  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 830

Override a group policy at the local machine

We have a group policy within Active Directory to enable the screen saver and enforce the locking of the PC within 30 minutes.  The policy is under user configuration, admin templates, control panel/display.  The screen saver password protect is enabled, screen saver is enabled and the timeout is set to 1800 seconds.

My question is that we have one difficult employee who insists that his computer not lock.  I can't seem to find a way to make his local machine ignore this policy.  I've created the policy in reverse in his local machine's group policy, but that does not seem to matter.  The policy is by user, not machine. I've even created a different OU and put his username into it with the policy disabled, with no luck either.

Does anyone have any other suggestions?

Thank you

Asked:
jbishop2446b
 
Sinder255248 Commented:
Where is the policy that's enforcing the screensaver?  Is it at domain level and in the default domain policy?  Is this policy set to Enforce?
 
jbishop2446b (Author) Commented:
Hi there, the policy is at the domain level. I also tried putting it directly into an individual OU.  I did have it set to link enabled and enforced.  Should it just be link enabled?

Thank you for your help
 
snusgubben Commented:
Put the user in an individual OU, make a policy that disables password protection on the screen saver and link it to this OU, then block inheritance (and use Enforce/no-override on the policy).
 
jbishop2446b (Author) Commented:
How do you block inheritance? When I click on the OU, then the Group Policy Inheritance tab, it shows the new policy and the default domain policy (which is OK, it doesn't contain the policy for screen locking).
 
snusgubben Commented:
Right click the OU and select Properties
Select the 'Group Policy' tab for the new policy
Check the 'Block Policy inheritance' option
 
jbishop2446b (Author) Commented:
Thank you! I've made these changes and will report back to you with the result!
Other than the obvious, what is the difference between having a policy "enforced" checked on/off?  It seems like even if they're not "enforced" they're still active.
 
snusgubben Commented:
Enforced enabled means that you make sure the policy is not overridden by another policy that is processed at a later "stage". The policies are processed in this order: Local GPO - Site - Domain - OU

If you set a policy at the domain level saying "disable Run from startmenu" but have a policy at OU level saying "enable Run from startmenu", the user in the OU will see Run in his start menu. If you set Enforced on the policy at domain level, it will take precedence over the OU policy and the user will not see Run in the start menu.


SG
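
The precedence rules discussed in this thread (Local GPO - Site - Domain - OU, Enforced, Block Inheritance) can be modelled in a few lines. This is an added example, not part of the original thread: a simplified model that ignores security filtering, WMI filters, loopback and link order within a level, and the GPO names and setting labels are constructed.

```python
from dataclasses import dataclass

# Processing order described in the thread: Local GPO - Site - Domain - OU
LEVELS = ["local", "site", "domain", "ou"]

@dataclass
class Link:
    gpo: str                # GPO name (constructed for this example)
    level: str              # where the GPO is linked, one of LEVELS
    settings: dict          # setting label -> value
    enforced: bool = False  # "Enforced" (older consoles: "No Override")

def resolve(links, ou_blocks_inheritance=False):
    """Return {setting: (value, winning GPO)} for a user in the OU."""
    ordered = sorted(links, key=lambda l: LEVELS.index(l.level))
    normal = [l for l in ordered if not l.enforced]
    if ou_blocks_inheritance:
        # Block Inheritance drops non-enforced site/domain links only
        normal = [l for l in normal if l.level in ("local", "ou")]
    # Enforced links are applied after everything else, highest level last,
    # so an enforced domain link beats an enforced OU link.
    enforced = [l for l in reversed(ordered) if l.enforced]
    result = {}
    for link in normal + enforced:          # later writes win
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

def scenario(domain_enforced, ou_blocks, ou_enforced=False):
    """The thread's setup: domain screen-lock GPO vs. an exception GPO on an OU."""
    links = [
        Link("Domain Screen Lock", "domain",
             {"password_protect": "enabled", "timeout_seconds": 1800},
             domain_enforced),
        Link("Exception OU Policy", "ou",
             {"password_protect": "disabled"}, ou_enforced),
    ]
    return resolve(links, ou_blocks)

if __name__ == "__main__":
    for args in [(False, False), (False, True), (True, True), (True, False, True)]:
        print(args, scenario(*args))
```

The third and fourth cases show that while the domain link is Enforced, neither Block Inheritance nor an Enforced OU link removes the screen lock. On a real client, `gpresult /r /scope user` lists the GPOs that were actually applied to the user.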