Granular application of a GPO

JPJeffery

Technical User
May 26, 2006
600
GB
Hello

I've created a GPO to enforce a standard Windows screensaver with a 10 minute timeout and password protection switched on.

The GPO is set at the domain level (therefore all OUs) but only applies to users who are in a security group.

It's all good, nothing bad.

Except that the Partners have decided that it shouldn't apply to people's home PCs (which are members of the domain and have persistent connections to the network over the internet thanks to Cisco home routers).

So, bearing in mind the GPO contains User Configuration (not Computer Configuration) the question is, how can I exclude users from the GPO when they're logged on to some PCs but not exclude them when on others?

Note that I can't apply the GPO on an OU by OU basis because it needs to apply to the 'Users' container which it appears I can only do by applying to the whole domain as I can't select, or even see, the Users container from the Group Policy Management MMC (otherwise this would be REALLY easy!)

TIA

JJ
Variables won't. Constants aren't
There is no apostrophe in the plural of PC (or PST, or CPU, or HDD, or FDD, and so on)
 
Create a GPO on the container that has the home PCs. On that GPO enable "Loopback Processing" and set it to "replace". This will enforce the user portion of the GPO that is assigned to those computers. This setting is commonly used for Citrix/Terminal Services environments where you want the user desktop experience to be different between the desktop and TS.

==============================================

Now, on the security side, I generally disagree with the motivations for this request. The homes of users are generally not as secure as your office. At the office, at least you know who has physical access to the PC. Since your users have a permanent connection from home to the office, there is a lot of potential to have unauthorized users gaining access to company data. A simple screensaver at least gives a first line defense.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
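
The loopback setup described in the reply above, as an added example that is not part of the original thread. It assumes the RSAT GroupPolicy module, a hypothetical GPO name, and a hypothetical OU holding the home PC computer accounts; the 14400-second timeout is the four hours mentioned later in the thread.

```powershell
#Requires -Modules GroupPolicy
# Added example, not code from the thread. Names marked "hypothetical" are assumptions.

$GpoName  = 'Home PCs - Screensaver (loopback)'   # hypothetical GPO name
$HomePcOu = 'OU=Home PCs,DC=example,DC=com'       # hypothetical OU containing the home PC computer objects

New-GPO -Name $GpoName -Comment 'User screensaver settings applied per computer via loopback' | Out-Null

# Computer Configuration: turn on user Group Policy loopback processing.
# UserPolicyMode: 1 = Merge, 2 = Replace (the mode suggested in the reply).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration: the screensaver policy values (stored as strings).
$DesktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Settings = [ordered]@{
    ScreenSaveActive    = '1'       # screensaver enabled
    ScreenSaverIsSecure = '1'       # password required on resume
    ScreenSaveTimeOut   = '14400'   # seconds (4 hours); the office GPO uses 600
}
foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $DesktopKey `
        -ValueName $name -Type String -Value $Settings[$name] | Out-Null
}

# Link to the OU of the home PCs. The GPO is scoped by where the COMPUTER
# object lives, even though the settings it carries are user settings.
New-GPLink -Name $GpoName -Target $HomePcOu -LinkEnabled Yes | Out-Null

# Review what the GPO now contains before relying on it.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $GpoName -Key $DesktopKey

# Checks to make afterwards:
#  - The domain-level screensaver GPO is also in scope for these computers.
#    The OU-linked GPO takes precedence for the same values unless the
#    domain link is set to Enforced, so confirm that link is not enforced.
#  - On a home PC, after 'gpupdate /force' and a fresh logon, run
#    'gpresult /r /scope user' and confirm this GPO is listed as applied.
```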
 
PSC, I completely agree with you about the Home PCs situation but it's out of my hands.

I might try and convince the Partner for IT to go for a similar GPO but with a longer timeout though.

Anyway, thanks for the solution (even though I've not tested it yet). I was beginning to think I'd have to write some sort of VB script instead of a GPO.

JJ
 
"OK," he said, "make it four hours for home PCs..."

Personally, I'd have said one hour, but hey.

JJ
 