Solved

Group Policy question - locking desktops

Posted on 2004-10-13
Last Modified: 2010-04-19
We have all of our XP Pro systems running on a Windows 2003 AD domain. There is a group policy in place that locks the desktop after 10 minutes of inactivity. I have a few desktops where I want to turn off this feature, but want to keep this policy in place for the rest. How do I go about this? I've tried looking around and the Group Policy is applied at the root of the AD so I can't see a way to exclude certain systems. I assume I need to add them to a specific group and then exclude that group, right? Please be as verbose as possible in your reply and thanks!

-Patrick
Question by:oltraver
5 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12301211
If the policy is the default domain policy then it will apply to all computers in the domain. What you need to do is to utilize Organizational Units (OUs) to group the computers the way you want them and then create a new group policy and apply it to the specific OU.

For example....create 2 OUs....one for the computers you want to lock down and one for the computers you don't. Create a policy...you can call it something like "lockdown" and apply it to the OU of the computers you want to lock down.

GPO applies to OUs, not specific users or groups.
 

Author Comment

by:oltraver
ID: 12301452
So I need to remove the locking property from the default domain policy first, then just apply it to an OU that I create for the non-locking computers?

If I already have a bunch of OUs defined and populated, do I need to create the locking policy for each of the existing ones that I want locked? How can I determine the policies that might ALREADY be applied to the existing OUs?

Sorry I don't know more about this, I inherited this network from a previous admin.

Thanks!
 
LVL 18

Accepted Solution

by:
luv2smile earned 500 total points
ID: 12301584
You can link GPOs to different OUs...see the following article:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebb_gpu_onsl.asp

You can run the Resultant Set of Policy Tool to find out what GPOs are applied in your domain:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/RSPintro.asp
 
LVL 11

Expert Comment

by:cfairley
ID: 12304324
In order for policies to apply to an object, the object needs Read access and Apply access. If you give the object the Deny privilege, it will not apply to that object.

I would add the PCs that I don't want the policy to apply to a security group. Then open the security tab from the GPO and add the group to the list. Then give that group the Deny privilege. The policy will not apply to those PCs. This is assuming that the settings are in the Computer configuration section of the policy and not the User section. If you are not using settings from one of the sections, you can disable that part of the policy to speed up processing.

Thanks,
Chris
 

Author Comment

by:oltraver
ID: 12312630
Thanks!  Those links had the last bits of info I needed to pull it all together.
0
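
The question in the thread about finding which policies are already applied to existing OUs can also be answered with a script. The following is an added example, not part of any poster's reply: it assumes a management host with the RSAT `ActiveDirectory` and `GroupPolicy` PowerShell modules (newer than the Windows 2003 tooling discussed above), and the GPO name `Desktop Lock` is a hypothetical placeholder for the locking policy.

```powershell
# Added example: inventory every GPO that applies to each OU, so that screen-lock
# exemptions are visible and deliberate rather than accidental.
# Assumption: RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical name of the GPO that carries the 10-minute lock setting.
$LockGpoName = 'Desktop Lock'

function Get-OuGpoLinks {
    # One row per (OU, GPO) pair, in the precedence order Group Policy uses.
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $som = Get-GPInheritance -Target $ou.DistinguishedName
        # GPOs linked directly at this OU (as opposed to inherited from above).
        $directIds = @($som.GpoLinks | ForEach-Object { $_.GpoId })
        foreach ($link in $som.InheritedGpoLinks) {
            [pscustomobject]@{
                OU                 = $ou.DistinguishedName
                GPO                = $link.DisplayName
                Order              = $link.Order
                Enabled            = $link.Enabled
                Enforced           = $link.Enforced
                LinkedAt           = $link.Target
                LinkedDirectly     = $directIds -contains $link.GpoId
                InheritanceBlocked = $som.GpoInheritanceBlocked
            }
        }
    }
}

$rows = @(Get-OuGpoLinks)

# Full picture: what applies where, and where each link actually lives.
$rows | Sort-Object OU, Order | Format-Table OU, Order, GPO, LinkedAt, Enforced -AutoSize

# OUs whose computers do NOT receive an enabled link to the lock policy.
# These are the exemptions to review and document.
$allOus    = $rows | Select-Object -ExpandProperty OU -Unique
$lockedOus = $rows |
    Where-Object { $_.GPO -eq $LockGpoName -and $_.Enabled } |
    Select-Object -ExpandProperty OU -Unique
$allOus | Where-Object { $lockedOus -notcontains $_ } |
    ForEach-Object { "No enabled '$LockGpoName' link reaches: $_" }
```

This inventory covers links and inheritance only; a Deny entry on the GPO's security tab, as described in one of the comments above, does not show up in it and has to be checked on the GPO itself.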
