Group Policy inconsistencies

napoleon41 asked (Medium Priority, 3,725 Views, Last Modified: 2012-08-13)
Our network consists of 7 domain controllers which carry out various functions at 3 sites.  Main network consists of 1 subnet as all are tied together via high-speed links (100mb) and so there are no site-links.  Just straight AD replication.

All of our users are grouped within various nested OUs following the convention: DOMAIN-->{Site}-->[Department]-->users.  That should be enough setup.

Thanks to some wonderful intentions (of a committee. -lol), we have created a screensaver that launches organization wide to display our corporate goals and such.  Unfortunately this interferes with our laboratory department as they cannot see orders flash on the screen when the screen saver is up, and we need to override the screen saver policy for that OU (department).  So far, we have been unsuccessful making this happen.  Here is our current Group Policy setup for this situation.

COMPUTER CONFIGURATION / ADMINISTRATIVE TEMPLATES
Policy                                                              Setting

Group Policy refresh interval for computers                         Enabled
      Minutes:                                                      15

Group Policy refresh interval for domain controllers                Enabled
      Minutes:                                                      1

Registry policy processing                                          Enabled
      Do not apply during periodic background processing            Disabled
      Process even if the Group Policy objects have not changed     Enabled

Security policy processing                                          Enabled
      Do not apply during periodic background processing            Disabled
      Process even if the Group Policy objects have not changed     Enabled

User Group Policy loopback processing mode                          Enabled
      Mode:                                                         Replace


USER CONFIGURATION / ADMINISTRATIVE TEMPLATES
Policy                                                              Setting

System/Group Policy
Group Policy domain controller selection                            Enabled
      When Group Policy Object Editor is selecting
      a domain controller to use, it should:                        Use the Primary DC

Group Policy refresh interval for users                             Enabled
      Minutes:                                                      15


Control Panel/Display
Policy                                                              Setting
Password protect the screen saver                                   Disabled
Screen Saver                                                        Enabled
Screen Saver executable name                                        Enabled
      Executable name:                                              \\server\share1\users\common\folder\focus.exe
Screen Saver timeout                                                Enabled
      Seconds:                                                      900


Author

Commented:
Figured I would break this up a bit.  Here is the configuration we set for the Laboratory OU.

USER CONFIGURATION / Administrative Templates
Control Panel/Display

Policy                                                              Setting
Hide Desktop tab                                                    Disabled
Hide Screen Saver tab                                               Disabled
Hide Settings tab                                                   Disabled
Password protect the screen saver                                   Disabled
Screen Saver                                                        Disabled
Screen Saver executable name                                        Disabled
Screen Saver timeout                                                Enabled
      Number of seconds to wait to enable the Screen Saver
      Seconds:                                                      0
 
CERTIFIED EXPERT
Top Expert 2005

Commented:
First off, where is this policy linked?

Secondly, why have you enabled Loopback Processing?

Lastly, the users in that department simply need to be placed into a Security Group then added to the ACL of the GPO directly.  Check the Apply Group Policy under DENY.  Hopefully, this Screensaver is in its own policy, otherwise everything else under the User Config in that policy will not apply.

Author

Commented:
Yes, the laboratory policy is enabled.  It is also set to be enforced.

For the person(s) who figure this out: you have my undying love . . . . er . . . appreciation that is.  This has absolutely driven me insane (as has the constant "status" requests of the squeaky-wheel laboratory department).  

Here's hoping that this issue makes sense to someone.  

Author

Commented:
Loopback:  argg.  Who knows why.  Turned it off.  Too many admins trying to fix this problem.  Even after reading the description twice, I am not sure how you would make this functional.  Put the computer account in an OU with users?  Very weird

Linking: Both are linked to <none> in the WMI filtering option.  
     Did some research on what this is, but didn't really find a good answer.  What is a WMI filter?

Author

Commented:
One more thing.  Under the Computer side of GP, I have the following entries that I cannot seem to track down.

Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting                                                                                      State
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousMachineGroupPolicy      0
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousUserGroupPolicy         0

     
CERTIFIED EXPERT
Top Expert 2005
Commented:
WMI filter is not necessary.

If the policy above is meant to fix the users that are having problems then delete it - it's causing more trouble than it's solving.

Create a new Security Group or use one that has all the users you DO NOT want this to apply to.  Add the users if a new one was created.
On the main GPO that sets this screensaver, select it under Group Policy Objects in GPMC.
On the right pane select the Delegation tab.
Click on the Advanced Button.
Click Add.
Type in the new group (or group you will use) into the search pane.
Click Check Names then OK when the correct group is shown.
Select the group you just added in the Group or usernames pane.
In the bottom pane put a checkmark in Apply Group Policy under the Deny column.

You should be done.

CERTIFIED EXPERT
Top Expert 2005

Commented:
When you do this (to reply to your last post) - connect to the domain from an XP SP2 workstation that has the AdminPack and GPMC installed.  This will update the ADMs when you connect.

Author

Commented:
GPMC and AdminPack rock!  Wow what great tools.  Saves me having to constantly log into a server to configure things.  

So . . .

I ran group policy modeling and group policy results for a computer and user and also the laboratory OU.  All of the policies check out that the laboratory GP is in fact winning and should be applied correctly!  The strange thing is that I manually edited the registry on all of the computers and turned off the screen saver (search for screensaveactive and set to 0) and within our allotted 15 minute window, the screen saver was back on (registry entries changed for the current user).  The domain GP is turning the policy back on for some reason or something.  Hmmmmmm.

Is it possible that the OU policy wins at login, but 15 minutes later the domain overwrites it?

Author

Commented:
Ah . . . drat. . . .

One more question.  Right now we just have 1 policy at the domain level.  Netman66, I am assuming from your directions above, "On the main GPO that sets this screensaver," that you are inferring that there can be more than one policy per container.  

If so, you are suggesting that I remove the screen saver settings (set them back to "not configured"?) from the "default domain policy" and create a second policy at the domain level with the setting configured in it?  (call it "screensaver").  Then set permissions to deny the dept_pharmacy security group from accessing it?  

Just confirming before I go through the work of it.
CERTIFIED EXPERT
Top Expert 2005

Commented:
Sure can, yes.  You can have as many policies as you like on each container.  It just slows down the logon process a bit.

And, yes on the second question.

Turn the screensaver setting in the Default Domain Policy off (toggle it to the opposite of what it is now).  Let it apply.

Create and link a new GPO at the domain level with just the screensaver settings.  Follow my directions above to set security on the policy.  This is referred to as Filtering.  If you have to Filter too much, then this indicates poor AD architecture.

Keep us posted.
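The procedure the expert describes in the two posts above (split the screensaver settings out of the Default Domain Policy into their own domain-linked GPO, then put the exempt users in a security group and deny that group "Apply Group Policy" on the GPO) can be scripted instead of clicked through in GPMC. The following is an added example, not code from the thread; the GPO name, the group name and the comment text are assumptions, and the UNC path is the one quoted in the question. It needs RSAT (the GroupPolicy and ActiveDirectory modules) and an account that can edit GPOs in the domain.

```powershell
# Added example (not from the original thread). Assumptions: GPO name, exempt group name
# and the comment are placeholders; the screensaver path is the one given in the question.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Corporate Screensaver'      # assumed name for the new, screensaver-only GPO
$denyGroup = 'Dept_Laboratory_NoSaver'    # assumed security group holding the exempt users
$saverPath = '\\server\share1\users\common\folder\focus.exe'

# The user-side "Control Panel\Display" screensaver policies are REG_SZ values under this key.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = @{
    'ScreenSaveActive'    = '1'          # Screen Saver: Enabled
    'SCRNSAVE.EXE'        = $saverPath   # Screen Saver executable name
    'ScreenSaveTimeOut'   = '900'        # Screen Saver timeout, in seconds
    'ScreenSaverIsSecure' = '0'          # Password protect the screen saver: Disabled
}

# 1. Put the screensaver values in the Default Domain Policy back to Not Configured.
foreach ($name in $settings.Keys) {
    Remove-GPRegistryValue -Name 'Default Domain Policy' -Key $key -ValueName $name `
        -ErrorAction SilentlyContinue | Out-Null
}

# 2. Create a GPO that carries only the screensaver settings and link it at the domain root.
$domainDN = (Get-ADDomain).DistinguishedName
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Screensaver settings, security-filtered (assumed comment)'
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name `
        -Type String -Value $settings[$name] | Out-Null
}

# 3. Deny "Apply Group Policy" to the exempt group. Set-GPPermission can only grant or
#    remove rights, so the Deny ACE is written on the GPO's AD container directly.
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # "Apply Group Policy" extended right
$groupSid = (Get-ADGroup -Identity $denyGroup).SID
$denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight
)
$gpoAdPath = "AD:\$($gpo.Path)"    # Gpo.Path is the DN of CN={GUID},CN=Policies,CN=System,<domain>
$acl = Get-Acl -Path $gpoAdPath
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpoAdPath -AclObject $acl

# 4. Verify: the Deny ACE should now be on the container, and the group should not appear
#    among the trustees the GPO applies to.
(Get-Acl -Path $gpoAdPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGroupPolicyRight } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because a Deny ACE wins over any Allow, members of the group stop receiving every setting in that GPO, which is why the screensaver settings have to live in a GPO of their own rather than in the Default Domain Policy. Run `gpupdate /force` on a lab workstation and check `gpresult /scope user /v` (or the `Control Panel\Desktop` policy key above) to confirm the values are gone for a lab user and still present for everyone else.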
CERTIFIED EXPERT
Top Expert 2005

Commented:
Oh...if the Lab GPO is trying to "undo" the Default Domain Policy's screensaver - remove it.  It's probably interfering with things we are trying to accomplish.

Author

Commented:
Worked like a charm.  Thanks for your help!