Link to home
Start Free TrialLog in
Avatar of ArkAdmin
ArkAdminFlag for United States of America

asked on

How to create logoff policy in Group Policy Management

I'm trying to create a logoff policy as described here...
http://support.microsoft.com/?kbid=198642
However I am using the SBS 2003 Group Policy Management Console and the instructions for Windows 2000 don't seem relevant.
Where do I drill down in the GPMC in order to find and edit the logoff script?
Thanks.
Avatar of sk_raja_raja
sk_raja_raja
1.If you want to do it by number of inactivity hours, then you must use the WinExit.scr Screen Saver... which CAN be configured by Group Policy.  http:Q_21566165.html

2.Here's another reference which is more specific to SBS:  http://msmvps.com/blogs/kwsupport/archive/2004/09/01/12709.aspx

3.to be a bit more specific, look at this comment:  http:Q_21566165.html#14913265

4.You can use the "loopback" processing of group policies for that.
a. In the "Public WS" OU, create a new GPO named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better).
b. Now create your additional GPO(s) for your users in this OU; especially the screen saver setting ... If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to the public workstation. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your "Public WS" GPO.
Note that you do (or "may") *not* need to put the users in (or below) the "Public WS" OU. New GPOs in that OU will be applied to *all* users logging on to that machine, even though those users are not in/below the public WS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only the "Public WS"): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply" and "Read" permission for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

5.
ASKER CERTIFIED SOLUTION
Avatar of Jerrod_W
Jerrod_W
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial