Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computer Certification > MCSE > Group Policy Guide - conflicting information?

Reply
Thread Tools

Group Policy Guide - conflicting information?

 
 
rileymartin
Guest
Posts: n/a
 
      01-13-2008
Hi,

In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself on
p. 68 and on p. 73.

On p. 68 it says when there is a conflict in policy between user
configuration settings and computer configuration settings, the user
configuration settings take precedence over the computer configuration
settings. However, on p. 73 it says the computer configuration settings win?

Am I missing something? Which one is right? Thanks.

Riley
 
Reply With Quote
 
 
 
 
Michael D. Alligood [CertGuard, Inc.]
Guest
Posts: n/a
 
      01-13-2008
"rileymartin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed):

> Hi,
>
> In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself on
> p. 68 and on p. 73.
>
> On p. 68 it says when there is a conflict in policy between user
> configuration settings and computer configuration settings, the user
> configuration settings take precedence over the computer configuration
> settings. However, on p. 73 it says the computer configuration settings win?
>
> Am I missing something? Which one is right? Thanks.
>
> Riley


Computer over User. Welcome to the Machine.
--
Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
The I.T. Classroom - http://www.theitclassroom.com/
CertGuard, Inc. - http://www.certguard.com/
Microsoft Exam Security Newsgroup -
microsoft.public.certification.exam.security


 
Reply With Quote
 
 
 
 
rileymartin
Guest
Posts: n/a
 
      01-13-2008
Thanks.

"Michael D. Alligood [CertGuard, Inc.]" wrote:

> "rileymartin" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed):
>
> > Hi,
> >
> > In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself on
> > p. 68 and on p. 73.
> >
> > On p. 68 it says when there is a conflict in policy between user
> > configuration settings and computer configuration settings, the user
> > configuration settings take precedence over the computer configuration
> > settings. However, on p. 73 it says the computer configuration settings win?
> >
> > Am I missing something? Which one is right? Thanks.
> >
> > Riley

>
> Computer over User. Welcome to the Machine.
> --
> Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
> The I.T. Classroom - http://www.theitclassroom.com/
> CertGuard, Inc. - http://www.certguard.com/
> Microsoft Exam Security Newsgroup -
> microsoft.public.certification.exam.security
>
>
>

 
Reply With Quote
 
John R
Guest
Posts: n/a
 
      01-13-2008

"Michael D. Alligood [CertGuard, Inc.]" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> "rileymartin" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed):
>
>> Hi,
>>
>> In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself
>> on
>> p. 68 and on p. 73.
>>
>> On p. 68 it says when there is a conflict in policy between user
>> configuration settings and computer configuration settings, the user
>> configuration settings take precedence over the computer configuration
>> settings. However, on p. 73 it says the computer configuration settings
>> win?
>>
>> Am I missing something? Which one is right? Thanks.
>>
>> Riley

>
> Computer over User. Welcome to the Machine.
> --


This is actually a great question. Because as you say, it is in fact
documented differently. For example, on page 10-17 of the MS Press book for
70-294, it says that user settings take precedence.

If you think about how group policies are applied, it might make more sense.
When a computer boots, group policies that apply to the computer object are
applied from the computer configuration settings. Later, when the user logs
in, the user configuration settings are applied. Thus, it would appear to
me that the user settings are more specific. But what about a process that
runs even without a user logged in such as a service? Well, since no user
has in fact logged on, it would appear that computer configuration settings
are the only settings that have been applied.

This is a great opportunity for aspiring certification candidates to do a
little testing. In fact, this is one of the items that I spent a
significant amount of time playing with in my test lab prior to taking the
70-294 test.

John R


 
Reply With Quote
 
Michael D. Alligood [CertGuard, Inc.]
Guest
Posts: n/a
 
      01-13-2008
"John R" <jsr^^^813@zoom^^^internet.net> wrote in message
news:#(E-Mail Removed):

> "Michael D. Alligood [CertGuard, Inc.]" <(E-Mail Removed)> wrote in
> message news:(E-Mail Removed)...
> > "rileymartin" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed):
> >
> >> Hi,
> >>
> >> In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself
> >> on
> >> p. 68 and on p. 73.
> >>
> >> On p. 68 it says when there is a conflict in policy between user
> >> configuration settings and computer configuration settings, the user
> >> configuration settings take precedence over the computer configuration
> >> settings. However, on p. 73 it says the computer configuration settings
> >> win?
> >>
> >> Am I missing something? Which one is right? Thanks.
> >>
> >> Riley

> >
> > Computer over User. Welcome to the Machine.
> > --

>
> This is actually a great question. Because as you say, it is in fact
> documented differently. For example, on page 10-17 of the MS Press book for
> 70-294, it says that user settings take precedence.
>
> If you think about how group policies are applied, it might make more sense.
> When a computer boots, group policies that apply to the computer object are
> applied from the computer configuration settings. Later, when the user logs
> in, the user configuration settings are applied. Thus, it would appear to
> me that the user settings are more specific. But what about a process that
> runs even without a user logged in such as a service? Well, since no user
> has in fact logged on, it would appear that computer configuration settings
> are the only settings that have been applied.
>
> This is a great opportunity for aspiring certification candidates to do a
> little testing. In fact, this is one of the items that I spent a
> significant amount of time playing with in my test lab prior to taking the
> 70-294 test.
>
> John R


