Solved

Screen Saver Lockout GPO

Posted on 2010-09-24
Last Modified: 2012-05-10
I created a screensaver lockout GPO for all users which works fine. But I have a separate OU with computer accounts in it that I don't want the screen saver policy applied to.

How can I make sure that any user who logs into these computers will not have the screen saver policy applied? I also need the current policies to that computer OU to be applied as usual with no interference.

I read about loopback policy but I'm not sure how to create/edit it and with what options. How can I accomplish this?
Thanks!
Question by:tolinrome
14 Comments

Expert Comment

by:x3man
ID: 33754975
Make a security group for the computers that you want the screensaver settings to apply to and add the computers. Then click on the screensaver policy in the Group Policy Management Console, look on the Scope tab, and under Security Filtering remove all groups and add only the security group you created.

Assisted Solution

by:x3man
x3man earned 100 total points
ID: 33755069
Sorry, scrap what I just said. The policy is a user setting, not a computer setting, so you should use loopback settings as you said. Create a loopback policy (http://support.microsoft.com/kb/231287) with the screensaver settings disabled and select merge or replace mode depending on whether you want existing user settings to be applied also. Attach this policy to the OU with the computer you want to be excluded.

Expert Comment

by:TarekIsmail
ID: 33755086
Hi,

Create a new GPO and assign it to your computer OU, and configure the required policy for the screen saver or anything else you need.

In this GPO, go to Computer, Policies, Administrative Templates, System, Group Policy, then choose
User Group Policy loopback processing mode
and choose Replace,
so the policy applied to the computer account will always replace any GPO applied to the user who logs on to the computer.
Please check the attached screen.

SNAG-0002.jpg
SNAG-0003.jpg

Accepted Solution

by:
Adam Brown earned 150 total points
ID: 33755433
Just as a note, setting the loopback policy to replace settings on logon to a specific set of computers will remove *all* user policies when users log on to those computers. If you want the screen saver policy to apply to some, but not all, computers, you'll want to set loopback policy on the GPO that is deploying the screensaver settings and set up Loopback policy to merge changes (This will allow all other user policies to continue operating normally). Once that's done, set up a security group with the computers that you want to apply the policy in it. Filter the GPO with that security group and link the GPO to all of the OUs where the computers are located. That's only one way to do it.

The other option is to build a second GPO that disables the screensaver lockout. Apply that to the OU where the computers that you don't want the screensaver lockout on are located and modify the processing order so that policy is first in the list (if you have the computers that need no lockout in the same OU as computers that need lockout, build a security group with the computers that don't need it and filter the policy with that group).

Author Comment

by:tolinrome
ID: 33755479
Ok, so this is what I did. I created a GPO for screen saver lockout and applied it to the users OU - it works fine. But as mentioned I do not want this policy applied to certain computers in a separate OU (the server OU when IT logs into them).

So, as told above, I created another GPO and enabled the group policy loopback processing mode and assigned it to the Server OU.

1. Since I want all other GPOs on this OU not to be interfered with and no screen saver lockout on it, I chose Replace mode as TarekIsmail mentioned (I thought merge mode). I'm confused about that - (I want everything to work as currently, just no screen saver lockout when the IT people log into the servers). Nonetheless I chose Replace mode as you mentioned.

2. In this GPO you said (x3man) to also disable the screen saver setting. If I do this then the screen savers on the servers won't run, and it also disables the screen saver tab. I don't want that.

I'm confused on how to configure the GPO policy on the server OU for the screen saver settings.

Expert Comment

by:Adam Brown
ID: 33755555
You want to disable the policy to Password Protect the Screensaver. I would highly recommend the merge setting rather than replace for loopback. With what you have, you then need to set up the policy to be processed last (put it as number one in the processing order list).


Expert Comment

by:x3man
ID: 33756005
As acbrown suggests, use the merge mode. This will allow other user settings to be applied, but where there are differences the loopback policy settings will be applied. You don't have to disable the screensaver settings if you don't want. You can choose whatever settings you would like to be applied.

Author Comment

by:tolinrome
ID: 33756358
Ok, let me start over since I'm confused now.....

1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration).

Is this correct?


Expert Comment

by:Adam Brown
ID: 33756371
Yes, that should do it for you.

Author Comment

by:tolinrome
ID: 33756444
Ok, unfortunately something's not right.

1. I created a test OU under servers and put a server in it and linked the GPO with the loopback policy on it (merge mode, password protect screen saver is disabled).

2. I created a test OU under users with my user account in it and applied the GPO with the screen saver lockout settings on it.

Now, on my local computer the screensaver GPO doesn't apply, but when I'm logged onto the server the screen saver password lockout comes on after the time specified.

I did gpupdate on the DC and client.


Author Comment

by:tolinrome
ID: 33756504
nevermind.......

Expert Comment

by:x3man
ID: 33756613
This is correct:

"1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration)."

If it isn't working check that the settings are actually as described here.

Expert Comment

by:TarekIsmail
ID: 33757339
Yes, this is correct, and I recommend using the merge setting, not replace.

Author Closing Comment

by:tolinrome
ID: 33758512
Thanks
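The configuration the thread settles on (a GPO linked to the server OU with loopback in merge mode and "Password protect the screen saver" disabled), scripted as an added example that is not part of the original posts. The GPO name and the OU distinguished name are placeholders, and the script assumes the GroupPolicy PowerShell module that ships with GPMC/RSAT.

```powershell
# Added example, not from the thread. Run from a machine with GPMC/RSAT installed.
Import-Module GroupPolicy

# Placeholders (assumptions): use your own GPO name and the DN of your server OU.
$GpoName  = 'Servers - Loopback Merge - No Screen Saver Lock'
$ServerOU = 'OU=Servers,DC=example,DC=com'

New-GPO -Name $GpoName -Comment 'Loopback (merge); screen saver password protection off' | Out-Null

# Computer Configuration > Policies > Administrative Templates > System > Group Policy >
# "User Group Policy loopback processing mode". 1 = Merge, 2 = Replace.
# Merge keeps the user's normal GPOs and lets this GPO's user settings win on conflict.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User Configuration: "Password protect the screen saver" = Disabled.
# The screen saver itself still runs; only the lock on resume is turned off.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

# Link the GPO to the server OU so it only affects logons on those computers.
New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes | Out-Null

# Read the two settings back from the GPO to confirm what was written.
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaverIsSecure'

# Confirm the link and its order on the OU (order 1 is processed last and wins).
(Get-GPInheritance -Target $ServerOU).GpoLinks |
    Select-Object DisplayName, Enabled, Order

# On one of the servers, after "gpupdate /force" and a fresh logon, check that the
# GPO appears under the user's applied GPOs:
#   gpresult /scope user /r
```

If the lock still engages on a server, the `gpresult` output shows whether this GPO was applied to the user session or filtered out, which is the first thing to check before changing modes.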