Solved

Group Policy Screen Lock Exceptions

Posted on 2012-03-22
4
1,231 Views
Last Modified: 2012-06-27
I'd like to have all authenticated users have a screen lock.  However, I would like a few computers to have this setting unconfigured.

For example, UserA has two computers, Desktop1 and Desktop2. UserA logs into Desktop1 and it should lock after 60 minutes of inactivity.  Desktop2 only displays data/news.  UserA logs into Desktop2 but doesn't touch it after logging in.

I have a screenLock GP Object linked to a site.  The screenLock GP Object locks the screen after 60 minutes of inactivity AND is set to deny apply GPO for a noLock group.  The noLock group contains computers which should not lock.

This setup does not work.  The computer that is in the noLock group still gets the screen lock setting.  Group Policy Management's Group Policy Results wizard confirms this.

(Using Server 2003 and XP.)

Help.
0
Comment
Question by:mizuho
4 Comments
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 37754756
How are these computers organized in Active Directory? Are you applying the GPOs to the computers, users, or groups? Note that if you are applying them towards security and distribution groups it will not work.
0
 
LVL 3

Expert Comment

by:GlobalStrata
ID: 37755188
I am assuming that you have authenticated users allowed to apply.  If so, they have rights to apply.  The way to do it is to remove Authenticated Users from the GPO, create a Group for Machines that will be Locked, add the computers to that group and then Delegate Access to that group (Read and Apply).  

Probably this is a bit difficult to manage if you have many computers.  So maybe it would be easier for you to use WMI instead.  Create a custom WMI value with a script and then use a WMI Filter to search for that value.
0
 
LVL 3

Accepted Solution

by:BigRedRPB (earned 250 total points)
ID: 37756947
This should be pretty straightforward and your configuration sounds like it should work, so there must be some tiny detail that is mucking things up.  Here's how I would do it.

Note:  IIRC, the screen saver policy only applies to the User Configuration so you can't just put the computers in a group and be good to go.

1. Create your 'Lock' policy with the settings you want and apply it to 'Authenticated Users'.
2. Create a group ('No Lock Computers') and put the computers you don't want to lock in it.
3. Create a 'No Lock' policy with settings to not lock the screen (be sure to set to Disabled, not just Not Configured).
4. Remove Authenticated Users from the No Lock policy and apply to the No Lock Computers group.
5. In the Group Policy objects list in GPMC, make the No Lock Policy a higher priority than the Lock policy.
6. In the No Lock policy, set the Loopback policy to Enabled | Merge
  - Computer Settings | Admin Templates | System | Group Policy | Use Group Policy Loopback processing mode

Essentially, loopback mode applies the user policies that are applied to the computer object to any user who logs into that computer.  This sometimes has unintended consequences, depending on your AD structure, so you may need to test this out to make sure that it doesn't remove any policies that you want to have in place on the No Lock computers.  You can read more about loopback mode here:  http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx

Give it a shot and see if that works for you.
0
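The six steps of the accepted answer, scripted with the GroupPolicy and ActiveDirectory PowerShell modules, as an added example that is not part of the thread. It assumes RSAT / Server 2008 R2 or later (the Server 2003 / XP environment in the question has no GroupPolicy cmdlets, so there the same steps are done by hand in GPMC), and uses placeholder names: domain contoso.local, OU "Workstations", group "No Lock Computers", computer accounts KIOSK01/KIOSK02 and user UserA. The registry-backed policy values it writes are the ones behind the "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" and "Configure user Group Policy loopback processing mode" settings.

```powershell
# Added example, not from the thread: scripts steps 1-6 of the accepted answer.
# Assumed placeholders: domain contoso.local, OU "Workstations", group "No Lock Computers",
# computer accounts KIOSK01/KIOSK02, user UserA. Requires RSAT (Server 2008 R2+), not 2003.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$targetOU  = "OU=Workstations,DC=contoso,DC=local"   # assumed OU that both GPOs are linked to
$noLockGrp = "No Lock Computers"                       # group name from step 2 of the answer
$desktop   = "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

# Step 1: 'Lock' policy - enabled, password-protected screen saver after 60 minutes (3600 s).
# A new GPO already grants Authenticated Users Read + Apply, which is what step 1 wants.
$lock = New-GPO -Name "Lock" -Comment "Secure screen lock after 60 minutes idle"
Set-GPRegistryValue -Name $lock.DisplayName -Key $desktop -ValueName "ScreenSaveActive"    -Type String -Value "1"    | Out-Null
Set-GPRegistryValue -Name $lock.DisplayName -Key $desktop -ValueName "ScreenSaverIsSecure" -Type String -Value "1"    | Out-Null
Set-GPRegistryValue -Name $lock.DisplayName -Key $desktop -ValueName "ScreenSaveTimeOut"   -Type String -Value "3600" | Out-Null
New-GPLink -Name $lock.DisplayName -Target $targetOU | Out-Null

# Step 2: security group holding the computers that must not lock (assumed computer accounts).
New-ADGroup -Name $noLockGrp -GroupScope Global -GroupCategory Security -Path $targetOU
Add-ADGroupMember -Identity $noLockGrp -Members "KIOSK01$", "KIOSK02$"

# Step 3: 'No Lock' policy with "Enable screen saver" set to Disabled (value 0),
# not merely Not Configured, so it actually overrides the 'Lock' policy.
$noLock = New-GPO -Name "No Lock" -Comment "Screen saver disabled; loopback merge"
Set-GPRegistryValue -Name $noLock.DisplayName -Key $desktop -ValueName "ScreenSaveActive" -Type String -Value "0" | Out-Null

# Step 4: scope 'No Lock' to the group. Authenticated Users is lowered to Read only rather
# than removed outright: since MS16-072, user policy is retrieved in the computer's security
# context, and a GPO that neither Authenticated Users nor Domain Computers can read is skipped.
Set-GPPermission -Name $noLock.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $noLock.DisplayName -TargetName $noLockGrp -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 5: link 'No Lock' to the same OU at link order 1 (highest precedence) so it wins over 'Lock'.
New-GPLink -Name $noLock.DisplayName -Target $targetOU -Order 1 | Out-Null

# Step 6: loopback processing in Merge mode (UserPolicyMode 1 = Merge, 2 = Replace). Merge keeps
# the user's own GPOs and layers the computer-linked user settings on top, which is why the
# answer warns to test that nothing you still want on the kiosks gets dropped.
Set-GPRegistryValue -Name $noLock.DisplayName -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 1 | Out-Null

# Verification, the same check the question ran through the Group Policy Results wizard:
# the RSoP report for UserA on KIOSK01 should show ScreenSaveActive = 0 winning from 'No Lock'.
Get-GPResultantSetOfPolicy -Computer "KIOSK01" -User "contoso\UserA" -ReportType Html -Path "$env:TEMP\rsop-kiosk01.html"
```

Run it once from a domain-joined admin workstation, then run `gpupdate /force` on a kiosk and open the report; on an ordinary workstation the same report should show the 'Lock' values (ScreenSaveActive 1, ScreenSaverIsSecure 1, ScreenSaveTimeOut 3600) unchanged, which confirms the deny-by-scope approach only affects the members of the group.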
 

Author Comment

by:mizuho
ID: 37783304
Thanks to everyone who looked at this.

I didn't mention that I specifically need the unlocked computers to be "unconfigured" and not "denied" because we have a third-party app that manages screen-locking in a special way (allows scheduled screen-locking rules but also allows an admin to unlock a screen and access to the session, which some groups don't want, like Human Resources).

In the end, BigRedRPB's suggestion to use loopback mode solved my problem.
- I have a GPO that screen locks and it applies to Authenticated Users (also users loopback).
- I have an OU with computers that should lock, with the GPO linked to it.
0
