napoleon41
asked on
Group Policy inconsistencies
Our network consists of 7 domain controllers which carry out various functions at 3 sites. Main network consists of 1 subnet as all are tied together via high-speed links (100mb) and so there are no site-links. Just straight AD replication.
All of our users are grouped within various nested OUs following the convention: DOMAIN-->{Site}-->[Department]-->users. That should be enough setup.
Thanks to some wonderful intentions (of a committee. -lol), we have created a screensaver that launches organization wide to display our corporate goals and such. Unfortunately this interferes with our laboratory department as they cannot see orders flash on the screen when the screen saver is up, and we need to override the screen saver policy for that OU (department). So far, we have been unsuccessful making this happen. Here is our current Group Policy setup for this situation.
COMPUTER CONFIGURATION: ADMINISTRATIVE TEMPLATES
Policy Setting
Group Policy refresh interval for computers Enabled
Minutes: 15
Group Policy refresh interval for domain controllers Enabled
Minutes: 1
Registry policy processing Enabled
Do not apply during periodic background processing Disabled
Process even if the Group Policy objects have not changed Enabled
Security policy processing Enabled
Do not apply during periodic background processing Disabled
Process even if the Group Policy objects have not changed Enabled
User Group Policy loopback processing mode Enabled
Mode: Replace
USER CONFIGURATION/ ADMINISTRATIVE TEMPLATES
Policy Setting
System/Group Policy
Group Policy domain controller selection Enabled
When Group Policy Object Editor is selecting
a domain controller to use, it should: Use the Primary DC
Group Policy refresh interval for users Enabled
Minutes: 15
Control Panel/Display
Policy Setting
Password protect the screen saver Disabled
Screen Saver Enabled
Screen Saver executable name Enabled
Screen Saver executable name \\server\share1\users\common\folder\focus.exe
Screen Saver timeout Enabled
Seconds: 900
First off, where is this policy linked?
Secondly, why have you enabled Loopback Processing?
Lastly, the users in that department simply need to be placed into a Security Group then added to the ACL of the GPO directly. Check the Apply Group Policy under DENY. Hopefully, this Screensaver is in its own policy, otherwise everything else under the User Config in that policy will not apply.
ASKER
Yes, the laboratory policy is enabled. It is also set to be enforced.
For the person(s) who figure this out: you have my undying love . . . . er . . . appreciation that is. This has absolutely driven me insane (as has the constant "status" requests of the squeaky-wheel laboratory department).
Here's hoping that this issue makes sense to someone.
ASKER
Loopback: argg. Who knows why. Turned it off. Too many admins trying to fix this problem. Even after reading the description twice, I am not sure how you would make this functional. Put the computer account in an OU with users? Very weird
Linking: Both are linked to <none> in the WMI filtering option.
Did some research on what this is, but didn't really find a good answer. What is a WMI filter?
ASKER
One more thing. Under the Computer side of GP, I have the following entries that I cannot seem to track down.
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting State
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousMachineGroupPolicy 0
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousUserGroupPolicy 0
ASKER CERTIFIED SOLUTION
When you do this (to reply to your last post) - connect to the domain from an XP SP2 workstation that has the AdminPack and GPMC installed. This will update the ADMs when you connect.
ASKER
Found another answer to my "Extra Registry Settings" problem:
http://technet2.microsoft.com/WindowsServer/en/Library/098c1169-f76f-4e53-9208-c327bb97cee41033.mspx
ASKER
GPMC and AdminPack rock! Wow what great tools. Saves me having to constantly log into a server to configure things.
So . . .
I ran group policy modeling and group policy results for a computer and user and also the laboratory OU. All of the policies check out that the laboratory GP is in fact winning and should be being applied correctly! The strange thing is that I manually edited the registry on all of the computers and turned off the screen saver (search for screensaveactive and set to 0) and within our allotted 15 minute window, the screen saver was back on (registry entries changed for the current user). The domain GP is turning the policy back on for some reason or something. Hmmmmmm.
Is it possible that the OU policy wins at login, but 15 minutes later the domain overwrites it?
ASKER
Ah . . . drat. . . .
One more question. Right now we just have 1 policy at the domain level. Netman66, I am assuming from your directions above, "On the main GPO that sets this screensaver," that you are inferring that there can be more than one policy per container.
If so, you are suggesting that I remove the screen saver settings (set them back to "not configured"?) from the "default domain policy" and create a second policy at the domain level with the setting configured in it? (call it "screensaver"). Then set permissions to deny the dept_pharmacy security group from accessing it?
Just confirming before I go through the work of it.
Sure can, yes. You can have as many policies as you like on each container. It just slows down the logon process a bit.
And, yes on the second question.
Turn the screen saver setting in the Default Domain Policy off (toggle it to the opposite of what it is now). Let it apply.
Create and link a new GPO at the domain level with just the screensaver settings. Follow my directions above to set security on the policy. This is referred to as Filtering. If you have to Filter too much, then this indicates poor AD architecture.
Keep us posted.
Oh...if the Lab GPO is trying to "undo" the Default Domain Policy's screensaver - remove it. It's probably interfering with things we are trying to accomplish.
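The procedure Netman66 describes (a single-purpose screen saver GPO at the domain level, with the lab group denied Apply Group Policy, then checked with Group Policy Results) as an added PowerShell example; it is not from this thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules and a domain-admin session; the GPO name, the group name dept_laboratory, the user labuser and the computer LAB-PC01 are placeholders, and the screen saver path is the one from the question.

```powershell
# Added example, not from the thread. Assumes RSAT (GroupPolicy + ActiveDirectory
# modules) and a domain admin session. Names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Screensaver'         # new single-purpose GPO (assumed name)
$LabGroup = 'dept_laboratory'     # security group holding the lab users (assumed name)
$ScrExe   = '\\server\share1\users\common\folder\focus.exe'   # path from the question
$Domain   = Get-ADDomain

# 1. One GPO that carries only the screen saver settings, linked at the domain root,
#    so denying it to the lab group does not also strip them of the rest of the
#    Default Domain Policy's user settings.
$gpo = New-GPO -Name $GpoName -Comment 'Corporate screen saver; filtered for lab users'
New-GPLink -Name $GpoName -Target $Domain.DistinguishedName -LinkEnabled Yes | Out-Null

# User-side policy values behind the four Control Panel/Display settings in the question.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ScreenSaveActive'    -Type String -Value '1'     | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'SCRNSAVE.EXE'        -Type String -Value $ScrExe | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ScreenSaverIsSecure' -Type String -Value '0'     | Out-Null

# 2. Security filtering: a Deny ACE for the "Apply Group Policy" extended right on the
#    GPO's AD object (what GPMC's Delegation > Advanced "Deny" checkbox writes).
#    Set-GPPermission only grants or removes rights, so the Deny entry is added via ADSI.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy right GUID
$sid = (Get-ADGroup -Identity $LabGroup).SID
$obj = [ADSI]"LDAP://$($gpo.Path)"                             # cn={GUID},cn=policies,cn=system,...
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
           [System.Security.AccessControl.AccessControlType]::Deny,
           $applyGpRight)
$obj.ObjectSecurity.AddAccessRule($ace)
$obj.CommitChanges()

# 3. Verify: the group must show Apply Group Policy as Denied, and Group Policy Results
#    for a lab user on a lab machine must not list the new GPO among the applied GPOs.
Get-GPPermission -Name $GpoName -All | Where-Object { $_.Trustee.Name -eq $LabGroup }
Get-GPResultantSetOfPolicy -User "$($Domain.NetBIOSName)\labuser" -Computer 'LAB-PC01' `
    -ReportType Html -Path "$env:TEMP\labuser-rsop.html"
```

Once the new GPO is in place, set the screen saver entries in the Default Domain Policy and the Lab OU GPO back to Not Configured, as the answer above says, so nothing is left fighting the filtered GPO on each 15-minute refresh.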
ASKER
Worked like a charm. Thanks for your help!
ASKER
USER CONFIGURATION-->Administrative Templates
Control Panel/Display
Policy Setting
Hide Desktop tab Disabled
Hide Screen Saver tab Disabled
Hide Settings tab Disabled
Password protect the screen saver Disabled
Screen Saver Disabled
Screen Saver executable name Disabled
Screen Saver timeout Enabled
Number of seconds to wait to enable the Screen Saver
Seconds: 0