Can a user belong to more than one OU?

Jan 29, 2013

No, a user cannot belong to more than one OU at any one time. This question comes up frequently because we want to apply a different set of group policies to a user when they log into a special-use computer: for example, a terminal server, a computer in a public area, or even a computer training lab. When we log into those special-use computers, we want a different user experience than when we log into our regular desktop. The answer to this issue is to use what is called a Loopback Policy.
When a user starts up a computer, the GPOs based on the computer object's location in Active Directory are processed. With a Loopback Policy in place, when a user logs in, one of two things can happen. If the Loopback Policy is set to Replace mode, the user’s list of GPOs is not even retrieved from Active Directory. Instead, the GPOs based on the computer object's location in Active Directory are retrieved, and then processed for every user who logs into that computer. If the Loopback Policy is set to Merge mode, when a user logs in, the user’s list of GPOs is retrieved from Active Directory, and then the computer’s list of GPOs is retrieved. The list of GPOs for the computer is then added to the end of the GPOs for the user, which gives the computer GPOs a higher precedence. In short, the settings are merged, with the computer-based GPOs “winning” if there is a difference in the settings.
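
The following is an added example, not code from GPanswers.com or Microsoft: a simplified Python model of the processing order described above, showing which GPO supplies each user setting with no loopback, in Replace mode and in Merge mode. The GPO names, setting names and values are constructed for illustration.

```python
# Added illustration: a simplified model of loopback processing,
# not Microsoft's implementation. GPO names and settings are constructed.

# Each GPO is (name, user-side settings). Loopback only changes WHICH GPOs
# supply user settings at logon; the last GPO processed wins on a conflict.
USER_GPOS = [  # GPOs from the user object's location
    ("Staff Desktop", {"ControlPanel": "allowed",
                       "Wallpaper": "corporate.jpg",
                       "MappedDrive": "H:"}),
]
COMPUTER_GPOS = [  # GPOs from the computer object's location
    ("Training Lab Lockdown", {"ControlPanel": "blocked",
                               "Wallpaper": "lab.jpg"}),
]


def gpo_processing_list(user_gpos, computer_gpos, loopback=None):
    """Return the ordered GPO list used for user settings at logon."""
    if loopback is None:
        return list(user_gpos)                        # normal processing
    mode = loopback.lower()
    if mode == "replace":
        return list(computer_gpos)                    # user's list never retrieved
    if mode == "merge":
        return list(user_gpos) + list(computer_gpos)  # computer GPOs appended last
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """Apply GPOs in order; return {setting: (value, winning GPO name)}."""
    result = {}
    for name, settings in gpo_processing_list(user_gpos, computer_gpos, loopback):
        for key, value in settings.items():
            result[key] = (value, name)               # later GPO overwrites earlier
    return result


if __name__ == "__main__":
    for mode in (None, "Replace", "Merge"):
        print(f"loopback={mode}")
        effective = effective_user_settings(USER_GPOS, COMPUTER_GPOS, mode)
        for key, (value, source) in sorted(effective.items()):
            print(f"  {key} = {value}  (from {source})")
```

In the Merge result the user's mapped drive still follows them onto the lab computer, because no GPO at the computer's location sets it; Replace is the mode that drops it.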

Copyright © GPanswers.com. All rights reserved. GPanswers.com is a service of PolicyPak Software