I am having some confusion as to how computer-side GPO settings will be applied when a teacher logs in at a student computer, depending on the AD structure.
I have our AD structure with student users in one OU and Teachers in another OU right below the domain. The Teacher and Student OUs are not sub-OUs of one another, to make sure that privileges do not flow from one group to the other. I also have the student computers in a sub-OU of Students and Teacher computers in a sub-OU of Teachers. I feel that in doing this I will have issues when a teacher sits down at a student computer. I haven't completely tested it, but I think the teacher will get the computer settings from the Student GPO that is applied to the Student OU when the student computer is in a sub-OU. Should the teacher and student computers be in OUs at the root of the domain like the user OUs are, and then when a user logs in the computer-side settings of the GPO for the student or teacher will just apply to the computer? So basically, should I think of it as GPO settings are based on login and therefore follow the user, which is applied to the computer the user is logged into?
-Student Computer OU
-Teacher Computer OU
This way you can have common policies that apply to both and just the differentiated stuff apply to the sub users.
AD handles policies in two ways, by machine and by user.
User policies are handled by user logon (user objects in AD).
Machine policies are applied to machine objects in AD (i.e., computers).
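
Added example, not part of the thread: a simplified Python model of the rule in the reply above, applied to the layout from the question (a teacher logging on at a computer that sits in a sub-OU of Students). The DNs and GPO names are constructed for illustration, and the model assumes default processing: no loopback, block inheritance, enforced links, security filtering or site-linked GPOs.

```python
# Simplified model of GPO scoping; this is not AD's real processing engine.
# All DNs and GPO names are constructed sample data.

# GPOs linked at each container. Every GPO has a computer half and a user half.
GPO_LINKS = {
    "DC=school,DC=example": ["Domain Baseline"],
    "OU=Students,DC=school,DC=example": ["Student Policy"],
    "OU=Teachers,DC=school,DC=example": ["Teacher Policy"],
    "OU=Student Computers,OU=Students,DC=school,DC=example": ["Student PC Lockdown"],
}

STUDENT_PC = "CN=LAB-PC01,OU=Student Computers,OU=Students,DC=school,DC=example"
TEACHER = "CN=Teacher One,OU=Teachers,DC=school,DC=example"
STUDENT = "CN=Student One,OU=Students,DC=school,DC=example"


def container_chain(dn):
    """Containers above an object, domain first and nearest OU last."""
    # Naive split: assumes no escaped commas in the sample DNs.
    parts = dn.split(",")[1:]  # drop the object's own RDN (CN=...)
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[first_dc:])]          # the domain itself
    for i in range(first_dc - 1, -1, -1):         # then each OU, top down
        chain.append(",".join(parts[i:]))
    return chain


def linked_gpos(dn):
    """GPOs in application order (later entries win on conflicting settings)."""
    return [gpo for c in container_chain(dn) for gpo in GPO_LINKS.get(c, [])]


def effective_policy(computer_dn, user_dn):
    """Computer halves follow the computer object, user halves follow the user."""
    return {
        "computer_settings_from": linked_gpos(computer_dn),
        "user_settings_from": linked_gpos(user_dn),
    }


if __name__ == "__main__":
    for who in (TEACHER, STUDENT):
        print(who.split(",")[0], "on LAB-PC01:", effective_policy(STUDENT_PC, who))
```

In this model the computer-side list is identical for the teacher and the student, because it depends only on where the computer object lives; only the user-side list changes with who logs on.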