Group Policy Screen Lock Exceptions

Posted on 2012-03-22
Last Modified: 2012-06-27
I'd like to have all authenticated users have a screen lock.  However, I would like a few computers to have this setting unconfigured.

For example, UserA has two computers, Desktop1 and Desktop2. UserA logs into Desktop1 and it should lock after 60 minutes of inactivity.  Desktop2 only displays data/news.  UserA logs into Desktop2 but doesn't touch it after logging in.

I have a screenLock GP Object linked to a site.  The screenLock GP Object locks the screen after 60 minutes of inactivity AND is set to deny apply GPO for a noLock group.  The noLock group contains computers which should not lock.

This setup does not work.  The computer that is in the noLock group still gets the screen lock setting.  Group Policy Management's Group Policy Results wizard confirms this.

(Using Server 2003 and XP.)

Help.
Question by:mizuho
4 Comments
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 37754756
How are these computers organized in Active Directory? Are you applying the GPOs to the computers, users, or groups? Note that if you are applying them towards security and distribution groups it will not work.
 
LVL 3

Expert Comment

by:GlobalStrata
ID: 37755188
I am assuming that you have authenticated users allowed to apply.  If so, they have rights to apply.  The way to do it is to remove Authenticated Users from the GPO, create a Group for Machines that will be Locked, add the computers to that group and then Delegate Access to that group (Read and Apply).  

Probably this is a bit difficult to manage if you have many computers.  So maybe it would be easier for you to use WMI instead.  Either create a custom WMI value with a script and then use a WMI Filter to search for that value.
 
LVL 3

Accepted Solution

by:
BigRedRPB earned 750 total points
ID: 37756947
This should be pretty straightforward and your configuration sounds like it should work, so there must be some tiny detail that is mucking things up.  Here's how I would do it.

Note:  IIRC, the screen saver policy only applies to the User Configuration so you can't just put the computers in a group and be good to go.

1. Create your 'Lock' policy with the settings you want and apply it to 'Authenticated Users'.
2. Create a group ('No Lock Computers') and put the computers you don't want to lock in it.
3. Create a 'No Lock' policy with settings to not lock the screen (be sure to set to Disabled, not just Not Configured).
4. Remove Authenticated Users from the No Lock policy and apply to the No Lock Computers group.
5. In the Group Policy objects list in GPMC, make the No Lock Policy a higher priority than the Lock policy.
6. In the No Lock policy, set the Loopback policy to Enabled | Merge
  - Computer Settings | Admin Templates | System | Group Policy | Use Group Policy Loopback processing mode

Essentially, loopback mode applies the user policies that are applied to the computer object to any user who logs into that computer.  This sometimes has unintended consequences, depending on your AD structure, so you may need to test this out to make sure that it doesn't remove any policies that you want to have in place on the No Lock computers.  You can read more about loopback mode here:  http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx

Give it a shot and see if that works for you.
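The six steps of the accepted answer, scripted as an added example that is not part of the thread: it uses the GroupPolicy and ActiveDirectory modules (Server 2008 R2 / RSAT or later; on the Server 2003 / XP setup in the question the same registry-backed settings are set by hand in GPMC). The domain, OU path and GPO/group names are placeholders. One caveat beyond the answer: Authenticated Users keeps Read on the No Lock GPO and only loses Apply, because since MS16-072 computer accounts must still be able to read a GPO for it to process.

```powershell
# Added example, not code from the thread. Domain, OU and names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain      = 'corp.example'                        # placeholder domain
$TargetOU    = 'OU=Workstations,DC=corp,DC=example'  # placeholder: OU both GPOs are linked to
$NoLockGroup = 'No Lock Computers'                   # security group holding the display-only PCs
$UserDesktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Step 1: 'Lock' policy with a 60-minute, password-protected screen saver.
# A new GPO already grants Authenticated Users Read + Apply, so nothing to change there.
$lock = New-GPO -Name 'Lock' -Domain $Domain
Set-GPRegistryValue -Name $lock.DisplayName -Key $UserDesktop -ValueName 'ScreenSaveActive'    -Type String -Value '1'    | Out-Null
Set-GPRegistryValue -Name $lock.DisplayName -Key $UserDesktop -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'    | Out-Null
Set-GPRegistryValue -Name $lock.DisplayName -Key $UserDesktop -ValueName 'ScreenSaveTimeOut'   -Type String -Value '3600' | Out-Null

# Step 2: the exception group. Members are computer objects, not users.
if (-not (Get-ADGroup -Filter "Name -eq '$NoLockGroup'")) {
    New-ADGroup -Name $NoLockGroup -GroupScope Global -GroupCategory Security | Out-Null
}

# Step 3: 'No Lock' policy with the screen saver explicitly Disabled ('0').
# Leaving it Not Configured would let the Lock policy's '1' fall through.
$noLock = New-GPO -Name 'No Lock' -Domain $Domain
Set-GPRegistryValue -Name $noLock.DisplayName -Key $UserDesktop -ValueName 'ScreenSaveActive' -Type String -Value '0' | Out-Null

# Step 4: only the exception group applies No Lock. Authenticated Users is cut back to
# Read (not removed outright) so computers can still read the GPO; the group gets Apply.
Set-GPPermission -Name $noLock.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $noLock.DisplayName -TargetName $NoLockGroup          -TargetType Group -PermissionLevel GpoApply         | Out-Null

# Step 6: loopback processing in Merge mode (UserPolicyMode 1; 2 would be Replace), so the
# user-side setting in No Lock applies to whoever logs on to a member computer.
Set-GPRegistryValue -Name $noLock.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step 5: link both GPOs to the OU. Linking No Lock at order 1 puts it above Lock, so its
# Disabled value wins the conflict on the exception computers.
New-GPLink -Name $lock.DisplayName   -Target $TargetOU -LinkEnabled Yes          | Out-Null
New-GPLink -Name $noLock.DisplayName -Target $TargetOU -LinkEnabled Yes -Order 1 | Out-Null

# Check: links in precedence order (No Lock should be 1, Lock 2).
(Get-GPInheritance -Target $TargetOU).GpoLinks | Select-Object Order, DisplayName, Enabled
```

After a `gpupdate /force` and log-off on a member computer, confirm with the Group Policy Results wizard (as the question did) that the Lock GPO now shows as filtered out for that machine rather than applied.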
 

Author Comment

by:mizuho
ID: 37783304
Thanks to everyone who looked at this.

I didn't mention that I specifically need the unlocked computers to be "unconfigured" and not "denied" because we have a third-party app that manages screen-locking in a special way (allows scheduled screen-locking rules but also allows an admin to unlock a screen and access to the session, which some groups don't want, like Human Resources).

In the end, BigRedRPB's suggestion to use loopback mode solved my problem.
- I have a GPO that screen locks and it applies to Authenticated Users (also users loopback).
- I have an OU with computers that should lock, with the GPO linked to it.