Organizational Units

Discussion in 'General Microsoft Certifications' started by MrNice, May 23, 2005.

  1. MrNice

    MrNice Kilobyte Poster

    Can anyone explain this to me,

    If I want to secure offline files on several sales reps' laptops in my company. I have a Windows 2000 domain.

    a. Place all reps in an OU, implement a GPO that will encrypt the offline files cache, and link the GPO to the OU.

    b. Place all reps' laptops in an OU, implement a GPO that will encrypt the offline files cache, and link the GPO to the OU.

    I can't figure out the difference between the reps themselves being part of the OU or the reps' laptops being part of the OU. Any advice on the pros/cons of each most appreciated.
  2. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    Well if the OU was applied to the Reps what would happen when they logged on when they are "on-site" rather than on the road?
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  3. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    Yeah, in this instance it seems laptops is the order of the day.

    This will apply the policy to the machine rather than the user, which for this task is more appropriate. What if a non-rep logs into the laptop? All the files they use will not be encrypted.

    That's really the difference: this is machine specific, not user specific.
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  4. zcapr17

    zcapr17 Nibble Poster

    Think about an AD network in general, users aren't tied to a particular machine. By default, a user can log onto any workstation and similarly a computer can accept any user (although, it's not unusual for user logon restrictions to be implemented). This is one of the fundamental functionalities that a domain offers.

    Just because we are referring to some machines as "sales reps' laptops", that doesn't mean sales reps can't use other workstations or that a user from the finance department might borrow one of the laptops.

    Group policies can be applied to computers or users. If a group policy is applied to a computer then it will apply to all users of that computer. Similarly, if a GPO is applied to a user then it will apply to that user no matter where they log in.

    Some GPO options can be applied only to computers, some only to users, and some to both users and computers. This is why when you configure a GPO, the options are split between computers and users. (Computer options usually override user options when there is a conflict).

    Options in the computer branch of a GPO will only affect computer objects, and options in the user branch of a GPO will only affect user objects.

    In the specific case you mention, it would make sense that offline files were encrypted no matter who uses the laptops, therefore the policy should be applied to the computers (option b).

    In actual fact you will find that this group policy option only exists in the computer branch of a GPO (due to the way offline files are stored, all users share the same cache location so it can only be controlled on a per computer basis). Therefore only option b would actually work.

    Certifications: MCSE:2K3 MCTS:Vista VCPv3 ITILv3 Sec+ L+
    WIP: MCITP Enterprise Admin 2008, CCA
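
A simplified model of the scoping rules described in the post above, added here as an example and not part of the original thread. It compares options (a) and (b) for a setting that exists only in the computer branch; the object names and the `EncryptOfflineFilesCache` key are constructed for illustration, and OU inheritance, security filtering and loopback processing are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer_settings: dict = field(default_factory=dict)  # computer branch
    user_settings: dict = field(default_factory=dict)      # user branch

@dataclass
class OU:
    name: str
    members: set                                  # user and/or computer object names
    linked_gpos: list = field(default_factory=list)

def effective_settings(user, computer, ous):
    """Settings in force when `user` logs on to `computer`.

    The computer branch of a GPO is read only if the computer object is in
    the linked OU; the user branch only if the user object is in it.
    """
    result = {}
    for ou in ous:
        for gpo in ou.linked_gpos:
            if computer in ou.members:
                result.update(gpo.computer_settings)
            if user in ou.members:
                result.update(gpo.user_settings)
    return result

# Constructed sample data: the setting lives only in the computer branch.
ENCRYPT = GPO("Encrypt offline files",
              computer_settings={"EncryptOfflineFilesCache": True})

def option_a():
    # (a) the reps' user accounts are in the OU the GPO is linked to
    return [OU("Sales Reps", {"rep1", "rep2"}, [ENCRYPT])]

def option_b():
    # (b) the reps' laptops are in the OU the GPO is linked to
    return [OU("Sales Laptops", {"LAPTOP01", "LAPTOP02"}, [ENCRYPT])]

if __name__ == "__main__":
    logons = [("rep1", "LAPTOP01"), ("finance1", "LAPTOP01"), ("rep1", "DESKTOP07")]
    for label, ous in (("a", option_a()), ("b", option_b())):
        for user, pc in logons:
            print(label, user, pc, effective_settings(user, pc, ous))
```

Under option (a) no logon picks up the setting, because the OU holds no computer objects for the computer branch to apply to; under option (b) every user of a laptop in the OU gets it, and a rep on an unrelated desktop does not.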
  5. MrNice

    MrNice Kilobyte Poster

    Thanks to all that replied,

    A bit clearer now I think!
