|
According to logic statements though, T or F is true since one of the criteria is met. Similarly, ~T or ~F is still true. True in this case is getting the printer mapped so the or statements shouldn't work. User A gets the printer for meeting "or the user isn't user B" requirement. Unless GPO is hosed up and processes this as ~(true or false), getting false. It should require an and statement since ~true and ~false is false. I've been struggling trying to wrap my head around this all day. But this thread has pointed me in the right direction. User A and user B are in a new security group, printer is applied to users not in the group. No need for two statements at all.
|
# ? Jun 6, 2014 03:16 |
|
As said before, you want not User A or User B, or ~(User A OR User B). Not User A and User B, or ~(User A AND User B), will always evaluate to true because there will never exist an individual user that is both User A and User B. Think of it with a few tests:

~(User A OR User B)
1. User A: ~(1 OR 0) = ~1 = 0 = False (i.e., don't apply policy)
2. User B: ~(0 OR 1) = ~1 = 0 = False (i.e., don't apply policy)
3. User C: ~(0 OR 0) = ~0 = 1 = True (i.e., apply policy)

~(User A AND User B)
1. User A: ~(1 AND 0) = ~0 = 1 = True (i.e., apply policy)
2. User B: ~(0 AND 1) = ~0 = 1 = True (i.e., apply policy)
3. User C: ~(0 AND 0) = ~0 = 1 = True (i.e., apply policy)

You may be meaning to say not User A and not User B, or (~User A AND ~User B), which is logically equivalent to ~(User A OR User B):

(~User A AND ~User B)
1. User A: (~1 AND ~0) = (0 AND 1) = 0 = False (i.e., don't apply policy)
2. User B: (~0 AND ~1) = (1 AND 0) = 0 = False (i.e., don't apply policy)
3. User C: (~0 AND ~0) = (1 AND 1) = 1 = True (i.e., apply policy)
|
# ? Jun 6, 2014 04:46 |
|
Ok cool, thanks. I've got the understanding of the logic down, it was just a question of how GPO processes two statements. If they were processed individually (~a and ~b) I need a different solution than if they are processed together as ~(a or b). The way it's worded on the screen implies they are processed individually because there is a not in front of both cases. It doesn't make sense that GPO would take two not statements, group them as positives, then add the negative to the group as the second example shows.
|
# ? Jun 6, 2014 12:19 |
|
This is a really useful thread. Thanks for all the helpful info, folks!
|
# ? Sep 10, 2014 19:23 |
|
Wizard of the Deep posted:
You won't see any serious slowdowns (under normal conditions) for adding another group or two

This is how we ended up with 6 times as many groups as users
|
# ? Sep 11, 2014 00:44 |
|
peak debt posted:
This is how we ended up with 6 times as many groups as users

I think at a 6:1 group:user ratio, we've stopped talking about "normal conditions".
|
# ? Sep 11, 2014 04:37 |