Screen Saver Lockout GPO

I created a screensaver lockout GPO for all users which works fine. But I have a separate OU with computer accounts in it that I don't want the screen saver policy applied to.

How can I make sure that any user who logs into these computers will not have the screen saver policy applied? I also need the current policies to that computer OU to be applied as usual with no interference.

I read about loopback policy but I'm not sure how to create/edit it and with what options. How can I accomplish this?
Thanks!
tolinrome Asked:
x3man Commented:
Make a security group for the computers that you want the screensaver settings to apply to and add the computers. Then click on the screensaver policy in Group Policy Management Console, look on the Scope tab, and under Security Filtering remove all groups and add only the security group you created.
x3man Commented:
Sorry, scrap what I just said. The policy is a user setting, not a computer setting, so you should use loopback settings as you said. Create a loopback policy (http://support.microsoft.com/kb/231287) with the screensaver settings disabled and select merge or replace mode depending on whether you want existing user settings to be applied also. Attach this policy to the OU with the computer you want to be excluded.
TarekIsmail Commented:
Hi,

Create a new GPO and assign it to your computer OU, and configure the required policy for screen saver or anything else you need.

In this GPO, go to Computer, Policies, Administrative Templates, System, Group Policy, then choose
User Group Policy loopback processing mode
and choose Replace,
so the policy applied to the computer account will always replace any GPO applied to the user logon to the computer.
Please check the attached screen.

Adam Brown (Sr Solutions Architect) Commented:
Just as a note, setting the loopback policy to replace settings on logon to a specific set of computers will remove *all* user policies when users log on to those computers. If you want the screen saver policy to apply to some, but not all, computers, you'll want to set loopback policy on the GPO that is deploying the screensaver settings and set up loopback policy to merge changes (this will allow all other user policies to continue operating normally). Once that's done, set up a security group with the computers that you want to apply the policy in it. Filter the GPO with that security group and link the GPO to all of the OUs where the computers are located. That's only one way to do it.

The other option is to build a second GPO that disables the screensaver lockout. Apply that to the OU where the computers that you don't want the screensaver lockout on are located and modify the processing order so that policy is first in the list (if you have the computers that need no lockout in the same OU as computers that need lockout, build a security group with the computers that don't need it and filter the policy with that group).

tolinrome (Author) Commented:
OK, so this is what I did. I created a GPO for screen saver lockout and applied it to the users OU - it works fine. But as mentioned, I do not want this policy applied to certain computers in a separate OU (the server OU when IT logs into them).

So, as told above, I created another GPO and enabled the group policy loopback processing mode and assigned it to the Server OU.

1. Since I want all other GPOs on this OU not to be interfered with and no screen saver lockout on it, I chose Replace mode as TarekIsmail mentioned (I thought merge mode). I'm confused about that - (I want everything to work as currently, just no screen saver lockout when the IT people log into the servers). Nonetheless, I chose Replace mode as you mentioned.

2. In this GPO you said (x3man) to also disable the screen saver setting. If I do this then the screen savers on the servers won't run; it also disables the screen saver tab. I don't want that.

I'm confused on how to configure the GPO policy on the server OU for the screen saver settings.
Adam Brown (Sr Solutions Architect) Commented:
You want to disable the policy to Password Protect the Screensaver. I would highly recommend the merge setting rather than replace for loopback. With what you have, you then need to set up the policy to be processed last (put it as number one in the processing order list).

x3man Commented:
As acbrown suggests, use the merge mode. This will allow other user settings to be applied, but where there are differences the loopback policy settings will be applied. You don't have to disable the screensaver settings if you don't want. You can choose whatever settings you would like to be applied.
tolinrome (Author) Commented:
OK, let me start over since I'm confused now.....

1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration).

Is this correct?

Adam Brown (Sr Solutions Architect) Commented:
Yes, that should do it for you.
tolinrome (Author) Commented:
OK, unfortunately something's not right.

1. I created a test OU under servers and put a server in it and linked the GPO with the loopback policy on it (merge mode, password protect screen saver is disabled).

2. I created a test OU under users with my user account in it and applied the GPO with the screen saver lockout settings on it.

Now, on my local computer the screensaver GPO doesn't apply, but when I'm logged onto the server the screen saver password lockout comes on after the time specified.

I did gpupdate on dc and client.

tolinrome (Author) Commented:
Never mind.......
x3man Commented:
This is correct:

"1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration)."

If it isn't working check that the settings are actually as described here.
TarekIsmail Commented:
Yes, this is correct, and I recommend using the merge setting, not replace.
tolinrome (Author) Commented:
Thanks
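
The configuration the thread settles on (a GPO linked to the servers OU with loopback in merge mode under Computer Configuration and "Password protect the screen saver" disabled under User Configuration), scripted with the GroupPolicy PowerShell module and then checked on a server. This is an added example, not code posted by any participant; the GPO name and OU path are placeholders, and the registry values are the ones these two Administrative Templates settings write.

```powershell
# Placeholders (assumptions): substitute your own GPO name and OU path.
$GpoName   = 'Servers - No Screen Saver Password'
$ServersOu = 'OU=Servers,DC=example,DC=com'

# Registry values behind the two Administrative Templates settings.
$LoopbackKey = 'Software\Policies\Microsoft\Windows\System'
$DesktopKey  = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function New-ServerLoopbackGpo {
    # Run once from a management workstation with GPO edit rights.
    Import-Module GroupPolicy   # GPMC cmdlets (RSAT)
    New-GPO -Name $GpoName | Out-Null
    # Computer Configuration: loopback processing mode, 1 = Merge, 2 = Replace.
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$LoopbackKey" `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
    # User Configuration: "Password protect the screen saver" = Disabled.
    Set-GPRegistryValue -Name $GpoName -Key "HKCU\$DesktopKey" `
        -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null
    New-GPLink -Name $GpoName -Target $ServersOu | Out-Null
}

function Test-ServerLoopback {
    # Run on a server in the OU, as the logged-on user, after gpupdate /force.
    $lm = Get-ItemProperty -Path "HKLM:\$LoopbackKey" -ErrorAction SilentlyContinue
    $cu = Get-ItemProperty -Path "HKCU:\$DesktopKey" -ErrorAction SilentlyContinue
    $mode = switch ($lm.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
    [pscustomobject]@{
        LoopbackMode        = $mode
        ScreenSaverIsSecure = $cu.ScreenSaverIsSecure   # '0' = no password on resume
        AsIntended          = ($mode -eq 'Merge' -and $cu.ScreenSaverIsSecure -eq '0')
    }
}

# Read-only check; safe to run on the server being tested.
Test-ServerLoopback
```

If `AsIntended` is false, `gpresult /r /scope:user` on the same server shows which GPOs supplied the user settings; in merge mode the GPOs linked to the computer's OU are processed after the user's own, so their value is the one that should appear.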