Group Policy inconsistencies

Posted on 2006-03-20
Last Modified: 2012-08-13
Our network consists of 7 domain controllers which carry out various functions at 3 sites.  Main network consists of 1 subnet as all are tied together via high-speed links (100mb) and so there are no site-links.  Just straight AD replication.

All of our users are grouped within various nested OUs following the convention: DOMAIN-->{Site}-->[Department]-->users.  That should be enough setup.

Thanks to some wonderful intentions (of a committee. -lol), we have created a screensaver that launches organization wide to display our corporate goals and such.  Unfortunately this interferes with our laboratory department as they cannot see orders flash on the screen when the screen saver is up, and we need to override the screen saver policy for that OU (department).  So far, we have been unsuccessful making this happen.  Here is our current Group Policy setup for this situation.

COMPUTER CONFIGURATION: ADMINISTRATIVE TEMPLATES
Policy                                                             Setting

Group Policy refresh interval for computers                        Enabled
      Minutes:                                                     15

Group Policy refresh interval for domain controllers               Enabled
      Minutes:                                                     1

Registry policy processing                                         Enabled
      Do not apply during periodic background processing           Disabled
      Process even if the Group Policy objects have not changed    Enabled

Security policy processing                                         Enabled
      Do not apply during periodic background processing           Disabled
      Process even if the Group Policy objects have not changed    Enabled

User Group Policy loopback processing mode                         Enabled
      Mode:                                                        Replace


USER CONFIGURATION: ADMINISTRATIVE TEMPLATES

System/Group Policy
Policy                                                             Setting

Group Policy domain controller selection                           Enabled
      When Group Policy Object Editor is selecting
      a domain controller to use, it should:                       Use the Primary DC

Group Policy refresh interval for users                            Enabled
      Minutes:                                                     15


Control Panel/Display
Policy                                                             Setting

Password protect the screen saver                                  Disabled
Screen Saver                                                       Enabled
Screen Saver executable name                                       Enabled
      Screen Saver executable name                                 \\server\share1\users\common\folder\focus.exe
Screen Saver timeout                                               Enabled
      Seconds:                                                     900

Question by:napoleon41
Author Comment

by:napoleon41
ID: 16241489
Figured I would break this up a bit.  Here is the configuration we set for the Laboratory OU.

USER CONFIGURATION: ADMINISTRATIVE TEMPLATES

Control Panel/Display
Policy                                                             Setting

Hide Desktop tab                                                   Disabled
Hide Screen Saver tab                                              Disabled
Hide Settings tab                                                  Disabled
Password protect the screen saver                                  Disabled
Screen Saver                                                       Disabled
Screen Saver executable name                                       Disabled
Screen Saver timeout                                               Enabled
      Number of seconds to wait to enable the Screen Saver
      Seconds:                                                     0
 
Expert Comment

by:Netman66
ID: 16241490
First off, where is this policy linked?

Secondly, why have you enabled Loopback Processing?

Lastly, the users in that department simply need to be placed into a Security Group then added to the ACL of the GPO directly.  Check the Apply Group Policy under DENY.  Hopefully, this Screensaver is in its own policy, otherwise everything else under the User Config in that policy will not apply.

Author Comment

by:napoleon41
ID: 16241538
Yes, the laboratory policy is enabled.  It is also set to be enforced.

For the person(s) who figure this out: you have my undying love . . . . er . . . appreciation that is.  This has absolutely driven me insane (as have the constant "status" requests of the squeaky-wheel laboratory department).

Here's hoping that this issue makes sense to someone.  
Author Comment

by:napoleon41
ID: 16241602
Loopback:  argg.  Who knows why.  Turned it off.  Too many admins trying to fix this problem.  Even after reading the description twice, I am not sure how you would make this functional.  Put the computer account in an OU with users?  Very weird.

Linking: Both are linked to <none> in the WMI filtering option.  
     Did some research on what this is, but didn't really find a good answer.  What is a WMI filter?

Author Comment

by:napoleon41
ID: 16241743
One more thing.  Under the Computer side of GP, I have the following entries that I cannot seem to track down.

Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

Setting                                                                                        State
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousMachineGroupPolicy        0
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousUserGroupPolicy           0

     
Accepted Solution

by:
Netman66 earned 2000 total points
ID: 16241808
WMI filter is not necessary.

If the policy above is meant to fix the users that are having problems then delete it - it's causing more trouble than it's solving.

Create a new Security Group or use one that has all the users you DO NOT want this to apply to.  Add the users if a new one was created.
On the main GPO that sets this screensaver, select it under Group Policy Objects in GPMC.
On the right pane select the Delegation tab.
Click on the Advanced Button.
Click Add.
Type in the new group (or group you will use) into the search pane.
Click Check Names then OK when the correct group is shown.
Select the group you just added in the Group or usernames pane.
In the bottom pane put a checkmark in Apply Group Policy under the Deny column.

You should be done.

Expert Comment

by:Netman66
ID: 16241817
When you do this (to reply to your last post) - connect to the domain from an XP SP2 workstation that has the AdminPack and GPMC installed.  This will update the ADMs when you connect.

Author Comment

by:napoleon41
ID: 16249673
GPMC and AdminPack rock!  Wow what great tools.  Saves me having to constantly log into a server to configure things.  

So . . .

I ran group policy modeling and group policy results for a computer and user and also the laboratory OU.  All of the policies check out that the laboratory GP is in fact winning and should be being applied correctly!  The strange thing is that I manually edited the registry on all of the computers and turned off the screen saver (search for screensaveactive and set to 0) and within our allotted 15 minute window, the screen saver was back on (registry entries changed for the current user).  The domain GP is turning the policy back on for some reason or something.  Hmmmmmm.

Is it possible that the OU policy wins at login, but 15 minutes later the domain overwrites it?
Author Comment

by:napoleon41
ID: 16249765
Ah . . . drat. . . .

One more question.  Right now we just have 1 policy at the domain level.  Netman66, I am assuming from your directions above, "On the main GPO that sets this screensaver," that you are inferring that there can be more than one policy per container.

If so, you are suggesting that I remove the screen saver settings (set them back to "not configured"?) from the "default domain policy" and create a second policy at the domain level with the setting configured in it?  (call it "screensaver").  Then set permissions to deny the dept_pharmacy security group from accessing it?  

Just confirming before I go through the work of it.
Expert Comment

by:Netman66
ID: 16252998
Sure can, yes.  You can have as many policies as you like on each container.  It just slows down the logon process a bit.

And, yes on the second question.

Turn the screensaver setting in the Default Domain Policy off (toggle it to the opposite of what it is now).  Let it apply.

Create and link a new GPO at the domain level with just the screensaver settings.  Follow my directions above to set security on the policy.  This is referred to as Filtering.  If you have to Filter too much, then this indicates poor AD architecture.

Keep us posted.
Expert Comment

by:Netman66
ID: 16253012
Oh...if the Lab GPO is trying to "undo" the Default Domain Policy's screensaver - remove it.  It's probably interfering with things we are trying to accomplish.

Author Comment

by:napoleon41
ID: 16258297
Worked like a charm.  Thanks for your help!