Understanding Domain policies - Computer/User Configuration

    Question

  • I have read some posts regarding group policy and how they are applied but I am still a little bit confused, so here are some questions:

    1. User Configuration/Computer Configuration: Each of them contains unique policies. Does this mean that all policies under User Configuration will be applied to users and the same stands for Computer Configuration?

    2. From what I have read in a post in this forum, if I want the password policy not to affect some accounts like Domain admin or service accounts, the only way is to check the "Never expire" option, is that correct (Domain level is 2003)?

    3. I want to forbid write access to all users in my domain except some domain admin accounts. If question (1) has positive answer, that means that this policy cannot be applied to user accounts. So I have to configure some computers and servers to be able to write to usb devices, right?

    These questions will help me start my domain policy configuration.

    Thanks in advance,
    Argiris

    Tuesday, October 30, 2012 9:10 AM

Answers

  • Hi,

    Regarding your first question, we’d better confirm the difference between Computer Configuration and User Configuration. Computer Configuration in Group Policy is applied to computers, regardless of who logs on to the computers. User Configuration in Group Policy is applied to users, regardless of which computer they log on to. If settings in Computer Configuration and User Configuration in one GPO collide with each other, the Computer Configuration will override the User Configuration. For details, please refer to the following article.

    http://www.theeldergeek.com/gp06.htm

    Computer Configuration

    http://technet.microsoft.com/en-us/library/cc736413(v=ws.10).aspx

    User Configuration

    http://technet.microsoft.com/en-us/library/cc781953(v=ws.10).aspx

    Regarding the second question, maybe you have misunderstood what “Password never expires” means. This setting means that the system will not force you to change your password when the "Maximum password age" is reached. Regardless of whether or not the password expires, it can still be locked through multiple attempts to login that fail. As we know, the Account Policies settings in Group Policy are all applied at the domain level and each Windows Server 2003 domain can have only one Account Policies setting. The Account Policies setting must either be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy. If you do not want to apply the password policy to the Domain Admin group, maybe we could try to create a new GPO with Password Policy configured and link it to the domain, then we could try to limit the scope of the GPO using Security Filtering.

    Security filtering using GPMC

    http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx

    Regarding the last question, if we want to make USB devices read only via Group Policy, I suggest we refer to the following articles.

    How can I prevent users from writing to USB removable disks (USB flash drives) by using Group Policy (GPO)?

    http://www.petri.co.il/disable_writing_to_usb_disks_in_xp_sp2_with_gpo.htm

    Best Practice: How to use Group Policy to make USB drives read only on Windows XP

    http://www.grouppolicy.biz/2010/02/how-to-use-group-policy-to-make-usb-drives-read-only-on-windows-xp/

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    • Marked as answer by ArgiDio Friday, November 2, 2012 8:39 AM
    Thursday, November 1, 2012 8:33 AM
    Moderator
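
The following is an added example, not part of the original thread or written by its participants: an audit helper that decodes the directory attributes behind the "Password never expires" checkbox discussed in the answer, flagging accounts whose password is older than the domain maximum and showing that a lockout can still be recorded on them. The function name, the account names, the dates and the 42-day maximum are constructed for illustration.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Bit values of the userAccountControl attribute.
$UF_ACCOUNTDISABLE     = 0x2
$UF_DONT_EXPIRE_PASSWD = 0x10000        # the "Password never expires" checkbox
$TicksPerDay           = 864000000000   # FILETIME units (100 ns) in one day

function Get-PasswordExpiryStatus {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [Parameter(Mandatory)] [int]      $MaxPasswordAgeDays,
        [datetime] $Now = (Get-Date)
    )
    foreach ($a in $Account) {
        $uac          = [int]$a.userAccountControl
        $neverExpires = ($uac -band $UF_DONT_EXPIRE_PASSWD) -ne 0
        $pwdLastSet   = [long]$a.pwdLastSet   # FILETIME; 0 = must change at next logon
        $ageDays      = $null
        if ($pwdLastSet -gt 0) {
            $ageDays = [math]::Floor(($Now.ToFileTimeUtc() - $pwdLastSet) / $TicksPerDay)
        }
        [pscustomobject]@{
            Name            = $a.sAMAccountName
            Enabled         = ($uac -band $UF_ACCOUNTDISABLE) -eq 0
            NeverExpires    = $neverExpires
            PasswordAgeDays = $ageDays
            # Old password that only the flag is keeping valid past the domain maximum
            ExemptAndStale  = $neverExpires -and ($ageDays -gt $MaxPasswordAgeDays)
            # Non-zero lockoutTime: a lockout was recorded; the flag does not prevent it
            LockoutRecorded = ([long]$a.lockoutTime) -gt 0
        }
    }
}

# Constructed sample records. Against a live domain, the same three attributes can be
# read for accounts matching the LDAP filter
#   (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))
$sample = @(
    @{ sAMAccountName = 'svc-backup'; userAccountControl = 0x10200; lockoutTime = 0
       pwdLastSet = ([datetime]'2010-03-01').ToFileTimeUtc() },
    @{ sAMAccountName = 'adm-jdoe'; userAccountControl = 0x10200
       lockoutTime = ([datetime]'2012-10-29').ToFileTimeUtc()
       pwdLastSet = ([datetime]'2012-10-10').ToFileTimeUtc() },
    @{ sAMAccountName = 'user1'; userAccountControl = 0x200; lockoutTime = 0
       pwdLastSet = ([datetime]'2012-10-20').ToFileTimeUtc() }
)
Get-PasswordExpiryStatus -Account $sample -MaxPasswordAgeDays 42 -Now ([datetime]'2012-11-01') |
    Format-Table -AutoSize
```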