Solved

GPOs are not applying like I expect them to.

Posted on 2008-10-08
25
230 Views
Last Modified: 2011-10-19
I have a 2003 SP1 AD. I have settings in the default domain policy GPO to activate a password-protected screensaver after 45 mins. of inactivity. And I also have it set to force log off when logon hours expire. I have the logon hours set in AD under everyone's user properties. None of these settings are working. I did a gpupdate on my PC and it shows the default domain policy has been applied but it's not working.

Any idea would be appreciated.
0
Comment
Question by:bankadmin
  • 14
  • 11
25 Comments
 
LVL 4

Expert Comment

by:lscapa
ID: 22668613
First off, you probably don't want this in your Default Domain Policy. Usually this is reserved for security-related policies that will affect your entire domain. Best option is to remove the settings and create a new group policy either at the root of the domain or, better yet, at the root of your Users OU, and set them here. Second, disable the computer side (this speeds up processing and your gpresult is cleaner), then make sure you select a screensaver file to use... After that, if it still doesn't apply, post the results of your gpresult.
0
 

Author Comment

by:bankadmin
ID: 22668808
disable the computer side?
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22669037
Not on your default domain policy...
You would need to create a new GP. The screen saver policy is set on the user configuration.
0
 

Author Comment

by:bankadmin
ID: 22669928
So I added the password protect settings to an existing user OU. I added the force logoff when logon time expires to an existing workstation OU. I will let it test overnight and let you know how it goes. Thanks for the advice..
0
 

Author Comment

by:bankadmin
ID: 22678533
It's still not working. I checked GP result and the GPO is being applied and the GPO is linked to the user group, but the screensaver is not working... Any ideas?
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22678577
post the results from a client of the following so we can see the policy structure.
GPRESULT /v > gp5.txt & gp.txt
0
 
LVL 4

Accepted Solution

by:
lscapa earned 500 total points
ID: 22678622
for the screen saver you must at least have the following set:
Screen Saver: Enabled
Screen Saver executable name: logon.scr (you can pick which ever one you want but this is a good one to use for testing)
Password Protect the screen saver: Enabled
Screen Saver Timeout: (Default is 15 minutes... in seconds)
 
0
 

Author Comment

by:bankadmin
ID: 22678793
All 4 settings have been configured. Attached are the results you requested. I have removed some info from there like user names and domain names.

Thanks
gp5.txt
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22678820
What is the name of the GPO with the screen saver settings configured?
0
 
LVL 4

Assisted Solution

by:lscapa
lscapa earned 500 total points
ID: 22678887
The applied screen saver settings are not getting applied to this user. You should see something like this under the user section if the screen saver was actually set:
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeout
Make sure you don't have "Block Inheritance" turned on anywhere in your OU path to the user location.
0
 

Author Comment

by:bankadmin
ID: 22678939
Our domain isn't overly complicated; basically it has the domain with all the OUs underneath it. And I don't see any block inheritance enabled anywhere.
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22679020
There are only a few ways a GP won't get applied.
1. Block Policy Inheritance is enabled on an upper OU.
2. Domain Replication is failing to a remote site, thus the policy file is not available.
3. Group Policy is not linked to an OU in the direct path of the object that needs to apply it.
4. User or object does not have rights to read/apply the policy (this can be checked via GPMC: once the policy is highlighted, in the right-hand pane there is a security tab. Make sure Authenticated Users have read/apply rights).
0

 
LVL 4

Expert Comment

by:lscapa
ID: 22679039
Forgot to mention:
 
#1 and #4 are highly unlikely since these would still show up as either BLOCKED or DENIED...
0
 

Author Comment

by:bankadmin
ID: 22679160
I checked and authenticated users do have rights to it. It is linked to the correct OU. There is no block inheritance anywhere. So I guess that leaves domain replication is failing. But when I do a gpresult it shows. Any more ideas you may have on this would be greatly appreciated. I'm not sure where or what to check next.
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22679199
The GP result that was posted is NOT showing the entries for a screen saver policy. What gpresult are you referring to? The one posted is missing the above key that I posted. What is the name of the Group Policy that has your screen saver policies set?
0
 

Author Comment

by:bankadmin
ID: 22679367
delete temp internet
0
 

Author Comment

by:bankadmin
ID: 22679387
When I do a gpresult, delete temp internet shows under Applied Group Policy Objects.
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22679694
Ok Yes the template is listed but not the screen saver settings. This section:
Administrative Templates
        ------------------------
            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   disabled

            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: delete temp internet
                Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
                State:   Enabled

            GPO: WSUSWorkstationPolicy
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled


Should also have a key that looks like:
 
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeout
Yours doesn't. Can you export the policy (not the gpresult) from GPMC and post?
0
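The check described in the post above, as an added example that is not part of the original thread: it parses the Administrative Templates entries of saved `gpresult /v` output, reports which screen saver registry values never appear, and lists registry paths reported more than once, as the Desktop path is in the excerpt. The sample text is constructed from that excerpt, and three of the four value names are supplied here rather than taken from the thread.

```python
import re
from collections import defaultdict

DESKTOP = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
# ScreenSaveTimeout is the value quoted in the thread; the other three names
# are supplied here for the remaining screen saver policies (an assumption).
REQUIRED = ["ScreenSaveActive", "SCRNSAVE.EXE", "ScreenSaverIsSecure", "ScreenSaveTimeout"]

# One entry: "GPO:", then "Setting:" or "KeyName:", an optional "Value:", then "State:".
ENTRY = re.compile(
    r"GPO:\s*(?P<gpo>.+?)\s*\n\s*(?:Setting|KeyName):\s*(?P<key>.+?)\s*\n"
    r"(?:\s*Value:.*\n)?\s*State:\s*(?P<state>\w+)", re.IGNORECASE)

# Constructed sample modelled on the excerpt posted above.
SAMPLE = r"""
    GPO: WSUSWorkstationPolicy
        Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
        State:   disabled

    GPO: WSUSWorkstationPolicy
        Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
        State:   Enabled

    GPO: delete temp internet
        Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
        State:   Enabled
"""

def parse_entries(text):
    """Return (gpo, registry path, state) for every entry found in the text."""
    return [(m["gpo"], m["key"], m["state"].lower()) for m in ENTRY.finditer(text)]

def audit(text):
    """Return (missing screen saver values, paths with more than one GPO/state pair)."""
    entries = parse_entries(text)
    seen = {key.lower() for _, key, _ in entries}
    missing = [v for v in REQUIRED if f"{DESKTOP}\\{v}".lower() not in seen]
    by_key = defaultdict(set)
    for gpo, key, state in entries:
        by_key[key.lower()].add((gpo, state))
    repeated = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return missing, repeated

if __name__ == "__main__":
    missing, repeated = audit(SAMPLE)
    print("missing screen saver values:", missing)
    for path, pairs in repeated.items():
        print("reported more than once:", path, pairs)
```
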
 

Author Comment

by:bankadmin
ID: 22680926
I will tomorrow; I'm leaving the office for the day. Thanks for your continued suggestions and I will post that tomorrow.
0
 

Author Comment

by:bankadmin
ID: 22686046
I didn't want to put the complete HTML file out there because it has too much info about specifics from our domain that shouldn't matter anyway, so I copied and pasted the relative output below. If this is not what you're looking for, let me know.

Policy Setting
Password protect the screen saver Enabled
Screen Saver Enabled
Screen Saver executable name Enabled
Screen Saver executable name logon.scr
 
Policy Setting
Screen Saver timeout Enabled
Number of seconds to wait to enable the Screen Saver
 
Seconds: 2700
 

Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy Setting
Empty Temporary Internet Files folder when browser is closed Enabled
0
 
LVL 4

Expert Comment

by:lscapa
ID: 22687135
Nope. You need to post the whole thing. There is nothing in the GPO that would be considered to be security related (no pw or user names or IP address etc.). Please post the WHOLE output; you can remove your domain name and group names and replace them with generic group1, group2, etc... But we need to see the security part esp. Also please post the OU org from top to where the users sit and include a list of GPOs. Have you verified there are no errors on the DCs for replication?
0
 

Author Comment

by:bankadmin
ID: 22740289
Sorry about the delay. I was on vacation this week and just got back. I will post the whole thing.
0
 

Author Comment

by:bankadmin
ID: 22745094
I hope this is what you're referring to; if not, let me know. You will have to change the file to a .htm to view it correctly.
delete-temp-internet.txt
0
 

Author Comment

by:bankadmin
ID: 22778618
Is that the file you were looking for?
0
 

Author Comment

by:bankadmin
ID: 23807345
Sorry about the slow response. After I got it working I just plain forgot to let you know what happened. I found a couple of GPOs were conflicting with each other.
0