You just take the fun out of everything.
--
Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
The I.T. Classroom - http://www.theitclassroom.com/
CertGuard, Inc. - http://www.certguard.com/
Microsoft Exam Security Newsgroup -
microsoft.public.certification.exam.security


 
Reply With Quote
 
John R
Guest
Posts: n/a
 
      01-13-2008

"Michael D. Alligood [CertGuard, Inc.]" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
> news:#(E-Mail Removed):
>


> You just take the fun out of everything.


Sorry, Michael, but I really do agree with the OP, and I have seen it
documented both ways as he stated. And I agree with your post as well, I
was not trying to disagree with you.

I forget who was asked if they wear boxers or briefs, and they answered
'depends'. That caused a good laugh because the answer was taken
differently than it was intended. I have found that the same situation
applies to this OPs question. IMHO, you have to look at the setting itself,
what the setting applies to, and then of course take loopback processing
into account. If the setting is to a service, or sometimes even to an
application, if that application or service starts up prior to a user logon,
it will be the computer configuration that will take priority unless it is a
registry setting that the application queries periodically like a SAV or
ForeFront Client Security registry setting, unless loopback processing is
specfied in replace or merge mode, unless, unless, unless. The fact that MS
even designed a loopback feature to allow for the computer configuration
settings to override the user settings would indicate that it is the user
settings that take precedence, but that isn't always necessary.

That is what I found in my testing. I was thoroughly confused on this
subject and actually spent about three weeks just changing two different
gpos, rebooting, running RSoP, etc, until I came to the answer 'depends'. I
don't remember if I was asked any questions on the test about conflicts, but
I do know that I was asked about loopback processing.

Fortunately, our organization uses GPOs sparingly, and almost all GPOs have
only user or computer settings, not both. RSoP is really the best tool to
test with prior to assigning a GPO to a production OU, and I use that
extensively.

John R


 
Reply With Quote
 
John R
Guest
Posts: n/a
 
      01-14-2008

"John R" <jsr^^^813@zoom^^^internet.net> wrote in message
news:(E-Mail Removed)...
>

<snip>

^^^
<Realizes his "inner-geek" is showing again>


 
Reply With Quote
 
kpg*
Guest
Posts: n/a
 
      01-14-2008
> But what about a process that runs even without a user
> logged in such as a service? Well, since no user has in fact logged
> on, it would appear that computer configuration settings are the only
> settings that have been applied.


....but don't services require the specification of a user account
to run under?


 
Reply With Quote
 
John R
Guest
Posts: n/a
 
      01-14-2008

"kpg*" <(E-Mail Removed)> wrote in message
news:Xns9A2564A5D41D1ipostthereforeiam@207.46.248. 16...
>> But what about a process that runs even without a user
>> logged in such as a service? Well, since no user has in fact logged
>> on, it would appear that computer configuration settings are the only
>> settings that have been applied.

>
> ...but don't services require the specification of a user account
> to run under?
>
>


Yes, but most services run as the local system, and those that do have
domain or local user specified as their logon simply authenticate, they do
not process group policy (that I know of) since they are not an interactive
logon.

Of course, now you've given me something else to test

John R


 
Reply With Quote
 
.rev [askthemct.com]
Guest
Posts: n/a
 
      01-14-2008
User Policies win, unless Loopback Proeccessing is enabled with "Replace"
This option overrides the User's policy settings, which is perfect for a
public computer you want to desable administrative access with...

Also its important to remember with the exceptions of Enforce the last GPD
applied wins.

--
..rev

www.askthemct.com
..
"rileymartin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself
> on
> p. 68 and on p. 73.
>
> On p. 68 it says when there is a conflict in policy between user
> configuration settings and computer configuration settings, the user
> configuration settings take precedence over the computer configuration
> settings. However, on p. 73 it says the computer configuration settings
> win?
>
> Am I missing something? Which one is right? Thanks.
>
> Riley


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Policy map using policy map Geoffrey Sinclair Cisco 1 07-27-2009 09:31 AM
Group policy with no group =?Utf-8?B?UGhvZW5peCBDeWNsaXN0?= Wireless Networking 1 03-15-2007 04:21 AM
Default Domain Policy vs Default Domain Controller Policy Tyler Cobb MCSE 6 10-19-2005 09:36 PM
Default Domain Policy vs. Default Domain Controller Policy Tyler Cobb MCSA 1 10-09-2005 03:42 PM
Policy File. Definitive Guide? Michel Gallant Java 2 01-30-2004 01:17 PM



Advertisments