Solved

Group Policy question - locking desktops

Posted on 2004-10-13
5
231 Views
Last Modified: 2010-04-19
We have all of our XP pro systems running on a windows 2003 AD domain.  There is a group policy in place that locks the desktop after 10 minutes of inactivity.  I have a few desktops where I want to turn off this feature, but want to keep this policy in place for the rest.  How do I go about this?  I've tried looking around and the Group Policy is applied at the root of the AD so I can't see a way to do an exclude certain systems.  I assume I need to add them to a specific Group and then exclude that group, right?  Please be as verbose as possible in your reply and thanks!

-Patrick
0
Comment
Question by:oltraver
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12301211
If the policy is the default domain police then it will apply to all computers in the domain. What you need to do is to utilize Organization Unites (OUs) to group the computers the way you want them and then create a new group policy and apply it to the specific OU.

For example....create 2 OUs....one for the computers you want to lock down and one for the computers you don't. Create a policy...you can call it something like "lockdown" and apply it to the OU of the computers you want to lock down.

GPO applies to OUs, not specific users or groups.
0
 

Author Comment

by:oltraver
ID: 12301452
So I need to remove the locking property from the default domain policy first, then just apply it to an OU that I create for the non-locking computers?

If I already have a bunch of OUs defined and populated, do I need to create the locking policy for each of the existing ones that I want locked?  How can idetermine the policies that might ALREADY be applied to the existing OUs?

Sorry I don't know more about this, I inheritied this network form a previous admin.

Thanks!
0
 
LVL 18

Accepted Solution

by:
luv2smile earned 500 total points
ID: 12301584
You can link GPOs to different OUs...see the following article:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebb_gpu_onsl.asp

You can run the Resultant Set of Policy Tool to find out what GPOs are applied in your domain:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/RSPintro.asp
0
 
LVL 11

Expert Comment

by:cfairley
ID: 12304324
In order for policies to apply to an object, the object needs Read access and Apply access.  If you give the object the Deny privilage, it will not apply to that object.

I would add the PCs that I don't want the policy to apply to a security group.  Then open the security tab from the GPO and add the group to the list.  Then give that group the Deny privilage.  The policy will not apply to those PCs.  This is assuming that the settings are in the Computer configuration section of the policy and not the User section.  If you are not using settings from one of the sections, you can disable that part of the policy to speed up processing.  

Thanks,
Chris
0
 

Author Comment

by:oltraver
ID: 12312630
Thanks!  Those links had the last bits of info I needed to pull it all together.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now