GPO's are not apply like I expect them too.

I have a 2003 SP1 AD. I have settings in the default domain policy GPO to active a password protected screensaver after 45 mins. of inactivity. And I also have it set to force log off when logon hours expire. I have the logon hours set in AD under everyones user properties. None of these settings are working. I did a gpupdate on my PC and it shows the default domain policy has bee applied but its not working.

Any idea would be appreciated.
bankadminAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
lscapaConnect With a Mentor Commented:
for the screen saver you must at least have the following set:
Screen Saver: Enabled
Screen Saver executable name: logon.scr (you can pick which ever one you want but this is a good one to use for testing)
Password Protect the screen saver: Enabled
Screen Saver Timeout: (Default is 15 minutes... in seconds)
 
0
 
lscapaCommented:
First off you probebly don't want this in your Default Domain Policy. Usually this is reserved for security related policies that will affect your entire domain. Best option is to remove the settings and create a new group policy either at the root of the domain or better yet at the root of your Users OU, and set them here. Second disable the computer side (this speeds up processing and your gpresult is cleaner) then make sure you select a screensaver file to use... after that if it still doesn't apply post the results fo your gpresult.
0
 
bankadminAuthor Commented:
disable the computer side?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
lscapaCommented:
Not on your default domain policy...
You would need to create a new GP. the screen saver policy is set on the user configuration.
0
 
bankadminAuthor Commented:
So I added the password protect settings to an existing user OU. I added the force logoff when logon time expires to an existing workstation OU. I will let it test overnight and let you know how it goes. Thanks for the advice..
0
 
bankadminAuthor Commented:
Its still not working I checked GP result and the GPO is being applied and the GPO is linked to the user group but the screensaver is not working... Any ideas?
0
 
lscapaCommented:
post the results from a client of the following so we can see the policy structure.
GPRESULT /v > gp5.txt & gp.txt
0
 
bankadminAuthor Commented:
All 4 settings have been configured. Attached is the results you requested. I have removed some info from there like user names and domain names.

Thanks
gp5.txt
0
 
lscapaCommented:
What is the name of the GPO with the screen saver settings configured?
0
 
lscapaConnect With a Mentor Commented:
The applied screen saver settings are not getting applied to this user. You should see something like this under the user section if the screen saver was actually set:
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeout
Make sure you don't have "Block Inheritance" turned on anywhere in your OU path to the user location.
0
 
bankadminAuthor Commented:
Our domain isnt overly complicated bacically it has the domain with all the OU's underneth it.  And I dont see any block inheritance enabled anywhere.
0
 
lscapaCommented:
There's only a few  ways a GP won't get applied.
1. Block Policy Inheritance is enabled on a upper OU.
2. Domain Replication is failing to a remote site thus the policy file is not available.
3. Group Policy is not linked to a OU in the direct path of the object that needs to apply it.
4. User or object does not have rights to read/apply the policy (this can be checked via GPMC once the policy is highlighted, in the right hand pane there is a security tab. Make sure Authenticated users have read/apply rights.
0
 
lscapaCommented:
Forgot to mention:
 
#1 and #4 are highly unlikley since these would still show up as either BLOCKED or DENIED...
0
 
bankadminAuthor Commented:
I checked and authenticated users do have rights to it. It is linked to the correct OU. There is no block inheritance anywhere. So I guess that leaves Domain Replicationis failing. But when I do a gpresut it shows. Any more ideas you may have on this would be greatly appreciate Im not sure where or what to check next.
0
 
lscapaCommented:
The GP result that was posted is NOT showing the entries for a screen saver policy what gpresult are you referring? Th posted is missing the above key that I posted. What is the name of the Group Policy that has your screen saver policies set?
0
 
bankadminAuthor Commented:
delete temp internet
0
 
bankadminAuthor Commented:
when I do a gpresult  delete temp internet shows under Applied Group policy objects
0
 
lscapaCommented:
Ok Yes the template is listed but not the screen saver settings. This section:
Administrative Templates
        ------------------------
            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   disabled

            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: delete temp internet
                Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
                State:   Enabled

            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled


Should also have a key that looks like:
 
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeout
Your's doesn't. Can you export the policy (not the gpresult) from GPMC and post?
0
 
bankadminAuthor Commented:
I will tomorrow Im leaving the office for the day. Thanks for your continued suggestions and I will post that tomorrow
0
 
bankadminAuthor Commented:
I didnt want to put the complete HTML file out there becuase it has to much info about specifice from our domain that shouldnt matter anyways so I copied and pasted the relitive output below. If this is not what your looking for let me know.

Policy Setting
Password protect the screen saver Enabled
Screen Saver Enabled
Screen Saver executable name Enabled
Screen Saver executable name logon.scr
 
Policy Setting
Screen Saver timeout Enabled
Number of seconds to wait to enable the Screen Saver
 
Seconds: 2700
 

Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy Setting
Empty Temporary Internet Files folder when browser is closed Enabled
0
 
lscapaCommented:
Nope. You need to post the whole thing. There is nothing in the GPO that would be considered to be security related (no pw or user names or IP address etc.) Please post the WHOLE output you can remove your domain name and group names and replace them with generic group1 group2 ect... But we need to see the security part esp. Also please post the OU org from top to where  the users sit and include a list of GPO's. Have you verified there is no errors on the DC's for replication?
0
 
bankadminAuthor Commented:
Sorry about the delay I was on vacation this week and just got back I will post the whole thing
0
 
bankadminAuthor Commented:
I hope this is what your refering to if not let me know.. you will have to change the file to a .htm to view it correctly.
delete-temp-internet.txt
0
 
bankadminAuthor Commented:
Is that the file you were looking for?
0
 
bankadminAuthor Commented:
Sorry about the slow response after I got it working I just plain forgot to let you know what happened. I found a couple of GPO's were conflicting with each other.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.