Solved

Screen Saver Lockout GPO

Posted on 2010-09-24
Last Modified: 2012-05-10
I created a screensaver lockout GPO for all users which works fine. But I have a separate OU with computer accounts in it that I don't want the screen saver policy applied to.

How can I make sure that any user who logs into these computers will not have the screen saver policy applied? I also need the current policies to that computer OU to be applied as usual with no interference.

I read about loopback policy but I'm not sure how to create/edit it and with what options. How can I accomplish this?
Thanks!
Question by:tolinrome
14 Comments
 
LVL 9

Expert Comment

by:x3man
ID: 33754975
Make a security group for the computers that you want the screensaver settings to apply to and add the computers. Then click on the screensaver policy in Group Policy Management Console, look on the Scope tab, and under Security Filtering remove all groups and only add the security group you created.
0
 
LVL 9

Assisted Solution

by:x3man
x3man earned 400 total points
ID: 33755069
Sorry, scrap what I just said. The policy is a user setting, not a computer setting, so you should use loopback settings as you said. Create a loopback policy (http://support.microsoft.com/kb/231287) with the screensaver settings disabled and select merge or replace mode depending on whether you want existing user settings to be applied also. Attach this policy to the OU with the computer you want to be excluded.
0
 
LVL 6

Expert Comment

by:TarekIsmail
ID: 33755086
Hi,

Create a new GPO and assign it to your computer OU, and configure the required policy for the screen saver or anything else you need.

In this GPO, go to Computer, Policies, Administrative Templates, System, Group Policy, then choose
User Group Policy loopback processing mode
and choose Replace,
so the policy applied to the computer account will always replace any GPO applied to the user logging on to the computer.
Please check the attached screen.

SNAG-0002.jpg
SNAG-0003.jpg
0

 
LVL 43

Accepted Solution

by:
Adam Brown earned 600 total points
ID: 33755433
Just as a note, setting the loopback policy to replace settings on logon to a specific set of computers will remove *all* user policies when users log on to those computers. If you want the screen saver policy to apply to some, but not all, computers, you'll want to set loopback policy on the GPO that is deploying the screensaver settings and set up Loopback policy to merge changes (This will allow all other user policies to continue operating normally). Once that's done, set up a security group with the computers that you want to apply the policy in it. Filter the GPO with that security group and link the GPO to all of the OUs where the computers are located. That's only one way to do it.

The other option is to build a second GPO that disables the screensaver lockout. Apply that to the OU where the computers that you don't want the screensaver lockout on are located and modify the processing order so that policy is first in the list (if you have the computers that need no lockout in the same OU as computers that need lockout, build a security group with the computers that don't need it and filter the policy with that group).
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33755479
Ok, so this is what I did. I created a GPO for screen saver lockout and applied it to the users OU - it works fine. But as mentioned I do not want this policy applied to certain computers in a separate OU (the server OU when IT logs into them).

So, as told above, I created another gpo and enabled the group policy loopback processing mode and assigned it to the Server OU.

1. Since I want all other GPOs on this OU not to be interfered with and no screen saver lockout on it, I chose Replace mode as TarekIsmail mentioned (I thought merge mode). I'm confused about that - (I want everything to work as currently, just no screen saver lockout when the IT people log into the servers). Nonetheless I chose Replace mode as you mentioned.

2. In this GPO you said (x3man) to also disable the screen saver setting. If I do this then the screen savers on the servers won't run, and it also disables the screen saver tab. I don't want that.

I'm confused on how to configure the gpo policy on the server OU for the screen saver settings.
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 33755555
You want to disable the policy to Password Protect the Screensaver. I would highly recommend the merge setting rather than replace for loopback. With what you have, you then need to set up the policy to be processed last (put it as number one in the processing order list).

0
 
LVL 9

Expert Comment

by:x3man
ID: 33756005
As acbrown suggests, use the merge mode. This will allow other user settings to be applied, but where there are differences the loopback policy settings will be applied. You don't have to disable the screensaver settings if you don't want. You can choose whatever settings you would like to be applied.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33756358
Ok, let me start over since I'm confused now.....

1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration).

Is this correct?

0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 33756371
Yes, that should do it for you.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33756444
Ok, unfortunately something's not right.

1. I created a test ou under servers and put a server in it and linked the gpo with the loopback policy on it (merge mode, password protect screen saver is disabled).

2. I created a test ou under users with my user account in it and applied the gpo with the screen saver lockout settings on it.

Now, on my local computer the screensaver GPO doesn't apply, but when I'm logged onto the server the screen saver password lockout comes on after the time specified.

I did gpupdate on dc and client.

0
 
LVL 7

Author Comment

by:tolinrome
ID: 33756504
nevermind.......
0
 
LVL 9

Expert Comment

by:x3man
ID: 33756613
This is correct:

"1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration)."

If it isn't working check that the settings are actually as described here.
0
 
LVL 6

Expert Comment

by:TarekIsmail
ID: 33757339
Yes, this is correct, and I recommend using the merge setting, not replace.
0
 
LVL 7

Author Closing Comment

by:tolinrome
ID: 33758512
Thanks
0
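
The configuration the thread settles on (a GPO linked to the servers OU with loopback in merge mode and "Password protect the screen saver" disabled under User Configuration), scripted with the GroupPolicy PowerShell module. This is an added example, not code posted by anyone in the thread; the GPO name and OU distinguished name are placeholders to replace with your own.

```powershell
# Added example: builds the loopback GPO described in the thread.
# $GpoName and $ServerOu are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName  = 'Servers - No Screen Saver Lock (loopback)'
$ServerOu = 'OU=Servers,DC=example,DC=com'

New-GPO -Name $GpoName -Comment 'Loopback merge; screen saver password off' | Out-Null

# Computer Configuration > Administrative Templates > System > Group Policy >
# "User Group Policy loopback processing mode".
# UserPolicyMode: 1 = Merge, 2 = Replace.
$loopKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $loopKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User Configuration: "Password protect the screen saver" = Disabled.
# Stored as the string value ScreenSaverIsSecure ("0" = off, "1" = on).
$ssKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $ssKey `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

# Link the GPO to the OU that holds the server computer accounts.
New-GPLink -Name $GpoName -Target $ServerOu -LinkEnabled Yes | Out-Null

# Confirm what was written and where the GPO sits in the link order.
Get-GPRegistryValue -Name $GpoName -Key $loopKey -ValueName 'UserPolicyMode'
Get-GPRegistryValue -Name $GpoName -Key $ssKey   -ValueName 'ScreenSaverIsSecure'
Get-GPInheritance -Target $ServerOu |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced

# Run on one of the servers, then log on again and check that the GPO
# is listed under the applied user policies:
#   gpupdate /force
#   gpresult /scope user /r
```

Loopback mode is a computer setting, so the server itself has to refresh computer policy before a user logon there picks up the user-side setting.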


Question has a verified solution.