Organizational Units

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Can anyone explain this to me,

If I want to secure offline files on several sales reps laptops in my company. I have a windows 2000 domain.

a.Place all reps in an OU, implement a GPO that will encrypt the offline files cache, and link the GPO to the OU.

b.Place all reps laptops in an OU, implement a GPO that will encrypt the offline files cache and link the GPO to the OU

I cant figure out the difference between the reps themselves being part of the OU or the reps laptops being part of the OU. Any advice on the pros/cons of each most appreciated.

 

yeah in this instance it seems laptops is the order of the day

this will apply the policy to the machine rther than the user, which for this task is more appropriate, what if a non rep logs into the laptop, all the files they use will not be encrytped

thats really the difference, this is machine specific not user specific

 

Think about an AD network in general, users aren't tied to a particular machine. By default, a user can log onto any workstation and similarly a computer can accept any user (although, it's not unusual for user logon restrictions to be implemented). This is one of the fundamental functionalities that a domain offers.

Just becuase we are refering to some machines as "sales reps laptops" that doesn't mean sales reps can't use other workstations or that a user from the finance department might borrow one of the laptops.

Group policies can be applied to computers or users. If a group policy is applied to a computer then it will apply to all users of that computer. Similarly, if a GPO is applied to a user then it will apply to that user no matter where they log in.

Some GPO options can be applied only to computers, some only to users, and some to both users and computers. This is why when you configure a GPO, the options are split between computers and users. (Computer options usually override user options when there is a conflict).

Options in the computer branch of a GPO will only affect computer objects, and options in the user branch of a GPO will only affect user objects.

In the specific case you mention, it would make sense that offline files were encrypted no matter who uses the laptops, therefore the policy should be applied to the computers (option b).

In actual fact you will find that this group policy option only exists in the computer branch of a GPO (due to the way offline files are stored, all users share the same cache location so it can only be controlled on a per computer basis). Therefore only option b would actually work.

z.

 

Thanks to all that replied,

A bit clearer now I think!