Now that you have some experience with editing GPOs, you may have noticed that inside each GPO are two separate groups of settings. There are Computer Configuration settings, and there are User Configuration settings, as seen in the following screenshot:
At first glance, it almost looks like Group Policy is set up so that the same policy settings are available for either computer accounts or user accounts, but that is actually not the case at all. If you expand some of the folders and settings listed inside Group Policy Management Editor, you will shortly discover that most settings do not overlap; they are unique between the two sides.
It is most common to find organizations that make use of only Computer Configuration or only User Configuration within each individual GPO. This is a good practice, especially considering our previously mentioned best practice of configuring each GPO for a single, specific task. So, most often, you will find GPOs with computer settings linked to OUs that contain computer accounts, and GPOs with user settings linked to OUs that contain user accounts. There is certainly the potential to cross over settings, but organizing these settings and troubleshooting them later will be much more straightforward if you stick to the plan.
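As an added example (not part of the original text), the following PowerShell function reports which side of each GPO has ever been edited, so that GPOs mixing computer and user settings stand out. The function name `Get-GpoSideUsage` and the sample objects are constructed for illustration; the property names are the ones found on objects returned by `Get-GPO` in the GroupPolicy module.

```powershell
# Added example: classify GPOs by which configuration side has been edited.
# Input objects need the properties Get-GPO returns:
#   DisplayName, GpoStatus, User.DSVersion, Computer.DSVersion
function Get-GpoSideUsage {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Gpo)
    process {
        # Each side has its own version counter; 0 means it was never edited.
        # A non-zero value does not prove settings are still present today.
        $userUsed     = $Gpo.User.DSVersion -gt 0
        $computerUsed = $Gpo.Computer.DSVersion -gt 0

        if ($userUsed -and $computerUsed) { $usage = 'Mixed' }
        elseif ($computerUsed)            { $usage = 'ComputerOnly' }
        elseif ($userUsed)                { $usage = 'UserOnly' }
        else                              { $usage = 'Empty' }

        # Is the side that was never edited still enabled for processing?
        $status = [string]$Gpo.GpoStatus
        $unusedSideEnabled = switch ($usage) {
            'ComputerOnly' { $status -notin 'UserSettingsDisabled', 'AllSettingsDisabled' }
            'UserOnly'     { $status -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled' }
            default        { $false }
        }

        [pscustomobject]@{
            Name              = $Gpo.DisplayName
            Usage             = $usage
            GpoStatus         = $status
            UnusedSideEnabled = $unusedSideEnabled
        }
    }
}

# Constructed sample data shaped like Get-GPO output, so the script runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Workstation Firewall'; GpoStatus = 'UserSettingsDisabled'
        User = [pscustomobject]@{ DSVersion = 0 }; Computer = [pscustomobject]@{ DSVersion = 7 } }
    [pscustomobject]@{ DisplayName = 'Mapped Drives'; GpoStatus = 'AllSettingsEnabled'
        User = [pscustomobject]@{ DSVersion = 3 }; Computer = [pscustomobject]@{ DSVersion = 0 } }
    [pscustomobject]@{ DisplayName = 'Legacy Catch-All'; GpoStatus = 'AllSettingsEnabled'
        User = [pscustomobject]@{ DSVersion = 12 }; Computer = [pscustomobject]@{ DSVersion = 9 } }
)
$sample | Get-GpoSideUsage | Format-Table -AutoSize

# On a domain-joined management host, feed it real data instead:
#   Get-GPO -All | Get-GpoSideUsage | Where-Object Usage -eq 'Mixed'
```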
Computer Configuration settings get applied to computers, regardless of which users log in to those computers. When creating a GPO with computer settings, try to think outside the scope of users logged in to the machine and focus on the security and settings of the physical machine itself. User Configuration settings, in turn, are applied to users, no matter which computers they are logging in to. In an AD environment, user settings will follow the user to any domain-joined computer that they log in to. In the event that you have a GPO with both user and computer settings and they conflict, then in general the computer policies will win and take final effect.
Occasionally, you may have the need to issue user settings to anybody who logs in to a particular computer or group of computers. This capability is handled by something called Loopback Policy Processing, which we will discuss further in Chapter 5, Deploying Policy Settings.