Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Group Policy User Configuration

Status
Not open for further replies.
tamtam

tamtam

MIS
Nov 22, 1999
29
US
I have created a GPO to have users' computers turn on the screen saver after 10 minutes of inactivity and password protect on resume. The issue I have is that there is a block of computers that I don't want this policy to apply to. This GPO is setup under User Configuration, so it has to be applied to users, not computers (at least that is what I understood from reading about Group Policy). Is there a way to block this policy from applying to the block of computers? Or is there a better way to setup this GPO so it does what I want? I would rather have it be applied to computers, than users. Thank you.
 
Sort by date Sort by votes
How about creating a new OU and moving the PCs there? Best practice is to not modify the defualt domain policy for things like this.
 
Upvote 0 Downvote
Actually, that is what I did originally, but the policy was not going down to the computer. Then after some reading, it sounds like you cannot apply User Configuration policies to computers. You can only apply User Configuration policies to users.
 
Upvote 0 Downvote
Make a group called something like "Deny Screen Save GPO" at the domain, then in the permissions on the GPO you created, set the permissions for this new group to "Deny Apply GPO". Put the users in that group that you don't want affected by the policy.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Upvote 0 Downvote
If I put computers in that OU, will it deny the policy to the computers when users login? I want to block the policy being applied to certain computers. We have some computers that are in our conference rooms that anyone can log into as themself. However, those computers have special screen saver settings that we need to keep in place, no matter who logs in. But when the users go back their desks and login, I would like the policy to apply to their computer.
 
Upvote 0 Downvote
ok, i misread that top section. I thought you were trying to block certain users, not computers. Let me think on this for a bit.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Upvote 0 Downvote
Put your screensaver policy into a seperate GPO. Apply the policy at the domain level. Used advanced view and edit the security settings on the GPO. Deny applying the policy to the computer objects of those computers you don't wish it to apply to. I'm not sure this will work since its a user policy and you are denying it to computers, but it's worth a try.


A+/MCP/MCSE/MCDBA
 
Upvote 0 Downvote
What you need is loopback processing. It is a setting you apply in the Computer section of the GPO that will allow you to apply user settings on a computer level. In your situation, the screensaver policy would be applied still but then you would undo it (replace with different settings) in the new loopback GPO.

I kind of rushed through that explanation so do some reading and searching but loopback is definitely what you need to use.
 
Upvote 0 Downvote
Thanks wcburton. I tried to use loopback processing, but I still wasn't able to get the desired effect. I must not be understanding loopback processing correctly. This is what I did:

I put a test computer into its own OU. Then I linked the screen saver GPO to the computer OU (So now it is linked to my test computer OU and test user OU). Then I went into the GPO and enabled loopback processing using replace mode in the Computer Configuration section. I went back to my test computer, logged in as my test user, and did a gpudate. Then I waited to see what happened. The screen saver GPO was still applied. The result that I want is that the GPO is not applied at all. Am I wrong in thinking that loopback processing will keep the user GPO from applying to the computer? Do I need to create a new GPO with the settings I want for the conference room computers, enable loopback processing on that GPO and link it to my computer OU? I am a little confused as to how to get this to work with loopback processing.
 
Upvote 0 Downvote
Sorry to leave you hanging. Have you gotten any closer to working this out?

Try this link:

From your earlier descriptions of your GPO setup, you need something in the user section of a GPO that is applied to your test machine that changes the screensaver behaviour that is applied in the screensaver GPO. This would be merge mode.

I believe that since you linked your screensaver GPO directly to the OU where your test computer is (as opposed to a parent OU) that the replace did not actually happen. I am not as sure of that statement as I would like to be, but there it is.

Also, if the screensaver setting was applied to the test PC even once, it will stay that way until it is overriden or disabled. That is why you cannot just delete a GPO to reverse its effect. You must set it to disabled first to allow the "undo" to propogate and then it can be deleted.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
270
DrB0b
DrB0b
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
96
penguinroundup
penguinroundup
rrmcguire
  • Locked
  • Question
group policy to set dns
Replies
2
Views
149
rrmcguire
rrmcguire
goombawaho
  • Locked
  • Question
Continuous RDP disconnection/reconnection for administrator user
Replies
5
Views
152
goombawaho
goombawaho
goombawaho
  • Locked
  • Question
How to open Change user role for user accounts wizard
Replies
2
Views
84
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top