Solved

Reset Screen Saver Group Policy - Server 2008

Posted on 2009-05-04
Last Modified: 2012-05-06
Hello Everyone,

   I have a small network on which various Group Policies are enforced to provide for specific security and functionality settings. One of these settings is that the screen saver should be enabled, and lock the workstation after 30 minutes. This works beautifully on all of our machines, and causes the options in the Screen Saver tab of the Display Settings to be greyed out. I have one machine that I would like to have allowed to change the screen saver options in this tab. I've placed it in its own OU and blocked policy inheritance, linking only the policies that don't enforce the screen saver settings.

   Despite there no longer being an enforced policy regarding screen saver settings for this machine, the settings in the Screen Saver tab remain greyed out. Is there a way to reset the Group Policy settings on this particular Server 2008 machine, or at least re-enable the Screen Saver configuration options? Any assistance would be greatly appreciated. Thanks!

Best Regards,
Martin Schultz
0
Question by:WideAreaMedia
10 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24297166

The screensaver settings are set in the 'User Configuration' section of a GPO, and therefore apply to the User objects in the domain, not the computer objects. Moving the computer object around and blocking inheritance to that object will have no effect, since it is the user account which is logging in which the policy is applying to.

The only way you can work around this is to move the users who will need the ability to change Screen Saver settings into their own OU out of scope of the GPO (either Block Inheritance or adjust your OU structure so they don't inherit the OU). This will, however, give them access to change their screen saver wherever they go.

The other approach in some cases would be to disable the restriction just on this one server by creating a new GPO on the server's OU, overriding the screen saver settings to 'Disabled' and then enabling Loopback. The problem here is this will simply do the opposite and turn off the screen saver; it won't enable you to unlock the settings so changes can be made.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297187
What you can try is to move the machine account to an OU without any Screen Saver GPO being linked to it, then log on and run gpupdate /force to refresh the GPO and verify the setting that you can adjust. Then move this machine object back to the OU where you definitely have block inheritance in place.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24297210
How are you setting the screen saver group policy?
Is it through
User Configuration | Administrative Templates | Control Panel | Display
If it is then it will affect the user logging in not the computer
You could use security filtering (more on that in link below) to exclude a user from the GPO and test
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297239

Americom,

Screen Saver GPOs do not tattoo - they are set in the HKCU\Software\Policies and will therefore be removed when the policy does not apply.

The problem here is because the Screen Saver settings are set in the USER configuration section, yet the user is attempting to block inheritance to the COMPUTER object. In doing this, only the settings in the 'Computer Configuration' section of inherited GPOs will be blocked; not the policies applying to the user object.

WideAreaMedia,

Whilst typing that I just had a thought about making this work on a per-computer basis. I'm not too sure if it will work and don't have access to my test environment to try it out, so don't get your hopes up.

Remove the screen saver setting from the current GPO and apply it to a GPO which is linked to all your Computers, rather than User Accounts. Then enable Loopback Processing in 'Merge' mode as per: http://support.microsoft.com/kb/231287. (I would set that in a Global Policy at the root of the domain).

In doing this, in theory, blocking the inheritance on the OU for one particular server will block the screen saver setting applying down to it, but only for users on that particular server. The same user logging into another machine should be restricted again.

-Matt
0
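To see on the affected server which of the cases discussed above applies, this added PowerShell example (not part of the original thread) reads the per-user policy values that grey out the Screen Saver tab and reports the loopback mode. The value names are the standard ones written by the Control Panel | Display screen saver policies; the function names are made up for this example, and it is meant to be run in the session of the user who sees the greyed-out tab.

```powershell
# Added diagnostic example; run as the logged-on user on the affected machine.
$policyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$loopbackKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$valueNames  = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

function Get-ScreenSaverPolicyState {
    # Any value present under the HKCU policy key means a User Configuration
    # GPO is still applying to this account, whatever OU the computer is in.
    param([string]$Path = $policyKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $valueNames) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$name]) {
            $value = $props.PSObject.Properties[$name].Value
        }
        New-Object psobject -Property @{
            Setting  = $name
            Enforced = ($null -ne $value)
            Value    = $value
        } | Select-Object Setting, Enforced, Value
    }
}

function Get-LoopbackMode {
    # UserPolicyMode is written by the "User Group Policy loopback
    # processing mode" computer policy: 1 = Merge, 2 = Replace.
    $item = Get-ItemProperty -Path $loopbackKey -Name UserPolicyMode -ErrorAction SilentlyContinue
    if (-not $item)                    { return 'Not configured' }
    if ($item.UserPolicyMode -eq 1)    { return 'Merge' }
    if ($item.UserPolicyMode -eq 2)    { return 'Replace' }
    return "Unknown ($($item.UserPolicyMode))"
}

Get-ScreenSaverPolicyState | Format-Table -AutoSize
"Loopback processing mode: $(Get-LoopbackMode)"

# List the GPOs applied to (and filtered out for) this user, to find the
# one that carries the screen saver settings.
gpresult /r /scope user
```

If the `Enforced` column is true for any setting while loopback is not configured, the settings are arriving through the user's own GPO links, which is why blocking inheritance on the computer's OU changes nothing.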
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297253

Mike,

The user is trying to exclude it applying to a PC, not a specific user :)

I think the approach at the end of my last comment will work but also make it more effective, because it saves having to define a specific computer account in Security Filtering.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24297304
Loopback does work, but I just rarely use it (mainly for our TS boxes).  Hopefully only admins log into 2008 server, I'd exclude them
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297384
If the user uses loopback, then it will work, as the user has so far talked only about machines and not users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297406
Also, even if it's being configured on the users and linked to an OU with user accounts, I have seen that when the GPO is removed, the settings are still not removed, even after gpupdate. It's just a screen saver GPO, so it shouldn't, but I have seen it, and one time I even had to run gpedit.msc locally on the machine to reset it.
0
 
LVL 1

Author Closing Comment

by:WideAreaMedia
ID: 31577626
Tigermatt,

   Thank you for the quick reply. This solution works for us, as we simply created a special, limited account that can log on to this machine only. I tweaked the Security Filtering so the screen saver policy wouldn't apply to the special account.
0
 
LVL 1

Author Comment

by:WideAreaMedia
ID: 24304612
Thanks to everyone for the comments - understanding this particular functionality of Group Policy will be very valuable in the future.

Best Regards,
Martin
0
