Need a hand with GPP

Dashrender

I am trying to apply a Group Policy Preference (GPP) to my test OU.

The items in the User section work just fine, but the Computer section is ignored.

The OU in question has a sub OUs for the users themselves and another for the computers. The GPO is applied to the top level.

Domain.com
Sample OU
Sample GPO
Sample OU Users
Sample OU Computers

Thoughts?

IRJ

Why not just make two GPOs and apply the User one to the User OU and the Computer one to the Computer OU? I generally separate them because I use User GPOs for certain things and Computer GPOs for other things.

Dashrender

I'm definitely about to try that - but why should I need to - of course other than.. because it's MS and well their shit almost never works as advertised? LOL

DenisKelley

I thought to apply User policies to Computer and vise versa, you needed to enable loopback policy. I don't mix mine, but I've seen that term mentioned about.

Dashrender

@DenisKelley said:

I thought to apply User policies to Computer and vise versa, you needed to enable loopback policy. I don't mix mine, but I've seen that term mentioned about.

You are a genius!!

http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

You're absolutely right... without loopback mode my setup won't work. Now simply for knowledge sake, why is it applying my user settings instead of my computer settings? Does one have a higher priority than the other?

I haven't read the entire link I posted above yet.. my answer may ly there.

IRJ

@Dashrender said:

I'm definitely about to try that - but why should I need to - of course other than.. because it's MS and well their shit almost never works as advertised? LOL

You shouldn't need to, but I like to do it because it makes organizing and editing policies easier. I have 14 sub OUs under my Computer's OU. I like to split policies up by branch and/or department. I do this because I find that certain departments or branches may need a slight GPO tweak. I hate to apply settings for everyone when only one department or user needs it. I use a unique 4 DIGIT identifier for each department and branch and all my GPO names start with that.

DenisKelley

Cool. I can't help you other than what I posted because I don't nest my OUs like that.

Dashrender

I won't be any more either... I'm educating myself on a better practice since I have a large group of new computers, now's a good time to move that direction.

Nara

@IRJ said:

Why not just make two GPOs and apply the User one to the User OU and the Computer one to the Computer OU? I generally separate them because I use User GPOs for certain things and Computer GPOs for other things.

This is the way to go. Keeping GPO and RSOP processing time to a minimum is key. If you have User GPOs applied to computer objects and vice versa, it requires just a bit more processing for the DC to generate RSOP. Keep it simple; keep it clean.