Group Policy Guide - conflicting information?

Discussion in 'MCSE' started by rileymartin, Jan 13, 2008.

  1. rileymartin

    rileymartin Guest

    Hi,

    In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself on
    p. 68 and on p. 73.

    On p. 68 it says when there is a conflict in policy between user
    configuration settings and computer configuration settings, the user
    configuration settings take precedence over the computer configuration
    settings. However, on p. 73 it says the computer configuration settings win?

    Am I missing something? Which one is right? Thanks.

    Riley
     
    rileymartin, Jan 13, 2008
    #1

  2. "rileymartin" <> wrote in message
    news::

    > Hi,
    >
    > In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself on
    > p. 68 and on p. 73.
    >
    > On p. 68 it says when there is a conflict in policy between user
    > configuration settings and computer configuration settings, the user
    > configuration settings take precedence over the computer configuration
    > settings. However, on p. 73 it says the computer configuration settings win?
    >
    > Am I missing something? Which one is right? Thanks.
    >
    > Riley


    Computer over User. Welcome to the Machine.
    --
    Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
    The I.T. Classroom - http://www.theitclassroom.com/
    CertGuard, Inc. - http://www.certguard.com/
    Microsoft Exam Security Newsgroup -
    microsoft.public.certification.exam.security
     
    Michael D. Alligood [CertGuard, Inc.], Jan 13, 2008
    #2

  3. rileymartin

    rileymartin Guest

    Thanks.

    "Michael D. Alligood [CertGuard, Inc.]" wrote:

    > "rileymartin" <> wrote in message
    > news::
    >
    > > Hi,
    > >
    > > In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself on
    > > p. 68 and on p. 73.
    > >
    > > On p. 68 it says when there is a conflict in policy between user
    > > configuration settings and computer configuration settings, the user
    > > configuration settings take precedence over the computer configuration
    > > settings. However, on p. 73 it says the computer configuration settings win?
    > >
    > > Am I missing something? Which one is right? Thanks.
    > >
    > > Riley

    >
    > Computer over User. Welcome to the Machine.
    > --
    > Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
    > The I.T. Classroom - http://www.theitclassroom.com/
    > CertGuard, Inc. - http://www.certguard.com/
    > Microsoft Exam Security Newsgroup -
    > microsoft.public.certification.exam.security
    >
    >
    >
     
    rileymartin, Jan 13, 2008
    #3
  4. John R

    John R Guest

    "Michael D. Alligood [CertGuard, Inc.]" <> wrote in
    message news:...
    > "rileymartin" <> wrote in message
    > news::
    >
    >> Hi,
    >>
    >> In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself
    >> on
    >> p. 68 and on p. 73.
    >>
    >> On p. 68 it says when there is a conflict in policy between user
    >> configuration settings and computer configuration settings, the user
    >> configuration settings take precedence over the computer configuration
    >> settings. However, on p. 73 it says the computer configuration settings
    >> win?
    >>
    >> Am I missing something? Which one is right? Thanks.
    >>
    >> Riley

    >
    > Computer over User. Welcome to the Machine.
    > --


    This is actually a great question. Because as you say, it is in fact
    documented differently. For example, on page 10-17 of the MS Press book for
    70-294, it says that user settings take precedence.

    If you think about how group policies are applied, it might make more sense.
    When a computer boots, group policies that apply to the computer object are
    applied from the computer configuration settings. Later, when the user logs
    in, the user configuration settings are applied. Thus, it would appear to
    me that the user settings are more specific. But what about a process that
    runs even without a user logged in such as a service? Well, since no user
    has in fact logged on, it would appear that computer configuration settings
    are the only settings that have been applied.

    This is a great opportunity for aspiring certification candidates to do a
    little testing. In fact, this is one of the items that I spent a
    significant amount of time playing with in my test lab prior to taking the
    70-294 test.

    John R
     
    John R, Jan 13, 2008
    #4
  5. "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:#:

    > "Michael D. Alligood [CertGuard, Inc.]" <> wrote in
    > message news:...
    > > "rileymartin" <> wrote in message
    > > news::
    > >
    > >> Hi,
    > >>
    > >> In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself
    > >> on
    > >> p. 68 and on p. 73.
    > >>
    > >> On p. 68 it says when there is a conflict in policy between user
    > >> configuration settings and computer configuration settings, the user
    > >> configuration settings take precedence over the computer configuration
    > >> settings. However, on p. 73 it says the computer configuration settings
    > >> win?
    > >>
    > >> Am I missing something? Which one is right? Thanks.
    > >>
    > >> Riley

    > >
    > > Computer over User. Welcome to the Machine.
    > > --

    >
    > This is actually a great question. Because as you say, it is in fact
    > documented differently. For example, on page 10-17 of the MS Press book for
    > 70-294, it says that user settings take precedence.
    >
    > If you think about how group policies are applied, it might make more sense.
    > When a computer boots, group policies that apply to the computer object are
    > applied from the computer configuration settings. Later, when the user logs
    > in, the user configuration settings are applied. Thus, it would appear to
    > me that the user settings are more specific. But what about a process that
    > runs even without a user logged in such as a service? Well, since no user
    > has in fact logged on, it would appear that computer configuration settings
    > are the only settings that have been applied.
    >
    > This is a great opportunity for aspiring certification candidates to do a
    > little testing. In fact, this is one of the items that I spent a
    > significant amount of time playing with in my test lab prior to taking the
    > 70-294 test.
    >
    > John R


    You just take the fun out of everything. ;)
    --
    Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
    The I.T. Classroom - http://www.theitclassroom.com/
    CertGuard, Inc. - http://www.certguard.com/
    Microsoft Exam Security Newsgroup -
    microsoft.public.certification.exam.security
     
    Michael D. Alligood [CertGuard, Inc.], Jan 13, 2008
    #5
  6. John R

    John R Guest

    "Michael D. Alligood [CertGuard, Inc.]" <> wrote in
    message news:...
    > "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    > news:#:
    >


    > You just take the fun out of everything. ;)


    Sorry, Michael, but I really do agree with the OP, and I have seen it
    documented both ways as he stated. And I agree with your post as well, I
    was not trying to disagree with you.

    I forget who was asked if they wear boxers or briefs, and they answered
    'depends'. That caused a good laugh because the answer was taken
    differently than it was intended. I have found that the same situation
    applies to this OP's question. IMHO, you have to look at the setting itself,
    what the setting applies to, and then of course take loopback processing
    into account. If the setting is to a service, or sometimes even to an
    application, if that application or service starts up prior to a user logon,
    it will be the computer configuration that will take priority unless it is a
    registry setting that the application queries periodically like a SAV or
    ForeFront Client Security registry setting, unless loopback processing is
    specified in replace or merge mode, unless, unless, unless. The fact that MS
    even designed a loopback feature to allow for the computer configuration
    settings to override the user settings would indicate that it is the user
    settings that take precedence, but that isn't always necessary.

    That is what I found in my testing. I was thoroughly confused on this
    subject and actually spent about three weeks just changing two different
    gpos, rebooting, running RSoP, etc, until I came to the answer 'depends'. I
    don't remember if I was asked any questions on the test about conflicts, but
    I do know that I was asked about loopback processing.

    Fortunately, our organization uses GPOs sparingly, and almost all GPOs have
    only user or computer settings, not both. RSoP is really the best tool to
    test with prior to assigning a GPO to a production OU, and I use that
    extensively.

    John R
     
    John R, Jan 13, 2008
    #6
  7. John R

    John R Guest

    "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:...
    >

    <snip>

    ^^^
    <Realizes his "inner-geek" is showing again>
     
    John R, Jan 14, 2008
    #7
  8. kpg*

    kpg* Guest

    > But what about a process that runs even without a user
    > logged in such as a service? Well, since no user has in fact logged
    > on, it would appear that computer configuration settings are the only
    > settings that have been applied.


    ....but don't services require the specification of a user account
    to run under?
     
    kpg*, Jan 14, 2008
    #8
  9. John R

    John R Guest

    "kpg*" <> wrote in message
    news:Xns9A2564A5D41D1ipostthereforeiam@207.46.248.16...
    >> But what about a process that runs even without a user
    >> logged in such as a service? Well, since no user has in fact logged
    >> on, it would appear that computer configuration settings are the only
    >> settings that have been applied.

    >
    > ...but don't services require the specification of a user account
    > to run under?
    >
    >


    Yes, but most services run as the local system, and those that do have
    domain or local user specified as their logon simply authenticate, they do
    not process group policy (that I know of) since they are not an interactive
    logon.

    Of course, now you've given me something else to test ;)

    John R
     
    John R, Jan 14, 2008
    #9
  10. User Policies win, unless Loopback Processing is enabled with "Replace".
    This option overrides the User's policy settings, which is perfect for a
    public computer you want to disable administrative access with...

    Also, it's important to remember that, with the exception of Enforce, the
    last GPO applied wins.

    --
    ..rev

    www.askthemct.com
    ..
    "rileymartin" <> wrote in message
    news:...
    > Hi,
    >
    > In the MS Win2k3 Resource Kit the Group Policy Guide conflicts itself
    > on
    > p. 68 and on p. 73.
    >
    > On p. 68 it says when there is a conflict in policy between user
    > configuration settings and computer configuration settings, the user
    > configuration settings take precedence over the computer configuration
    > settings. However, on p. 73 it says the computer configuration settings
    > win?
    >
    > Am I missing something? Which one is right? Thanks.
    >
    > Riley
     
    .rev [askthemct.com], Jan 14, 2008
    #10
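
The loopback behaviour discussed in posts #6 and #10, as an added example that is not part of the original thread: a small Python model of which GPOs supply User Configuration when loopback processing is off, in Merge mode, or in Replace mode. The GPO names and setting names are hypothetical, the sample data is constructed, and the model deliberately ignores Enforced links, security filtering and WMI filters.

```python
"""Model of how loopback processing changes the GPO list used for
User Configuration. Added illustration; all names are hypothetical."""
from collections import namedtuple

# A GPO reduced to its name and the User Configuration settings it carries.
GPO = namedtuple("GPO", ["name", "user_settings"])

NONE, MERGE, REPLACE = "none", "merge", "replace"

# Constructed sample: GPOs in processing order (last one applied wins).
# USER_GPOS are in scope for the user account's location in the directory.
USER_GPOS = [
    GPO("Staff Desktop", {"NoControlPanel": 0, "ScreenSaverTimeout": 900}),
]
# COMPUTER_GPOS are in scope for the computer object's location; only their
# User Configuration half matters for loopback.
COMPUTER_GPOS = [
    GPO("Kiosk Lockdown", {"NoControlPanel": 1}),
]


def user_gpo_list(user_gpos, computer_gpos, mode=NONE):
    """Return the ordered GPO list processed for User Configuration."""
    if mode == NONE:
        # Normal processing: only the GPOs that apply to the user object.
        return list(user_gpos)
    if mode == MERGE:
        # User's GPOs first, then the computer's, so the computer's GPOs
        # are applied last and win any conflict.
        return list(user_gpos) + list(computer_gpos)
    if mode == REPLACE:
        # The user's own GPO list is discarded entirely.
        return list(computer_gpos)
    raise ValueError("unknown loopback mode: %r" % (mode,))


def resultant_user_policy(user_gpos, computer_gpos, mode=NONE):
    """Return {setting: (value, winning_gpo_name)}, the way an RSoP report
    shows both the effective value and the GPO that supplied it."""
    result = {}
    for gpo in user_gpo_list(user_gpos, computer_gpos, mode):
        for setting, value in gpo.user_settings.items():
            result[setting] = (value, gpo.name)  # later GPO overwrites earlier
    return result


if __name__ == "__main__":
    for mode in (NONE, MERGE, REPLACE):
        print(mode)
        policy = resultant_user_policy(USER_GPOS, COMPUTER_GPOS, mode)
        for setting, (value, source) in sorted(policy.items()):
            print("  %-20s = %-4s from %s" % (setting, value, source))
```

On a real machine, the equivalent check is to generate RSoP data for the same user on a loopback-enabled and a normal computer and compare the winning GPO listed for each setting.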
  11. Correct...They do not.

    --
    ..rev

    www.askthemct.com
    ..
    "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:%...
    >
    > "kpg*" <> wrote in message
    > news:Xns9A2564A5D41D1ipostthereforeiam@207.46.248.16...
    >>> But what about a process that runs even without a user
    >>> logged in such as a service? Well, since no user has in fact logged
    >>> on, it would appear that computer configuration settings are the only
    >>> settings that have been applied.

    >>
    >> ...but don't services require the specification of a user account
    >> to run under?
    >>
    >>

    >
    > Yes, but most services run as the local system, and those that do have
    > domain or local user specified as their logon simply authenticate, they do
    > not process group policy (that I know of) since they are not an
    > interactive logon.
    >
    > Of course, now you've given me something else to test ;)
    >
    > John R
    >
     
    .rev [askthemct.com], Jan 14, 2008
    #11
  12. catwalker63

    catwalker63 Guest

    "John R" <jsr^^^813@zoom^^^internet.net> prattled ceaselessly in
    news::

    >
    > "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    > news:...
    >>

    > <snip>
    >
    > ^^^
    > <Realizes his "inner-geek" is showing again>
    >
    >
    >


    :D

    --
    Catwalker
    MCNGP #43
    www.mcngp.com
    "Definitely not wearing any underwear."
     
    catwalker63, Jan 14, 2008
    #12
  13. FYI - It's good your GPOs don't do both. No GPO should configure user and
    computer settings. It should always be one or the other.

    --
    ..rev

    www.askthemct.com
    ..
    "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    news:...
    >
    > "Michael D. Alligood [CertGuard, Inc.]" <> wrote
    > in message news:...
    >> "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    >> news:#:
    >>

    >
    >> You just take the fun out of everything. ;)

    >
    > Sorry, Michael, but I really do agree with the OP, and I have seen it
    > documented both ways as he stated. And I agree with your post as well, I
    > was not trying to disagree with you.
    >
    > I forget who was asked if they wear boxers or briefs, and they answered
    > 'depends'. That caused a good laugh because the answer was taken
    > differently than it was intended. I have found that the same situation
    > applies to this OP's question. IMHO, you have to look at the setting
    > itself, what the setting applies to, and then of course take loopback
    > processing into account. If the setting is to a service, or sometimes
    > even to an application, if that application or service starts up prior to
    > a user logon, it will be the computer configuration that will take
    > priority unless it is a registry setting that the application queries
    > periodically like a SAV or ForeFront Client Security registry setting,
    > unless loopback processing is specified in replace or merge mode, unless,
    > unless, unless. The fact that MS even designed a loopback feature to allow
    > for the computer configuration settings to override the user settings
    > would indicate that it is the user settings that take precedence, but that
    > isn't always necessary.
    >
    > That is what I found in my testing. I was thoroughly confused on this
    > subject and actually spent about three weeks just changing two different
    > gpos, rebooting, running RSoP, etc, until I came to the answer 'depends'.
    > I don't remember if I was asked any questions on the test about conflicts,
    > but I do know that I was asked about loopback processing.
    >
    > Fortunately, our organization uses GPOs sparingly, and almost all GPOs
    > have only user or computer settings, not both. RSoP is really the best
    > tool to test with prior to assigning a GPO to a production OU, and I use
    > that extensively.
    >
    > John R
    >
     
    .rev [askthemct.com], Jan 14, 2008
    #13
  14. ".rev [askthemct.com]" <> wrote in message
    news:u$:

    > FYI - It's good your GPOs don't do both. No GPO should configure user and
    > computer settings. It should always be one or the other.
    >
    > --
    > .rev
    >
    > www.askthemct.com
    > .
    > "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    > news:...
    > >
    > > "Michael D. Alligood [CertGuard, Inc.]" <> wrote
    > > in message news:...
    > >> "John R" <jsr^^^813@zoom^^^internet.net> wrote in message
    > >> news:#:
    > >>

    > >
    > >> You just take the fun out of everything. ;)

    > >
    > > Sorry, Michael, but I really do agree with the OP, and I have seen it
    > > documented both ways as he stated. And I agree with your post as well, I
    > > was not trying to disagree with you.
    > >
    > > I forget who was asked if they wear boxers or briefs, and they answered
    > > 'depends'. That caused a good laugh because the answer was taken
    > > differently than it was intended. I have found that the same situation
    > > applies to this OP's question. IMHO, you have to look at the setting
    > > itself, what the setting applies to, and then of course take loopback
    > > processing into account. If the setting is to a service, or sometimes
    > > even to an application, if that application or service starts up prior to
    > > a user logon, it will be the computer configuration that will take
    > > priority unless it is a registry setting that the application queries
    > > periodically like a SAV or ForeFront Client Security registry setting,
    > > unless loopback processing is specified in replace or merge mode, unless,
    > > unless, unless. The fact that MS even designed a loopback feature to allow
    > > for the computer configuration settings to override the user settings
    > > would indicate that it is the user settings that take precedence, but that
    > > isn't always necessary.
    > >
    > > That is what I found in my testing. I was thoroughly confused on this
    > > subject and actually spent about three weeks just changing two different
    > > gpos, rebooting, running RSoP, etc, until I came to the answer 'depends'.
    > > I don't remember if I was asked any questions on the test about conflicts,
    > > but I do know that I was asked about loopback processing.
    > >
    > > Fortunately, our organization uses GPOs sparingly, and almost all GPOs
    > > have only user or computer settings, not both. RSoP is really the best
    > > tool to test with prior to assigning a GPO to a production OU, and I use
    > > that extensively.
    > >
    > > John R
    > >


    Agreed. Besides, I stopped using GPOs, or any policies for that matter.
    I turned the server room into a dungeon and punish. Thanks Cat for the
    ideas over the months.

    --
    Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
    The I.T. Classroom - http://www.theitclassroom.com/
    CertGuard, Inc. - http://www.certguard.com/
    Microsoft Exam Security Newsgroup -
    microsoft.public.certification.exam.security
     
    Michael D. Alligood [CertGuard, Inc.], Jan 15, 2008
    #14
  15. catwalker63

    catwalker63 Guest

    "Michael D. Alligood [CertGuard, Inc.]" <>
    prattled ceaselessly in news:#:


    >
    > Agreed. Besides, I stopped using GPOs, or any policies for that
    > matter. I turned the server room into a dungeon and punished myself.
    > Thanks Cat for the ideas over the months.
    >


    IFYPFY. And you're welcome.

    --
    Catwalker
    MCNGP #43
    www.mcngp.com
    "Definitely not wearing any underwear."
     
    catwalker63, Jan 15, 2008
    #15
  16. "catwalker63" <> wrote in message
    news:Xns9A25BB593772Bcatwalker63athotmail@216.196.97.136:

    > "Michael D. Alligood [CertGuard, Inc.]" <>
    > prattled ceaselessly in news:#:
    >
    >
    > >
    > > Agreed. Besides, I stopped using GPOs, or any policies for that
    > > matter. I turned the server room into a dungeon and punished myself.
    > > Thanks Cat for the ideas over the months.
    > >

    >
    > IFYPFY. And you're welcome.
    >
    > --
    > Catwalker
    > MCNGP #43
    > www.mcngp.com
    > "Definitely not wearing any underwear."


    Hmm... even better. ;)
    --
    Michael D. Alligood, MCITP, MCTS, MCSA, MCDST
    The I.T. Classroom - http://www.theitclassroom.com/
    CertGuard, Inc. - http://www.certguard.com/
    Microsoft Exam Security Newsgroup -
    microsoft.public.certification.exam.security
     
    Michael D. Alligood [CertGuard, Inc.], Jan 15, 2008
    #16