Group Policy inconsistencies

Our network consists of 7 domain controllers which carry out various functions at 3 sites.  Main network consists of 1 subnet as all are tied together via high-speed links (100mb) and so there are no site-links.  Just straight AD replication.

All of our users are grouped within various nested OUs following the convention: DOMAIN-->{Site}-->[Department]-->users.  That should be enough setup.

Thanks to some wonderful intentions (of a committee. -lol), we have created a screensaver that launches organization wide to display our corporate goals and such.  Unfortunately this interferes with our laboratory department as they cannot see orders flash on the screen when the screen saver is up, and we need to override the screen saver policy for that OU (department).  So far, we have been unsuccessful making this happen.  Here is our current Group Policy setup for this situation.

Policy                                                      Setting

Group Policy refresh interval for computers                 Enabled
      Minutes:                                              15
Group Policy refresh interval for domain controllers        Enabled
      Minutes:                                              1
Registry policy processing                                  Enabled
Do not apply during periodic background processing          Disabled
Process even if the Group Policy objects have not changed   Enabled
Security policy processing                                  Enabled
Do not apply during periodic background processing          Disabled
Process even if the Group Policy objects have not changed   Enabled
User Group Policy loopback processing mode                  Enabled
      Mode:                                                 Replace

Policy                                                      Setting

System/Group Policy
Group Policy domain controller selection                    Enabled
When Group Policy Object Editor is selecting
     a domain controller to use, it should:                 Use the Primary DC
Group Policy refresh interval for users                     Enabled
      Minutes:                                              15

Control Panel/Display
Policy                                                      Setting
Password protect the screen saver                           Disabled
Screen Saver                                                Enabled
Screen Saver executable name                                Enabled
Screen Saver executable name                                \\server\share1\users\common\folder\focus.exe
Screen Saver timeout                                        Enabled
      Seconds:                                              900

napoleon41 (Author) Commented:
Figured I would break this up a bit.  Here is the configuration we set for the Laboratory OU.

USER CONFIGURATION-->Administrative Templates
Control Panel/Display

Policy                                      Setting
Hide Desktop tab                            Disabled
Hide Screen Saver tab                       Disabled
Hide Settings tab                           Disabled
Password protect the screen saver           Disabled
Screen Saver                                Disabled
Screen Saver executable name                Disabled
Screen Saver timeout                        Enabled
Number of seconds to wait to enable the Screen Saver
       Seconds:                             0

First off, where is this policy linked?

Secondly, why have you enabled Loopback Processing?

Lastly, the users in that department simply need to be placed into a Security Group then added to the ACL of the GPO directly.  Check the Apply Group Policy under DENY.  Hopefully, this Screensaver is in its own policy, otherwise everything else under the User Config in that policy will not apply.

napoleon41 (Author) Commented:
Yes, the laboratory policy is enabled.  It is also set to be enforced.

For the person(s) who figure this out: you have my undying love . . . . er . . . appreciation that is.  This has absolutely driven me insane (as has the constant "status" requests of the squeaky-wheel laboratory department).

Here's hoping that this issue makes sense to someone.  

napoleon41 (Author) Commented:
Loopback:  argg.  Who knows why.  Turned it off.  Too many admins trying to fix this problem.  Even after reading the description twice, I am not sure how you would make this functional.  Put the computer account in an OU with users?  Very weird

Linking: Both are linked to <none> in the WMI filtering option.  
     Did some research on what this is, but didn't really find a good answer.  What is a WMI filter?

napoleon41 (Author) Commented:
One more thing.  Under the Computer side of GP, I have the following entries that I cannot seem to track down.

Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting                                                                                     State
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousMachineGroupPolicy     0
Software\Microsoft\Windows\CurrentVersion\Policies\System\SynchronousUserGroupPolicy        0

WMI filter is not necessary.

If the policy above is meant to fix the users that are having problems then delete it - it's causing more trouble than it's solving.

Create a new Security Group or use one that has all the users you DO NOT want this to apply to.  Add the users if a new one was created.
On the main GPO that sets this screensaver, select it under Group Policy Objects in GPMC.
On the right pane select the Delegation tab.
Click on the Advanced Button.
Click Add.
Type in the new group (or group you will use) into the search pane.
Click Check Names then OK when the correct group is shown.
Select the group you just added in the Group or usernames pane.
In the bottom pane put a checkmark in Apply Group Policy under the Deny column.

You should be done.
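
The security-filtering steps above, scripted as an added example that is not part of the original thread. It assumes a management host with the RSAT GroupPolicy and ActiveDirectory PowerShell modules (newer than the XP/Server 2003 tools discussed here); the GPO name 'Screensaver' and the group name 'Lab-NoScreensaver' are hypothetical. Set-GPPermission has no Deny level, so the ACE is written on the GPO's directory object, and a second function lists every such Deny so filtered GPOs stay easy to audit.

```powershell
# Added example. Assumes the RSAT GroupPolicy and ActiveDirectory modules.
# 'Screensaver' and 'Lab-NoScreensaver' are hypothetical names.
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right.
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Add-GpoApplyDeny {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $path  = "AD:\$($gpo.Path)"   # the GPO's groupPolicyContainer object

    # Same ACE the Delegation > Advanced dialog creates:
    # Deny + extended right "Apply Group Policy" for the group.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GpoApplyDeny {
    # Report every GPO that carries an explicit Deny on Apply Group Policy.
    foreach ($gpo in Get-GPO -All) {
        (Get-Acl -Path "AD:\$($gpo.Path)").Access |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.ObjectType -eq $ApplyGpoRight
            } |
            Select-Object @{n='Gpo';e={$gpo.DisplayName}}, IdentityReference
    }
}

Add-GpoApplyDeny -GpoName 'Screensaver' -GroupName 'Lab-NoScreensaver'
Get-GpoApplyDeny | Format-Table -AutoSize
```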


When you do this (to reply to your last post) - connect to the domain from an XP SP2 workstation that has the AdminPack and GPMC installed.  This will update the ADMs when you connect.

napoleon41 (Author) Commented:
GPMC and AdminPack rock!  Wow what great tools.  Saves me having to constantly log into a server to configure things.  

So . . .

I ran group policy modeling and group policy results for a computer and user and also the laboratory OU.  All of the policies check out that the laboratory GP is in fact winning and should be being applied correctly!  The strange thing is that I manually edited the registry on all of the computers and turned off the screen saver (search for screensaveactive and set to 0) and within our allotted 15 minute window, the screen saver was back on (registry entries changed for the current user).  The domain GP is turning the policy back on for some reason or something.  Hmmmmmm.

Is it possible that the OU policy wins at login, but 15 minutes later the domain overwrites it?

napoleon41 (Author) Commented:
Ah . . . drat. . . .

One more question.  Right now we just have 1 policy at the domain level.  Netman66, I am assuming from your directions above, "On the main GPO that sets this screensaver," that you are inferring that there can be more than one policy per container.

If so, you are suggesting that I remove the screen saver settings (set them back to "not configured"?) from the "default domain policy" and create a second policy at the domain level with the setting configured in it?  (call it "screensaver").  Then set permissions to deny the dept_pharmacy security group from accessing it?  

Just confirming before I go through the work of it.

Sure can, yes.  You can have as many policies as you like on each container.  It just slows down the logon process a bit.

And, yes on the second question.

Turn the screensaver setting in the Default Domain Policy off (toggle it to the opposite of what it is now).  Let it apply.

Create and link a new GPO at the domain level with just the screensaver settings.  Follow my directions above to set security on the policy.  This is referred to as Filtering.  If you have to Filter too much, then this indicates poor AD architecture.

Keep us posted.
Oh...if the Lab GPO is trying to "undo" the Default Domain Policy's screensaver - remove it.  It's probably interfering with things we are trying to accomplish.

napoleon41 (Author) Commented:
Worked like a charm.  Thanks for your help!
Windows Server 2003
