Lets say I have two OU's one to store computer objects and the other to store User accounts. If I create a GPO in the "Computers" OU, and set user configurations, will they take effect?
Do I have to actually create a GPO in the User accounts OU and set user configurations for them to work?
Do "Computer Config" settings only apply to computers in a OU, and "User Configuration" settings only apply to user accounts in a OU?
Best Answer
No. I mean, unless you stored User account objects in the OU named Computers, which is weird...
User settings of a GPO will only affect user accounts that reside in the OU(s) that are in the scope of where that GPO is linked.
Computer settings will only affect computer accounts that reside in the OU(s) that are in the scope of where that GPO is linked.
You can turn off either the computer settings or user settings portion of a GPO if you wish to optimize GPO processing... but I don't see that practice often in the wild.
You could do something like:
At the Toronto OU, you could link a GPO that contains both user and computer settings that are meant to apply to all user and computer objects in Toronto. You could then link a GPO to the Users OU that contains only User settings, and another GPO to the Computers OU that contains only computer settings. (Of course the assumption is you store only user account objects in the Users OU, and only computer account objects in the Computers OU.)
That is of course only an example. There are a hundred other ways to design your group policy and OU layout.
Edit: Greg Askew brings up a good point, (thank you,) and that is that you might now want to know about Group Policy lookback processing. Simply stated by Microsoft: