Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Applying a user group policy to only a limited number of computers in the same OU

Status
Not open for further replies.

steve00

Technical User
Jul 22, 2005
11
GB
Hello all,

We have all our computers and users in Active Directory split between different OU’s that represent out different departments. This way we can create gpo’s and link them to the relevant departmental OU. We have a screensaver user policy which turns on the screensaver after a period of inactivity which we have linked at the top of the active directory hierarchy so that it filters down to all the users.

Like this.

--Organisation -------------> Screen saver policy applied here
----department1
--------user1
--------user2
--------computer1
--------computer2
--------computer3
--------computer4
----department2
--------user3
--------user4
--------computer5
--------computer6
--------computer7
----department3
--------user5
--------user6
--------computer8
--------computer9


We now need to exclude certain computers from the screensaver policy, for example let’s say computers 3,5 and 8. We can’t move the affected computers into another new OU as they then wouldn’t pick up their departmental gpo which are applied at the departmental ou level. What’s the best way to go about this?

This is what I’ve tried to do so far. I’ve created another gpo (screensaver override) which has the user group policy loopback processing mode setting enabled and set the screensaver to be disabled. I then linked this at the same level as the existing screen saver policy and ensured it was set as a higher priority link order so that it overwrote the existing screensaver policy. To ensure that the policy only applied to the computers I wanted it to I added the affected computers to the security filtering box for the screensaver override policy.

This doesn’t work though. If I leave the default Authenticated Users group in the security filtering box alongside the computers the policy applies to everyone, if I remove the authenticated users group it applies to no one. I’m guessing as the screensaver policy is a user policy it’s only looking at users and is ignoring my computers.
 
You need to DENY the "Apply Group Policy" to machines that you DON'T want to have the GPO applied.

Thanks,
Andrew

[smarty] Hard work often pays off over time, but procrastination pays off right now!
 
Hi Andrew,

I have tried denying the computers I don't want the policy applied to. I think the problem is that the screensaver setting is part of the user side of the policy and i'm trying to block it based on computer. So it's seeing Authenticated users and using that to apply it everything regardless of what computes I add to the permissions list.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top