
Screen Saver Lockout GPO

Posted on 2010-09-24
Last Modified: 2012-05-10
I created a screensaver lockout GPO for all users which works fine. But I have a separate OU with computer accounts in it that I don't want the screen saver policy applied to.

How can I make sure that any user who logs into these computers will not have the screen saver policy applied? I also need the current policies to that computer OU to be applied as usual with no interference.

I read about loopback policy but I'm not sure how to create/edit it and with what options. How can I accomplish this?
Thanks!
Question by:tolinrome
14 Comments
 
LVL 9

Expert Comment

by:x3man
ID: 33754975
Make a security group for the computers that you want the screensaver settings to apply to and add the computers. Then click on the screensaver policy in Group Policy management Console, look on scope tab and under security filtering remove all groups and only add the security group you created.
0
 
LVL 9

Assisted Solution

by:x3man
x3man earned 400 total points
ID: 33755069
Sorry scrap what I just said. The policy is a user setting not a computer setting so you should use loopback settings as you said. Create a loopback policy (http://support.microsoft.com/kb/231287) with the screensaver settings disabled and select merge or replace mode depending on whether you want existing user settings to be applied also. Attach this policy to the OU with the computer you want to be excluded.
0
 
LVL 6

Expert Comment

by:TarekIsmail
ID: 33755086
Hi,

Create a new GPO and assign it to your computer OU, and configure the required policy for the screen saver or anything else you need.

In this GPO, go to Computer, Policies, Administrative Templates, System, Group Policy, then choose
User Group Policy loopback processing mode
and choose Replace,
so the policy applied to the computer account will always replace any GPO applied to the user logging on to the computer.
Please check the attached screen.

SNAG-0002.jpg
SNAG-0003.jpg
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 600 total points
ID: 33755433
Just as a note, setting the loopback policy to replace settings on logon to a specific set of computers will remove *all* user policies when users log on to those computers. If you want the screen saver policy to apply to some, but not all, computers, you'll want to set loopback policy on the GPO that is deploying the screensaver settings and set up Loopback policy to merge changes (This will allow all other user policies to continue operating normally). Once that's done, set up a security group with the computers that you want to apply the policy in it. Filter the GPO with that security group and link the GPO to all of the OUs where the computers are located. That's only one way to do it.

The other option is to build a second GPO that disables the screensaver lockout. Apply that to the OU where the computers that you don't want the screensaver lockout on are located and modify the processing order so that policy is first in the list (if you have the computers that need no lockout in the same OU as computers that need lockout, build a security group with the computers that don't need it and filter the policy with that group).
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33755479
Ok, so this is what I did. I created a GPO for screen saver lockout and applied it to the users OU - it works fine. But as mentioned I do not want this policy applied to certain computers in a separate OU (the server OU when IT logs into them).

So, as told above, I created another GPO and enabled the group policy loopback processing mode and assigned it to the Server OU.

1. Since I want all other GPOs on this OU not to be interfered with and no screen saver lockout on it I chose Replace mode as tarekIsmail mentioned (I thought merge mode). I'm confused about that - (I want everything to work as currently just no screen saver lockout when the IT people log into the servers). Nonetheless I chose Replace mode as you mentioned.

2. In this GPO you said (x3man) to also disable the screen saver setting, if I do this then the screen savers on the servers won't run, it also disables the screen saver tab, I don't want that.

I'm confused on how to configure the gpo policy on the server OU for the screen saver settings.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 33755555
You want to disable the policy to Password Protect the Screensaver. I would highly recommend the merge setting rather than replace for loopback. With what you have, you then need to set up the policy to be processed last (put it as number one in the processing order list).

0
 
LVL 9

Expert Comment

by:x3man
ID: 33756005
As acbrown suggests, use the merge mode. This will allow other user settings to be applied, but where there are differences the loopback policy settings will be applied. You don't have to disable the screensaver settings if you don't want. You can choose whatever settings you would like to be applied.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33756358
Ok, let me start over since I'm confused now.....

1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration).

Is this correct?

0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 33756371
Yes, that should do it for you.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 33756444
Ok, unfortunately something's not right.

1. I created a test ou under servers and put a server in it and linked the gpo with the loopback policy on it (merge mode, password protect screen saver is disabled).

2. I created a test ou under users with my user account in it and applied the gpo with the screen saver lockout settings on it.

Now, on my local computer the screensaver GPO doesn't apply but when I'm logged onto the server the screen saver password lockout comes on after the time specified.

I did gpupdate on dc and client.

0
 
LVL 7

Author Comment

by:tolinrome
ID: 33756504
nevermind.......
0
 
LVL 9

Expert Comment

by:x3man
ID: 33756613
This is correct:

"1. I created a gpo on the users ou that enables screen saver lockout and it works fine.

2. I created another gpo on the servers ou and I enabled loopback with merge mode, (computer configuration) and password protect the screen saver is disabled under (user configuration)."

If it isn't working check that the settings are actually as described here.
0
 
LVL 6

Expert Comment

by:TarekIsmail
ID: 33757339
Yes, this is correct, and I recommend using the merge setting, not replace.
0
 
LVL 7

Author Closing Comment

by:tolinrome
ID: 33758512
Thanks
0
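
The configuration the thread settles on (loopback in merge mode on the servers OU, with "Password protect the screen saver" disabled under User Configuration, linked first in the processing order), scripted with the GroupPolicy PowerShell module. This is an added example, not something posted by the participants; the GPO name and OU distinguished name are placeholders, and the registry values are the ones these two Administrative Templates settings write.

```powershell
# Added example. $gpoName and $serverOu are placeholders, not values from the thread.
# Run from a machine with the GroupPolicy module (GPMC / RSAT) as a GPO administrator.
Import-Module GroupPolicy

$gpoName  = 'Servers - Loopback Merge - No Screen Saver Password'  # hypothetical name
$serverOu = 'OU=Servers,DC=example,DC=com'                         # hypothetical OU DN

New-GPO -Name $gpoName -Comment 'Loopback (merge); screen saver password off on servers' |
    Out-Null

# Computer Configuration > Administrative Templates > System > Group Policy >
# "User Group Policy loopback processing mode".
# UserPolicyMode: 1 = Merge, 2 = Replace. Merge keeps the user's other policies;
# Replace drops every user policy that is not linked to the computer's OU.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User Configuration > "Password protect the screen saver" = Disabled.
# Only the password requirement is turned off; the screen saver itself and the
# Screen Saver tab are governed by other settings and are left untouched.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

# Link to the servers OU as link order 1 so it is processed last among the
# GPOs linked there and wins on conflicting settings.
New-GPLink -Name $gpoName -Target $serverOu -LinkEnabled Yes -Order 1 | Out-Null

# --- Verification, run on one of the servers as the logged-on user ---
# Refresh policy, then log off and on again so the user side is re-evaluated.
gpupdate /force

# The loopback GPO should appear under the applied user GPOs.
gpresult /scope user /r

# Effective value after merge: '0' means no password on resume,
# '1' means the users-OU lockout GPO is still winning.
Get-ItemProperty `
    -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -Name 'ScreenSaverIsSecure' |
    Select-Object -ExpandProperty ScreenSaverIsSecure
```

If the last command still returns `1` on a server, check that the computer account really sits under the linked OU and that the loopback setting is in the Computer Configuration half of the GPO, since loopback is read from the computer's policy, not the user's.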
