Solved

Group Policy Screen Lock Exceptions

Posted on 2012-03-22
Last Modified: 2012-06-27
I'd like to have all authenticated users have a screen lock.  However, I would like a few computers to have this setting unconfigured.

For example, UserA has two computers, Desktop1 and Desktop2. UserA logs into Desktop1 and it should lock after 60 minutes of inactivity.  Desktop2 only displays data/news.  UserA logs into Desktop2 but doesn't touch it after logging in.

I have a screenLock GP Object linked to a site.  The screenLock GP Object locks the screen after 60 minutes of inactivity AND is set to deny apply GPO for a noLock group.  The noLock group contains computers which should not lock.

This setup does not work.  The computer that is in the noLock group still gets the screen lock setting.  Group Policy Management's Group Policy Results wizard confirms this.

(Using Server 2003 and XP.)

Help.
Question by:mizuho
4 Comments
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 37754756
How are these computers organized in Active Directory? Are you applying the GPOs to the computers, users, or groups? Note that if you are applying them towards security and distribution groups it will not work.
 
LVL 3

Expert Comment

by:GlobalStrata
ID: 37755188
I am assuming that you have Authenticated Users allowed to apply.  If so, they have rights to apply.  The way to do it is to remove Authenticated Users from the GPO, create a group for machines that will be locked, add the computers to that group and then delegate access to that group (Read and Apply).

This is probably a bit difficult to manage if you have many computers, so maybe it would be easier for you to use WMI instead: create a custom WMI value with a script and then use a WMI filter to search for that value.
 
LVL 3

Accepted Solution

by:
BigRedRPB earned 250 total points
ID: 37756947
This should be pretty straightforward and your configuration sounds like it should work, so there must be some tiny detail that is mucking things up.  Here's how I would do it.

Note:  IIRC, the screen saver policy only applies to the User Configuration, so you can't just put the computers in a group and be good to go.

1. Create your 'Lock' policy with the settings you want and apply it to 'Authenticated Users'.
2. Create a group ('No Lock Computers') and put the computers you don't want to lock in it.
3. Create a 'No Lock' policy with settings to not lock the screen (be sure to set to Disabled, not just Not Configured).
4. Remove Authenticated Users from the No Lock policy and apply to the No Lock Computers group.
5. In the Group Policy objects list in GPMC, make the No Lock Policy a higher priority than the Lock policy.
6. In the No Lock policy, set the Loopback policy to Enabled | Merge
  - Computer Settings | Admin Templates | System | Group Policy | Use Group Policy Loopback processing mode

Essentially, loopback mode applies the user policies that are applied to the computer object to any user who logs into that computer.  This sometimes has unintended consequences, depending on your AD structure, so you may need to test this out to make sure that it doesn't remove any policies that you want to have in place on the No Lock computers.  You can read more about loopback mode here:  http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx

Give it a shot and see if that works for you.
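The six steps above, as an added PowerShell example that is not BigRedRPB's code and not from the original thread. It uses the GroupPolicy and ActiveDirectory modules, which assume a Server 2008 R2 or later management host (they did not exist on the Server 2003 domain in the question); the OU path, the group name and Desktop2's membership are placeholders. The registry values written are the ones the screen saver and loopback administrative templates set, so the result matches what you would click in the GPMC editor.

```powershell
# Added example (not from the thread): builds the Lock / No Lock GPOs with loopback
# Merge, following BigRedRPB's six steps. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules; OU DN, group name and member are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$targetOu  = "OU=Workstations,$domainDn"   # assumed link target (the question linked to a site)
$groupsOu  = "OU=Groups,$domainDn"         # assumed location for the new group
$noLockGrp = "No Lock Computers"           # assumed group name; members are computer accounts

# Registry locations behind the administrative templates used here.
$userKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'  # screen saver (User Config)
$cmpKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'                 # loopback (Computer Config)

# Step 1: 'Lock' policy, left with the default Authenticated Users Read + Apply.
# Enable screen saver / Password protect / Timeout are REG_SZ "1", "1", seconds.
$lock = New-GPO -Name "Lock" -Comment "Password-protected screen saver after 60 minutes idle"
Set-GPRegistryValue -Name $lock.DisplayName -Key $userKey -ValueName ScreenSaveActive    -Type String -Value '1'    | Out-Null
Set-GPRegistryValue -Name $lock.DisplayName -Key $userKey -ValueName ScreenSaverIsSecure -Type String -Value '1'    | Out-Null
Set-GPRegistryValue -Name $lock.DisplayName -Key $userKey -ValueName ScreenSaveTimeOut   -Type String -Value '3600' | Out-Null

# Step 2: security group holding the computers that must never lock (Desktop2 from the question).
New-ADGroup -Name $noLockGrp -GroupScope Global -GroupCategory Security -Path $groupsOu
Add-ADGroupMember -Identity $noLockGrp -Members (Get-ADComputer -Identity 'Desktop2')

# Step 3: 'No Lock' policy with the screen saver explicitly Disabled ("0"),
# not Not Configured, so it can override the Lock policy.
$noLock = New-GPO -Name "No Lock" -Comment "Display/kiosk machines: screen saver disabled"
Set-GPRegistryValue -Name $noLock.DisplayName -Key $userKey -ValueName ScreenSaveActive    -Type String -Value '0' | Out-Null
Set-GPRegistryValue -Name $noLock.DisplayName -Key $userKey -ValueName ScreenSaverIsSecure -Type String -Value '0' | Out-Null

# Step 6: loopback processing on the No Lock GPO. UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $noLock.DisplayName -Key $cmpKey -ValueName UserPolicyMode -Type DWord -Value 1 | Out-Null

# Step 4: security filtering. Remove Authenticated Users, grant the computer group Read + Apply.
Set-GPPermission -Name $noLock.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
Set-GPPermission -Name $noLock.DisplayName -TargetName $noLockGrp            -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 5: link both GPOs to the same container; link order 1 is processed last and wins on conflicts.
New-GPLink -Name $lock.DisplayName   -Target $targetOu -LinkEnabled Yes          | Out-Null
New-GPLink -Name $noLock.DisplayName -Target $targetOu -LinkEnabled Yes -Order 1 | Out-Null

# Check the resulting precedence at the link target.
(Get-GPInheritance -Target $targetOu).GpoLinks | Select-Object Order, DisplayName, Enabled
```

Two practical checks before calling it done: a computer added to the group only picks up the new token after a reboot, so restart Desktop2 and then run `gpresult /r /scope:user` as the logged-on user to confirm that No Lock is listed as applied and Lock is not the winning GPO for the screen saver settings. On domains patched with MS16-072 (June 2016), user settings are read under the computer account's security context, so the computer must retain Read on any GPO that carries User Configuration; the Read that GpoApply grants to the computer group covers that here, but do not strip it further.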
 

Author Comment

by:mizuho
ID: 37783304
Thanks to everyone who looked at this.

I didn't mention that I specifically need the unlocked computers to be "unconfigured" and not "denied" because we have a third-party app that manages screen-locking in a special way (allows scheduled screen-locking rules but also allows an admin to unlock a screen and access to the session, which some groups don't want, like Human Resources).

In the end, BigRedRPB's suggestion to use loopback mode solved my problem.
-I have a GPO that screen locks and it applies to Authenticated Users (also users loopback).
-I have an OU with computers that should lock, with the GPO linked to it.
