Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 288
  • Last Modified:

Group Policy question - locking desktops

We have all of our XP pro systems running on a windows 2003 AD domain.  There is a group policy in place that locks the desktop after 10 minutes of inactivity.  I have a few desktops where I want to turn off this feature, but want to keep this policy in place for the rest.  How do I go about this?  I've tried looking around and the Group Policy is applied at the root of the AD so I can't see a way to do an exclude certain systems.  I assume I need to add them to a specific Group and then exclude that group, right?  Please be as verbose as possible in your reply and thanks!

-Patrick
0
oltraver
Asked:
oltraver
  • 2
  • 2
1 Solution
 
luv2smileCommented:
If the policy is the default domain police then it will apply to all computers in the domain. What you need to do is to utilize Organization Unites (OUs) to group the computers the way you want them and then create a new group policy and apply it to the specific OU.

For example....create 2 OUs....one for the computers you want to lock down and one for the computers you don't. Create a policy...you can call it something like "lockdown" and apply it to the OU of the computers you want to lock down.

GPO applies to OUs, not specific users or groups.
0
 
oltraverAuthor Commented:
So I need to remove the locking property from the default domain policy first, then just apply it to an OU that I create for the non-locking computers?

If I already have a bunch of OUs defined and populated, do I need to create the locking policy for each of the existing ones that I want locked?  How can idetermine the policies that might ALREADY be applied to the existing OUs?

Sorry I don't know more about this, I inheritied this network form a previous admin.

Thanks!
0
 
luv2smileCommented:
You can link GPOs to different OUs...see the following article:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebb_gpu_onsl.asp

You can run the Resultant Set of Policy Tool to find out what GPOs are applied in your domain:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/RSPintro.asp
0
 
cfairleyCommented:
In order for policies to apply to an object, the object needs Read access and Apply access.  If you give the object the Deny privilage, it will not apply to that object.

I would add the PCs that I don't want the policy to apply to a security group.  Then open the security tab from the GPO and add the group to the list.  Then give that group the Deny privilage.  The policy will not apply to those PCs.  This is assuming that the settings are in the Computer configuration section of the policy and not the User section.  If you are not using settings from one of the sections, you can disable that part of the policy to speed up processing.  

Thanks,
Chris
0
 
oltraverAuthor Commented:
Thanks!  Those links had the last bits of info I needed to pull it all together.
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now