Solved

Reset Screen Saver Group Policy - Server 2008

Posted on 2009-05-04
Last Modified: 2012-05-06
Hello Everyone,

   I have a small network on which various Group Policies are enforced to provide for specific security and functionality settings. One of these settings is that the screen saver should be enabled, and lock the workstation after 30 minutes. This works beautifully on all of our machines, and causes the options in the Screen Saver tab of the Display Settings to be greyed out. I have one machine that I would like to have allowed to change the screen saver options in this tab. I've placed it in its own OU and blocked policy inheritance, linking only the policies that don't enforce the screen saver settings.

   Despite there no longer being an enforced policy regarding screen saver settings for this machine, the settings in the Screen Saver tab remain greyed out. Is there a way to reset the Group Policy settings on this particular Server 2008 machine, or at least re-enable the Screen Saver configuration options? Any assistance would be greatly appreciated. Thanks!

Best Regards,
Martin Schultz
Question by:WideAreaMedia
10 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24297166

The screensaver settings are set in the 'User Configuration' section of a GPO, and therefore apply to the User objects in the domain, not the computer objects. Moving the computer object around and blocking inheritance to that object will have no effect, since it is the user account which is logging in which the policy is applying to.

The only way you can work around this is to move the users who will need the ability to change Screen Saver settings into their own OU out of scope of the GPO (either Block Inheritance or adjust your OU structure so they don't inherit the OU). This will, however, give them access to change their screen saver wherever they go.

The other approach in some cases would be to disable the restriction just on this one server by creating a new GPO on the server's OU, overriding the screen saver settings to 'Disabled' and then enabling Loopback. The problem here is this will simply do the opposite and turn off the screen saver; it won't enable you to unlock the settings so changes can be made.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297187
What you can try is to move the machine account to an OU without any Screen Saver GPO linked to it, then log on and run gpupdate /force to refresh the GPO and verify the setting that you can adjust. Then move this machine object back to the OU where you definitely have block inheritance in place.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24297210
How are you setting the screen saver group policy?
Is it through
User Configuration | Administrative Templates | Control Panel | Display
If it is, then it will affect the user logging in, not the computer.
You could use security filtering (more on that in the link below) to exclude a user from the GPO and test.
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297239

Americom,

Screen Saver GPOs do not tattoo - they are set in the HKCU\Software\Policies and will therefore be removed when the policy does not apply.

The problem here is because the Screen Saver settings are set in the USER configuration section, yet the user is attempting to block inheritance to the COMPUTER object. In doing this, only the settings in the 'Computer Configuration' section of inherited GPOs will be blocked; not the policies applying to the user object.

WideAreaMedia,

Whilst typing that I just had a thought about making this work on a per-computer basis. I'm not too sure if it will work and don't have access to my test environment to try it out, so don't get your hopes up.

Remove the screen saver setting from the current GPO and apply it to a GPO which is linked to all your Computers, rather than User Accounts. Then enable Loopback Processing in 'Merge' mode as per: http://support.microsoft.com/kb/231287. (I would set that in a Global Policy at the root of the domain).

In doing this, in theory, blocking the inheritance on the OU for one particular server will block the screen saver setting applying down to it, but only for users on that particular server. The same user logging into another machine should be restricted again.

-Matt
0
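A check for the behaviour discussed in this thread, added here as an example and not posted by any participant: it reads the per-user policy values under HKCU\Software\Policies that hold the screen saver settings, reports the loopback mode set for the computer, and lists the GPOs applied to the logged-on user. The full key paths, the value names and PowerShell 2.0 or later are assumptions not stated in the thread.

```powershell
# Added example (not from the thread). Run as the affected user on the machine
# where the Screen Saver tab is greyed out.
# Assumed locations: the standard per-user screen saver policy key and the
# per-computer key that holds the loopback processing mode.
$userKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$loopKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (no policy applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-ScreenSaverPolicyState {
    # One row per screen saver policy value; a present value means a GPO in the
    # user's scope is holding that setting.
    $names = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'
    foreach ($name in $names) {
        $value = Get-PolicyValue -Path $userKey -Name $name
        New-Object PSObject -Property @{
            Setting      = $name
            SetByPolicy  = ($null -ne $value)
            Value        = $value
        } | Select-Object Setting, SetByPolicy, Value
    }
}

function Get-LoopbackMode {
    # UserPolicyMode: 1 = Merge, 2 = Replace, absent = loopback not configured.
    $mode = Get-PolicyValue -Path $loopKey -Name 'UserPolicyMode'
    if ($mode -eq 1) { 'Merge' }
    elseif ($mode -eq 2) { 'Replace' }
    else { 'Not configured' }
}

Get-ScreenSaverPolicyState | Format-Table -AutoSize
"Loopback processing mode: $(Get-LoopbackMode)"

# Resultant set of policy for the user scope: shows which GPOs were applied
# to the logged-on user and which were filtered out.
gpresult /scope user /r
```

If every row shows SetByPolicy as False after a `gpupdate /force` and a fresh logon, no GPO in the user's scope is holding the screen saver settings any longer.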
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297253

Mike,

The user is trying to exclude it applying to a PC, not a specific user :)

I think the approach at the end of my last comment will work but also make it more effective, because it saves having to define a specific computer account in Security Filtering.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24297304
Loopback does work, but I just rarely use it (mainly for our TS boxes).  Hopefully only admins log into 2008 server, I'd exclude them
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297384
If the user uses loopback, then it will work, as everything the user has mentioned so far is about machines and not users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297406
Also, even if it's being configured on the users and linked to an OU with user accounts, I have seen that when the GPO is removed, the settings are still not removed, even after gpupdate. It's just a screen saver GPO; it shouldn't, but I have seen it, and one time I even had to run gpedit.msc locally on the machine to reset it.
0
 
LVL 1

Author Closing Comment

by:WideAreaMedia
ID: 31577626
Tigermatt,

   Thank you for the quick reply. This solution works for us, as we simply created a special, limited account that can log on to this machine only. I tweaked the Security Filtering so the screen saver policy wouldn't apply to the special account.
0
 
LVL 1

Author Comment

by:WideAreaMedia
ID: 24304612
Thanks to everyone for the comments - understanding this particular functionality of Group Policy will be very valuable in the future.

Best Regards,
Martin
0
