Enabling/Disabling GPO Nodes


  • Enabling/Disabling GPO Nodes

    On Server 2008 R2, one can disable Computer Configuration or User Configuration settings by going to the Details tab of the GPO.

    You can choose Computer Configuration Settings disabled or User Configuration Settings Disabled, if you want, but what is the effect of setting these settings?

    According to Microsoft, the following happens:

    Computer Configuration Settings Disabled - During computer policy refresh, computer configuration settings in the GPO will not be applied. The GPO will not be processed during user policy refresh.

    User Configuration Settings Disabled - During user policy refresh, user configuration settings in the GPO will not be applied. The GPO will not be processed during computer policy refresh.

    But does not that just mean the GPO is not applied, no matter which setting you set? If disable computer config settings is set, then the computer related settings will not be applied. Which is fine, but according to Microsoft the GPO will not be processed during user policy refresh, in other words the user related settings will not be applied either, thus the GPO is not applied at all? The same goes for using the other option? According to MS there is no difference between these two settings, and the All settings disabled setting, the GPO is not applied either way.

    Is the MS documentation wrong, or am I missing something?

  • #2
    Re: Enabling/Disabling GPO Nodes

    Any policy is applied when it relates to the OU or group that an object occupies in AD, either at startup/shutdown in the case of a computer, or at logon/logoff for a user.

    What MS is talking about is how those policies are applied. If you create a policy that includes computer settings, but the policy is applied to users, the computer settings are ignored. The same is true the other way around: with a policy including user settings, but applied to computer objects, the user settings are ignored. The idea of disabling the computer or user nodes in a GP is one way of preventing yourself from confusing the 2 (as far as my simpler outlook can see; if anyone knows better, pls chip in!)

    A note: the term 'Group Policy' is a bit of a misleading name, since a GP is NOT applied directly to a group--it's applied to a collection of objects grouped together in an Organizational Unit (OU) in Active Directory. You can use Group membership to apply what's called 'security filtering' in how/when a policy is applied, but you don't apply the policy to a Group directly.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Enabling/Disabling GPO Nodes

      Thanks for the reply. I'm still confused though. Aren't settings in user configuration node ignored regardless of which setting you set on the details tab of a GPO, during computer policy refresh, and vice versa by default?

      I mean if you link a GPO to an OU with computers, and don't make any configuration changes on the details tab (the GPO status is enabled). Then at computer startup, computer policy refresh occurs, where settings from the computer configuration node are applied. But are settings from the user configuration node also applied during computer policy refresh? (I thought that just occurred during user policy refresh.)

      Isn't that what loopback policy processing is for? Or is that the default behaviour?



      • #4
        Re: Enabling/Disabling GPO Nodes

        Computer settings only work on computers, user settings only work on users. That's what it all comes down to, and what the Microsoft article was originally saying.

        Loopback allows you to enforce one over the other by re-applying something after the normal GP hierarchical processing has finished. But the settings are still only applied as described before. So if you try to enforce user settings during a computer policy enforcement, no user settings are applied.

        If it's under the user settings section in the GP Edit screen, that's the object it applies to. It's as simple as that.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **
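
To check how the GPO status setting discussed in this thread is set across a domain, the following added example (not posted by anyone in the thread) reports GPOs where a node has been edited but is disabled, or is empty but still enabled. The function names and sample GPO names are hypothetical; `GpoStatus`, `User.DSVersion` and `Computer.DSVersion` are properties of the objects that `Get-GPO` returns.

```powershell
# Added example (not from the thread). Input objects need DisplayName, GpoStatus,
# User.DSVersion and Computer.DSVersion, the shape Get-GPO returns.
function Get-GpoNodeStatusReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Gpo
    )
    process {
        $status  = [string]$Gpo.GpoStatus
        $userOff = @('UserSettingsDisabled', 'AllSettingsDisabled') -contains $status
        $compOff = @('ComputerSettingsDisabled', 'AllSettingsDisabled') -contains $status
        # DSVersion 0 means the node has never been edited in this GPO.
        $userEdited = $Gpo.User.DSVersion -gt 0
        $compEdited = $Gpo.Computer.DSVersion -gt 0

        $findings = @()
        if ($userOff -and $userEdited) { $findings += 'User node edited but disabled' }
        if ($compOff -and $compEdited) { $findings += 'Computer node edited but disabled' }
        if (-not $userOff -and -not $userEdited) { $findings += 'User node empty but enabled' }
        if (-not $compOff -and -not $compEdited) { $findings += 'Computer node empty but enabled' }

        New-Object psobject -Property @{
            DisplayName = $Gpo.DisplayName
            GpoStatus   = $status
            Findings    = ($findings -join '; ')
        } | Select-Object DisplayName, GpoStatus, Findings
    }
}

# Hypothetical helper: builds a constructed stand-in for a Get-GPO result.
function New-SampleGpo($Name, $Status, $UserVer, $CompVer) {
    New-Object psobject -Property @{
        DisplayName = $Name
        GpoStatus   = $Status
        User        = (New-Object psobject -Property @{ DSVersion = $UserVer })
        Computer    = (New-Object psobject -Property @{ DSVersion = $CompVer })
    }
}

# Constructed sample data; the GPO names are made up.
$sample = @(
    (New-SampleGpo 'Constructed-Workstations' 'UserSettingsDisabled'     0 12),
    (New-SampleGpo 'Constructed-Desktop-Lock' 'ComputerSettingsDisabled' 7 3),
    (New-SampleGpo 'Constructed-Mixed'        'AllSettingsEnabled'       4 0)
)
$sample | Get-GpoNodeStatusReport | Format-Table -AutoSize

# Against a real domain (requires the GroupPolicy module):
# Import-Module GroupPolicy; Get-GPO -All | Get-GpoNodeStatusReport
```

In the constructed data, only `Constructed-Desktop-Lock` shows a node that was edited and then disabled; the other two rows show an untouched node, disabled in the first GPO and still enabled in the third.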
