| Home | Forums | Reviews | Guides | Newsgroups | Register | Search |
 |
| Thread Tools |
|
Guest
Posts: n/a
|
|
|
|
||
|
|
| |
|
Guest
Posts: n/a
|
|
|
|
|
||
|
|
| |
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
"John R" <jsr^^^813@zoom^^^internet.net> wrote in message
news:#: > "Michael D. Alligood [CertGuard, Inc.]" <> wrote in > message news:... > > "rileymartin" <> wrote in message > > news:0F943BFA-65E7-44E6-ADFA-: > > > >> Hi, > >> > >> In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself > >> on > >> p. 68 and on p. 73. > >> > >> On p. 68 it says when there is a conflict in policy between user > >> configuration settings and computer configuration settings, the user > >> configuration settings take precedence over the computer configuration > >> settings. However, on p. 73 it says the computer configuration settings > >> win? > >> > >> Am I missing something? Which one is right? Thanks. > >> > >> Riley > > > > Computer over User. Welcome to the Machine. > > -- > > This is actually a great question. Because as you say, it is in fact > documented differently. For example, on page 10-17 of the MS Press book for > 70-294, it says that user settings take precedence. > > If you think about how group policies are applied, it might make more sense. > When a computer boots, group policies that apply to the computer object are > applied from the computer configuration settings. Later, when the user logs > in, the user configuration settings are applied. Thus, it would appear to > me that the user settings are more specific. But what about a process that > runs even without a user logged in such as a service? Well, since no user > has in fact logged on, it would appear that computer configuration settings > are the only settings that have been applied. > > This is a great opportunity for aspiring certification candidates to do a > little testing. In fact, this is one of the items that I spent a > significant amount of time playing with in my test lab prior to taking the > 70-294 test. > > John R You just take the fun out of everything.  -- Michael D. Alligood, MCITP, MCTS, MCSA, MCDST The I.T. Classroom - http://www.theitclassroom.com/ CertGuard, Inc. - http://www.certguard.com/ Microsoft Exam Security Newsgroup - microsoft.public.certification.exam.security |
|
|
|
|
|||
|
Guest
Posts: n/a
|
"Michael D. Alligood [CertGuard, Inc.]" <> wrote in message news:... > "John R" <jsr^^^813@zoom^^^internet.net> wrote in message > news:#: > > You just take the fun out of everything. Sorry, Michael, but I really do agree with the OP, and I have seen it documented both ways as he stated. And I agree with your post as well, I was not trying to disagree with you. I forget who was asked if they wear boxers or briefs, and they answered 'depends'. That caused a good laugh because the answer was taken differently than it was intended. I have found that the same situation applies to this OPs question. IMHO, you have to look at the setting itself, what the setting applies to, and then of course take loopback processing into account. If the setting is to a service, or sometimes even to an application, if that application or service starts up prior to a user logon, it will be the computer configuration that will take priority unless it is a registry setting that the application queries periodically like a SAV or ForeFront Client Security registry setting, unless loopback processing is specfied in replace or merge mode, unless, unless, unless. The fact that MS even designed a loopback feature to allow for the computer configuration settings to override the user settings would indicate that it is the user settings that take precedence, but that isn't always necessary. That is what I found in my testing. I was thoroughly confused on this subject and actually spent about three weeks just changing two different gpos, rebooting, running RSoP, etc, until I came to the answer 'depends'. I don't remember if I was asked any questions on the test about conflicts, but I do know that I was asked about loopback processing. Fortunately, our organization uses GPOs sparingly, and almost all GPOs have only user or computer settings, not both. RSoP is really the best tool to test with prior to assigning a GPO to a production OU, and I use that extensively. John R |
|
|
|
|
|||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
"kpg*" <> wrote in message news:Xns9A2564A5D41D1ipostthereforeiam@207.46.248. 16... >> But what about a process that runs even without a user >> logged in such as a service? Well, since no user has in fact logged >> on, it would appear that computer configuration settings are the only >> settings that have been applied. > > ...but don't services require the specification of a user account > to run under? > > Yes, but most services run as the local system, and those that do have domain or local user specified as their logon simply authenticate, they do not process group policy (that I know of) since they are not an interactive logon. Of course, now you've given me something else to test John R |
|
|
|
|
|||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
|
| |
|
| Thread Tools | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Policy map using policy map | Geoffrey Sinclair | Cisco | 1 | 07-27-2009 09:31 AM |
| Group policy with no group | =?Utf-8?B?UGhvZW5peCBDeWNsaXN0?= | Wireless Networking | 1 | 03-15-2007 04:21 AM |
| Default Domain Policy vs Default Domain Controller Policy | Tyler Cobb | MCSE | 6 | 10-19-2005 09:36 PM |
| Default Domain Policy vs. Default Domain Controller Policy | Tyler Cobb | MCSA | 1 | 10-09-2005 03:42 PM |
| Policy File. Definitive Guide? | Michel Gallant | Java | 2 | 01-30-2004 01:17 PM |
