to all users & computers for Dept1 (children of Dept1)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, July 18, 2016 8:16 AM
  • i shall look into inheritance 

    so if i've understood correctly 

    in the user GPO
    i only configure the user settings and leave all computer settings as undefind 

    in the computer GPO
    i only configure the computer settings and leave all the user settings undefind

    there should be no problem ?

    for info:
    the only settings that i'm applying to the computers are the roaming user areas and firefox and chrome settings

    Monday, July 18, 2016 10:07 AM
  • in the user GPO
    i only configure the user settings and leave all computer settings as undefind 

    in the computer GPO
    i only configure the computer settings and leave all the user settings undefind

    there should be no problem ?

    Yes, it's fine to do that. You can also set the un-used component to disabled (i.e. for a User GPO, set the Computer component to disabled, etc)

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, July 18, 2016 8:56 PM
  • just to confirm:

    the computer GPO only need to be linked to the computers or should i also link it to the users ?

    the user GPOs only need to be linked to the users or should i also link them to the computers ?

    Tuesday, July 19, 2016 11:37 AM
  • > the computer GPO only need to be linked to the computers or should i
    > also link it to the users ?
     
    Computers only.
     
    > the user GPOs only need to be linked to the users or should i also link
    > them to the computers ?
     
    Users only.
     
    Simple design, easier to understand :)
     
    Tuesday, July 19, 2016 1:26 PM