Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Group Policy question - locking desktops

Posted on 2004-10-13
5
Medium Priority
?
282 Views
Last Modified: 2010-04-19
We have all of our XP pro systems running on a windows 2003 AD domain.  There is a group policy in place that locks the desktop after 10 minutes of inactivity.  I have a few desktops where I want to turn off this feature, but want to keep this policy in place for the rest.  How do I go about this?  I've tried looking around and the Group Policy is applied at the root of the AD so I can't see a way to do an exclude certain systems.  I assume I need to add them to a specific Group and then exclude that group, right?  Please be as verbose as possible in your reply and thanks!

-Patrick
0
Comment
Question by:oltraver
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12301211
If the policy is the default domain police then it will apply to all computers in the domain. What you need to do is to utilize Organization Unites (OUs) to group the computers the way you want them and then create a new group policy and apply it to the specific OU.

For example....create 2 OUs....one for the computers you want to lock down and one for the computers you don't. Create a policy...you can call it something like "lockdown" and apply it to the OU of the computers you want to lock down.

GPO applies to OUs, not specific users or groups.
0
 

Author Comment

by:oltraver
ID: 12301452
So I need to remove the locking property from the default domain policy first, then just apply it to an OU that I create for the non-locking computers?

If I already have a bunch of OUs defined and populated, do I need to create the locking policy for each of the existing ones that I want locked?  How can idetermine the policies that might ALREADY be applied to the existing OUs?

Sorry I don't know more about this, I inheritied this network form a previous admin.

Thanks!
0
 
LVL 18

Accepted Solution

by:
luv2smile earned 2000 total points
ID: 12301584
You can link GPOs to different OUs...see the following article:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebb_gpu_onsl.asp

You can run the Resultant Set of Policy Tool to find out what GPOs are applied in your domain:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/RSPintro.asp
0
 
LVL 11

Expert Comment

by:cfairley
ID: 12304324
In order for policies to apply to an object, the object needs Read access and Apply access.  If you give the object the Deny privilage, it will not apply to that object.

I would add the PCs that I don't want the policy to apply to a security group.  Then open the security tab from the GPO and add the group to the list.  Then give that group the Deny privilage.  The policy will not apply to those PCs.  This is assuming that the settings are in the Computer configuration section of the policy and not the User section.  If you are not using settings from one of the sections, you can disable that part of the policy to speed up processing.  

Thanks,
Chris
0
 

Author Comment

by:oltraver
ID: 12312630
Thanks!  Those links had the last bits of info I needed to pull it all together.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question