  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7659

Reset Screen Saver Group Policy - Server 2008

Hello Everyone,

   I have a small network on which various Group Policies are enforced to provide for specific security and functionality settings. One of these settings is that the screen saver should be enabled, and lock the workstation after 30 minutes. This works beautifully on all of our machines, and causes the options in the Screen Saver tab of the Display Settings to be greyed out. I have one machine that I would like to have allowed to change the screen saver options in this tab. I've placed it in its own OU and blocked policy inheritance, linking only the policies that don't enforce the screen saver settings.

   Despite there no longer being an enforced policy regarding screen saver settings for this machine, the settings in the Screen Saver tab remain greyed out. Is there a way to reset the Group Policy settings on this particular Server 2008 machine, or at least re-enable the Screen Saver configuration options? Any assistance would be greatly appreciated. Thanks!

Best Regards,
Martin Schultz
 
tigermatt Commented:

The screensaver settings are set in the 'User Configuration' section of a GPO, and therefore apply to the User objects in the domain, not the computer objects. Moving the computer object around and blocking inheritance to that object will have no effect, since it is the user account which is logging in which the policy is applying to.

The only way you can work around this is to move the users who will need the ability to change Screen Saver settings into their own OU out of scope of the GPO (either Block Inheritance or adjust your OU structure so they don't inherit the OU). This will, however, give them access to change their screen saver wherever they go.

The other approach in some cases would be to disable the restriction just on this one server by creating a new GPO on the server's OU, overriding the screen saver settings to 'Disabled' and then enabling Loopback. The problem here is this will simply do the opposite and turn off the screen saver; it won't enable you to unlock the settings so changes can be made.

-Matt
0
 
Americom Commented:
What you can try is to move the machine account to an OU without any Screen Saver GPO linked to it, then log on and run gpupdate /force to refresh the GPO and verify that you can adjust the setting. Then move this machine object back to the OU where you definitely have block inheritance in place.
0
 
Mike Kline Commented:
How are you setting the screen saver group policy?
Is it through
User Configuration | Administrative Templates | Control Panel | Display
If it is then it will affect the user logging in not the computer
You could use security filtering (more on that in link below) to exclude a user from the GPO and test
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0
 
tigermatt Commented:

Americom,

Screen Saver GPOs do not tattoo - they are set in the HKCU\Software\Policies and will therefore be removed when the policy does not apply.

The problem here is because the Screen Saver settings are set in the USER configuration section, yet the user is attempting to block inheritance to the COMPUTER object. In doing this, only the settings in the 'Computer Configuration' section of inherited GPOs will be blocked; not the policies applying to the user object.

WideAreaMedia,

Whilst typing that I just had a thought about making this work on a per-computer basis. I'm not too sure if it will work and don't have access to my test environment to try it out, so don't get your hopes up.

Remove the screen saver setting from the current GPO and apply it to a GPO which is linked to all your Computers, rather than User Accounts. Then enable Loopback Processing in 'Merge' mode as per: http://support.microsoft.com/kb/231287. (I would set that in a Global Policy at the root of the domain).

In doing this, in theory, blocking the inheritance on the OU for one particular server will block the screen saver setting applying down to it, but only for users on that particular server. The same user logging into another machine should be restricted again.

-Matt
0
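To confirm the diagnosis in the comment above on a given machine, the following check is an added example and not part of the original thread. It assumes PowerShell 2.0 or later, run as the affected user; the `Get-PolicyValue` helper is hypothetical, and the `gpresult` filter assumes the verbose output prints the registry path next to the GPO name, which varies by Windows version.

```powershell
# Added example (not from the thread). Run as the affected user on the affected machine.
$userKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$loopKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue($Path, $Name) {
    # Hypothetical helper: returns $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. User Configuration screen saver values written under HKCU\Software\Policies.
#    Each value that is present locks the matching control on the Screen Saver tab.
$names = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'
$applied = @()
foreach ($n in $names) {
    $v = Get-PolicyValue $userKey $n
    if ($null -ne $v) { $applied += "$n = $v" }
}

if ($applied.Count -gt 0) {
    'Screen saver policy applies to {0}\{1}:' -f $env:USERDOMAIN, $env:USERNAME
    $applied | ForEach-Object { "  $_" }
} else {
    'No screen saver policy values found for this user; the tab should be editable.'
}

# 2. Loopback processing mode set on the computer (1 = Merge, 2 = Replace).
$mode = Get-PolicyValue $loopKey 'UserPolicyMode'
if ($mode -eq 1) {
    'Loopback: Merge (user settings from GPOs linked to the computer OU are added).'
} elseif ($mode -eq 2) {
    'Loopback: Replace (only user settings from GPOs linked to the computer OU apply).'
} else {
    'Loopback: not configured; user settings follow the user object, not the computer.'
}

# 3. Which GPO delivers the values. The context lines are meant to catch the
#    GPO name and state printed around the registry path (layout is an assumption).
gpresult /scope user /v |
    Select-String -SimpleMatch 'Control Panel\Desktop' -Context 2,2
```

If step 1 still lists values after the GPO has been taken out of scope, run `gpupdate /force` and log off and on again before repeating the check.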
 
tigermatt Commented:

Mike,

The user is trying to exclude it applying to a PC, not a specific user :)

I think the approach at the end of my last comment will work but also make it more effective, because it saves having to define a specific computer account in Security Filtering.
0
 
Mike Kline Commented:
Loopback does work, but I just rarely use it (mainly for our TS boxes).  Hopefully only admins log into 2008 server, I'd exclude them
0
 
Americom Commented:
If the user uses loopback, then it will work, as the user has so far mentioned only machines and not users.
0
 
Americom Commented:
Also, even if it's being configured on the users and linked to an OU with user accounts, I have seen that when the GPO is removed, the settings are still not removed, even after gpupdate. It's just a screen saver GPO, it shouldn't, but I have seen it, and one time I even had to run gpedit.msc locally on the machine to reset it.
0
 
WideAreaMedia (Author) Commented:
Tigermatt,

   Thank you for the quick reply. This solution works for us, as we simply created a special, limited account that can log on to this machine only. I tweaked the Security Filtering so the screen saver policy wouldn't apply to the special account.
0
 
WideAreaMedia (Author) Commented:
Thanks to everyone for the comments - understanding this particular functionality of Group Policy will be very valuable in the future.

Best Regards,
Martin
0