Information Technology Reference
In-Depth Information
Furthermore, users are affected by GPOs within whose scope they fall, and the same goes for
computers.
Normally, the policies that affect user settings follow users to whichever computer they log
on to. However, you might want user policy settings to be based on the GPO within whose scope
the computer object falls. For example, you have an OU named ConfRoomComputers contain-
ing all computer accounts of computers in conference rooms. Perhaps you want standardized
desktop settings, such as wallpaper, screen savers, Start menu, and so forth, so that these com-
puters have a consistent look for visitors. All the settings mentioned are in the User
Configuration node, however, so they can't apply to computer accounts. You don't want all users
in the organization to have these settings when they log on to other computers in the company.
The solution is to enable the “User group policy loopback processing mode” policy in the
Computer Configuration node of a GPO. After this policy is enabled, settings in the User
Configuration node of the GPO apply to all users who log on to the computer. To use loopback
processing in the conference room computers example, you would take the following steps:
1. Create a new GPO (or edit an existing one), and enable the “User group policy loopback
processing mode” policy in the Computer Configuration\Policies\Administrative
Templates\System\Group Policy node.
2. In the User Configuration node of the GPO, edit policies to set the wallpaper, screen saver,
and Start menu options you want.
3. Link the GPO to the ConfRoomComputers OU.
When users log on to a computer in a conference room, they're now subject to the User
Configuration policies you set in the GPO linked to the ConfRoomComputers OU. When users log
on to any other computer, they're subject to whatever policies normally affect their user accounts.
As you learned in Chapter 3, GPOs have a Computer Configuration node, affecting all computer
accounts in a GPO's scope, and a User Configuration node, affecting all user accounts in a GPO's
scope. Most policies in these two nodes affect different aspects of the working environment, but
a few policies are the same. If the same policy is configured in both nodes and the settings con-
flict (for example, one disables a policy and the other enables it), the setting in Computer
Configuration takes precedence.
Both nodes have a Policies folder and a Preferences folder (discussed later in the chapter).
Under the Policies folder are these three folders: Software Settings, Windows Settings, and
Administrative Templates.
Chapter 3 covered the types of policies in these folders briefly, but now you examine them
more closely. The Software Settings and Windows Settings folders include items called extensions
because they extend the functionality of Group Policy beyond what was available in Windows
2000. The Administrative Templates folder contains categorized folders or nodes with settings
that affect users' or computers' working environments, mainly by changing Registry settings.
Policy settings can be managed or unmanaged. A managed policy setting is applied to a user
or computer when the object is in the scope of the GPO containing the setting. When the object
is no longer in the GPO's scope or the policy is set to Not configured, however, the setting on
the user or computer reverts to its original state. You have seen this behavior in earlier activities,
when the Prohibit access to the Control Panel policy affected the user only as long as the user
was in the GPO's scope. An unmanaged policy setting is persistent, meaning it remains even after
the computer or user object falls out of the GPO's scope. The policies that are preloaded in
Active Directory are managed policies, but you can customize Group Policy by adding your own
policies, which are unmanaged.
The Computer Configuration node applies policies to computers regardless of who logs on to
the computer. Most important, this node contains most of the security-related settings in the
Account Policies, User Rights Assignment, Audit Policy, and Security Options nodes. Computer
Search WWH ::
Custom Search