
Bypassing default domain policy

Status
Not open for further replies.

acl03

MIS
Jun 13, 2005
1,077
US
First off, let me say that we are not trying to circumvent our company's security policies by doing something they have not approved. I am trying to find a way to accomplish this task with their approval in a way that leaves their root domain/GPO structure unchanged.

We have a few computers in our corporate domain (most we have in our own domain).

The corporate domain imposes security settings via the Default Domain Policy (I am not a fan of this method). We have a few machines on which we need the screensaver timeout longer than 15 minutes (these are laptops used for presentations).

They have the "Enforced" option on the default domain policy, so override is not an option.

Is there a way to change this setting to a longer timeout without having to pull it out of the Default Domain Policy? Preferably without modifying their policy at all, as we are a tiny part of this domain.

This also needs to affect only a few computers (not users) so I understand loopback processing and/or security filtering of GPOs may need to be used.

Appreciate any insight.

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Creating a local account on the PCs and removing them from the domain is one option. Another would be to just create a .reg file with the correct settings and have the users run the file before they use the PC.

Eric
Houston Computer Repair
 
You need to request that the Screensaver timeout policy be put into its own separate GPO. Then they can apply that policy at the domain level, BUT exclude the presentation laptops from applying that GPO. I would also inform your IT department that adding frivolous settings like these to the Default Domain Policy is not Microsoft Best Practices...:) But good luck on the response to that.


_______________________________________
I hope any help I give leads to great successes.
MCSE, MCSA, MCTS, CCA, VCP, CCNA
 
BTW Utechnical...the .reg file would work only until the Group Policies are refreshed (standard interval of 15 minutes, I believe), at which point the screensaver timeout would be replaced. :)


_______________________________________
I hope any help I give leads to great successes.
MCSE, MCSA, MCTS, CCA, VCP, CCNA
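The two replies above turn on the question of which registry value actually governs the timeout and how long a manual change survives. The following PowerShell is an added example, not code from the thread or from Tek-Tips: it reports whether the effective screensaver timeout on the current machine comes from the Group Policy key or from the user's own preference key, and reads the policy-configured refresh interval if one is set. The registry paths and value names are the ones the "Screen saver timeout" and "Group Policy refresh interval" policies write; the 90-minute default and 30-minute random offset are the Windows defaults for domain members. The Policies value wins over the preference value when both are present, so a .reg file that edits only the preference key changes nothing, and one that rewrites the Policies key is overwritten whenever policy is reapplied.

```powershell
# Added example: where does this user's effective screensaver timeout come from,
# and how often will Group Policy get a chance to put its value back?

function Get-ScreenSaverTimeoutSource {
    # Written by the "Screen saver timeout" policy (REG_SZ, seconds).
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # Written by the Screen Saver control panel / a user's own .reg file.
    $prefKey   = 'HKCU:\Control Panel\Desktop'

    $policy = (Get-ItemProperty -Path $policyKey -Name ScreenSaveTimeOut -ErrorAction SilentlyContinue).ScreenSaveTimeOut
    $pref   = (Get-ItemProperty -Path $prefKey   -Name ScreenSaveTimeOut -ErrorAction SilentlyContinue).ScreenSaveTimeOut

    if ($null -ne $policy) {
        $source  = 'Group Policy (Policies hive) - a .reg edit of the preference key is ignored'
        $seconds = [int]$policy
    } elseif ($null -ne $pref) {
        $source  = 'User preference (no policy value present)'
        $seconds = [int]$pref
    } else {
        $source  = 'Not set'
        $seconds = 0
    }

    [pscustomobject]@{
        Source          = $source
        TimeoutSeconds  = $seconds
        TimeoutMinutes  = [math]::Round($seconds / 60, 1)
        PolicyValue     = $policy
        PreferenceValue = $pref
    }
}

function Get-GroupPolicyRefreshInterval {
    # "Set Group Policy refresh interval for users/computers" writes these two values
    # (minutes) under the System policy key; when absent the Windows defaults apply.
    $results = foreach ($scope in 'HKLM', 'HKCU') {
        $key  = "$($scope):\Software\Policies\Microsoft\Windows\System"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $base   = if ($null -ne $item.GroupPolicyRefreshTime)       { [int]$item.GroupPolicyRefreshTime }       else { 90 }
        $offset = if ($null -ne $item.GroupPolicyRefreshTimeOffset) { [int]$item.GroupPolicyRefreshTimeOffset } else { 30 }
        [pscustomobject]@{
            Scope            = if ($scope -eq 'HKLM') { 'Computer' } else { 'User' }
            ConfiguredByGPO  = ($null -ne $item.GroupPolicyRefreshTime)
            IntervalMinutes  = $base
            RandomOffsetMax  = $offset
            WorstCaseMinutes = $base + $offset
        }
    }
    $results
}

Get-ScreenSaverTimeoutSource   | Format-List
Get-GroupPolicyRefreshInterval | Format-Table -AutoSize
```

Run it as the user whose session is affected (the policy value lives under HKCU). Note that a background refresh only rewrites registry policy when a GPO has changed unless "Process even if the Group Policy objects have not changed" is enabled, so a hand-edited Policies value may linger past one interval; the interval read here is the upper bound on how long policy waits before it is even considered.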
 
I was thinking of scheduling a repeating task with VBScript to modify that reg key every so often.

"So often" being 1 minute less than the default GPO update time. I thought that was 2 hours, not 15 minutes...but I am probably remembering something else.

It's not worth the fight to get them to make major changes to their default policy. As I said normally we don't deal with corporate IT, we run our own shop in our section of the company.

I already told them that they shouldn't have stuff other than password settings in default domain policy, but like you said...good luck trying to get people to do what's right :) Especially when dealing with a security unit turned AD admins, not the other way around.

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
The only other thing I can think of to try is to deny read rights on the local GP folder. First you must allow system folders to be viewed. Then under Windows\system32 there is a Group Policy folder. You can change the security for this folder to Deny read. Now once you do that, it should prevent that computer from applying most Group Policies. But test this out. Also, make sure you have another computer you can browse to this folder/directory on the modified PC from, to make changing permissions back much easier.


_______________________________________
I hope any help I give leads to great successes.
MCSE, MCSA, MCTS, CCA, VCP, CCNA
 
If you use security filtering to deny a COMPUTER account rights to a GPO that has USER settings in it...will any user logging into that computer NOT get the settings?

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
The User would get its designated settings. The Computer would not. Unless the GPO is designed to be applied to only computer accounts regardless of who logs on. So authenticated users would have to be filtered out to prevent users from obtaining the gpo settings. Can you add a user group to the GPO and Deny it read rights? That would work.


_______________________________________
I hope any help I give leads to great successes.
MCSE, MCSA, MCTS, CCA, VCP, CCNA
 
Problem is, we only want those rights denied to a specific group of computers, not when they log into their normal workstations.

That's what made me think we'd need to use Loopback processing mode to do it, along with changes to their OU/GPO structure.

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 
Administering Group Policy to Provide a Consistent Desktop

With the loopback it should be doable. Enable replace mode, then create a GPO on the OU where these computer accounts are located. Then specify only user settings within that GPO to modify the setting you need.

Let me know if you get this to work.


_______________________________________
I hope any help I give leads to great successes.
MCSE, MCSA, MCTS, CCA, VCP, CCNA
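The reply above describes the loopback approach in three steps; the PowerShell below is an added example (not code from the thread, and not a Microsoft sample) that carries them out with the GroupPolicy module that ships with RSAT. It assumes the presentation laptops' computer accounts sit in an OU that holds nothing else, and the GPO name, OU path and one-hour timeout are placeholders chosen here. Scoping is done by the link alone: the GPO is linked only to the laptop OU and Authenticated Users keep their default Apply permission, so loopback replace hands its user settings to whoever logs on to a laptop and to nobody logging on elsewhere. One check a practitioner should run before promising results: an Enforced GPO linked at the domain is still in the computer's GPO list, so in replace mode the Default Domain Policy's screensaver value keeps winning the conflict until corporate IT moves the setting out or exempts the laptops, exactly as the earlier reply suggested. The gpresult call at the end is how to confirm which GPO is winning on a laptop.

```powershell
# Added example: create and link a loopback (replace) GPO that carries only the
# screensaver timeout as a user setting. Run on a machine with RSAT as an account
# that may create and link GPOs.
Import-Module GroupPolicy

$gpoName        = 'Presentation Laptops - Screen Saver Timeout'                 # placeholder
$targetOu       = 'OU=Presentation Laptops,OU=Workstations,DC=corp,DC=example'   # placeholder
$timeoutSeconds = 60 * 60   # one hour; the thread only asks for "longer than 15 minutes"

# Create the GPO if it does not already exist (re-running the script is safe).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Loopback replace: longer screen saver timeout on presentation laptops'
}

# Step 1 (computer side): enable loopback processing. UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 3 (user side): the same value the "Screen saver timeout" policy writes (REG_SZ, seconds).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveTimeOut' -Type String -Value "$timeoutSeconds" | Out-Null

# Step 2: link only to the OU that contains the laptops' computer accounts.
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Save a report of what the GPO contains for the security team's approval record.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP "$gpoName.html")

# Verification, to be run ON a laptop after a reboot or 'gpupdate /force':
# the user-scope RSoP lists the GPOs applied and the winning one for each setting.
# If the Enforced Default Domain Policy still owns ScreenSaveTimeOut, it is listed
# above this GPO and the timeout stays at 15 minutes.
#   gpresult /r /scope:user
```

Because replace mode discards the user's own OU-linked GPOs on these machines, put nothing in the laptop OU beyond this GPO unless it is meant for every user of those laptops, and re-run `gpresult /r /scope:user` after any change to the domain-level links.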
 
Thanks, I'll check it out. This is all dependent on security approving this change. They want to know how to do it before they approve or disapprove.

I'll let you know how we work this out, assuming we're allowed to do it.

Thanks,
Andrew

[medal] Hard work often pays off over time, but procrastination pays off right now!
 