Solved

Reset Screen Saver Group Policy - Server 2008

Posted on 2009-05-04
Last Modified: 2012-05-06
Hello Everyone,

   I have a small network on which various Group Policies are enforced to provide for specific security and functionality settings. One of these settings is that the screen saver should be enabled, and lock the workstation after 30 minutes. This works beautifully on all of our machines, and causes the options in the Screen Saver tab of the Display Settings to be greyed out. I have one machine that I would like to have allowed to change the screen saver options in this tab. I've placed it in its own OU and blocked policy inheritance, linking only the policies that don't enforce the screen saver settings.

   Despite there no longer being an enforced policy regarding screen saver settings for this machine, the settings in the Screen Saver tab remain greyed out. Is there a way to reset the Group Policy settings on this particular Server 2008 machine, or at least re-enable the Screen Saver configuration options? Any assistance would be greatly appreciated. Thanks!

Best Regards,
Martin Schultz
Question by:WideAreaMedia
 
LVL 58

Accepted Solution

by:
tigermatt earned 2000 total points
ID: 24297166

The screensaver settings are set in the 'User Configuration' section of a GPO, and therefore apply to the User objects in the domain, not the computer objects. Moving the computer object around and blocking inheritance to that object will have no effect, since it is the user account which is logging in which the policy is applying to.

The only way you can work around this is to move the users who will need the ability to change Screen Saver settings into their own OU out of scope of the GPO (either Block Inheritance or adjust your OU structure so they don't inherit the OU). This will, however, give them access to change their screen saver wherever they go.

The other approach in some cases would be to disable the restriction just on this one server by creating a new GPO on the server's OU, overriding the screen saver settings to 'Disabled' and then enabling Loopback. The problem here is this will simply do the opposite and turn off the screen saver; it won't enable you to unlock the settings so changes can be made.

-Matt
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297187
What you can try is to move the machine account to an OU without any Screen Saver GPO linked to it, then log on and run gpupdate /force to refresh the GPO and verify the setting that you can adjust. Then move this machine object back to the OU where you definitely have block inheritance in place.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24297210
How are you setting the screen saver group policy?
Is it through
User Configuration | Administrative Templates | Control Panel | Display
If it is then it will affect the user logging in not the computer
You could use security filtering (more on that in link below) to exclude a user from the GPO and test
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0

 
LVL 58

Expert Comment

by:tigermatt
ID: 24297239

Americom,

Screen Saver GPOs do not tattoo - they are set in the HKCU\Software\Policies and will therefore be removed when the policy does not apply.

The problem here is because the Screen Saver settings are set in the USER configuration section, yet the user is attempting to block inheritance to the COMPUTER object. In doing this, only the settings in the 'Computer Configuration' section of inherited GPOs will be blocked; not the policies applying to the user object.

WideAreaMedia,

Whilst typing that I just had a thought about making this work on a per-computer basis. I'm not too sure if it will work and don't have access to my test environment to try it out, so don't get your hopes up.

Remove the screen saver setting from the current GPO and apply it to a GPO which is linked to all your Computers, rather than User Accounts. Then enable Loopback Processing in 'Merge' mode as per: http://support.microsoft.com/kb/231287. (I would set that in a Global Policy at the root of the domain).

In doing this, in theory, blocking the inheritance on the OU for one particular server will block the screen saver setting applying down to it, but only for users on that particular server. The same user logging into another machine should be restricted again.

-Matt
0
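A way to check the point above on the affected machine, as an added example that is not part of the original thread: the script reads the user-side policy values for the logged-on account and reports whether the 30-minute lock is enforced. The registry sub-path and value names are assumed from the standard Control Panel | Display administrative template, and the function names are hypothetical.

```powershell
# Added example (not from the thread): report whether the screen saver lock is
# enforced by Group Policy for the CURRENT user on this machine.
# Assumption: the GPO uses the standard Control Panel | Display templates,
# which write REG_SZ values under the key below.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxTimeoutSeconds = 1800   # 30 minutes, the timeout stated in the question

function Get-ScreenSaverPolicy {
    param([string]$Path = $PolicyKey)
    $props = $null
    if (Test-Path -Path $Path) { $props = Get-ItemProperty -Path $Path }
    $state = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE') {
        $p = $null
        if ($props) { $p = $props.PSObject.Properties[$name] }
        if ($p) { $state[$name] = [string]$p.Value } else { $state[$name] = $null }
    }
    return $state
}

function Test-ScreenLockEnforced {
    param([hashtable]$State, [int]$MaxTimeout = $MaxTimeoutSeconds)
    # All three values must come from policy: saver on, password on resume, sane timeout.
    if ($State['ScreenSaveActive'] -ne '1') { return $false }
    if ($State['ScreenSaverIsSecure'] -ne '1') { return $false }
    $timeout = 0
    if (-not [int]::TryParse([string]$State['ScreenSaveTimeOut'], [ref]$timeout)) { return $false }
    return ($timeout -gt 0 -and $timeout -le $MaxTimeout)
}

$state = Get-ScreenSaverPolicy
foreach ($name in ($state.Keys | Sort-Object)) {
    if ($null -eq $state[$name]) {
        "{0,-20} not set by policy" -f $name
    } else {
        "{0,-20} = {1} (set by policy)" -f $name, $state[$name]
    }
}
"Lock within $MaxTimeoutSeconds s enforced for $env:USERNAME on ${env:COMPUTERNAME}: " +
    (Test-ScreenLockEnforced -State $state)

# List the GPOs applied to this user to see which one supplies the values above.
gpresult.exe /r /scope user
```

Because the values live under HKCU, run it in the session of the account being checked; after a GPO is unlinked or filtered, run `gpupdate /force` first and confirm the values are gone.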
 
LVL 58

Expert Comment

by:tigermatt
ID: 24297253

Mike,

The user is trying to exclude it applying to a PC, not a specific user :)

I think the approach at the end of my last comment will work but also make it more effective, because it saves having to define a specific computer account in Security Filtering.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24297304
Loopback does work, but I just rarely use it (mainly for our TS boxes).  Hopefully only admins log into 2008 server, I'd exclude them
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297384
If the user uses loopback, then it will work, as the user so far mentioned only machines and not users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24297406
Also, even if it's being configured on the users and linked to an OU with user accounts, I have seen that when the GPO is removed, the settings are still not removed, even after gpupdate. It's just a screen saver GPO, it shouldn't, but I have seen it, and one time I even had to run gpedit.msc locally on the machine to reset it.
0
 
LVL 1

Author Closing Comment

by:WideAreaMedia
ID: 31577626
Tigermatt,

   Thank you for the quick reply. This solution works for us, as we simply created a special, limited account that can log on to this machine only. I tweaked the Security Filtering so the screen saver policy wouldn't apply to the special account.
0
 
LVL 1

Author Comment

by:WideAreaMedia
ID: 24304612
Thanks to everyone for the comments - understanding this particular functionality of Group Policy will be very valuable in the future.

Best Regards,
Martin
0
