Solved

Group Policy Screen Lock Exceptions

Posted on 2012-03-22
Last Modified: 2012-06-27
I'd like to have all authenticated users get a screen lock.  However, I would like a few computers to have this setting unconfigured.

For example, UserA has two computers, Desktop1 and Desktop2. UserA logs into Desktop1 and it should lock after 60 minutes of inactivity.  Desktop2 only displays data/news.  UserA logs into Desktop2 but doesn't touch it after logging in.

I have a screenLock GP Object linked to a site.  The screenLock GP Object locks the screen after 60 minutes of inactivity AND is set to deny apply GPO for a noLock group.  The noLock group contains computers which should not lock.

This setup does not work.  The computer that is in the noLock group still gets the screen lock setting.  Group Policy Management's Group Policy Results wizard confirms this.

(Using Server 2003 and XP.)

Help.
Question by: mizuho
4 Comments
 

Expert Comment

by: ThinkPaper
How are these computers organized in Active Directory? Are you applying the GPOs to the computers, users, or groups? Note that if you are applying them towards security and distribution groups it will not work.

Expert Comment

by: GlobalStrata
I am assuming that you have authenticated users allowed to apply.  If so, they have rights to apply.  The way to do it is to remove Authenticated Users from the GPO, create a Group for Machines that will be Locked, add the computers to that group and then Delegate Access to that group (Read and Apply).  

Probably this is a bit difficult to manage if you have many computers.  So maybe it would be easier for you to use WMI instead.  Either create a custom WMI value with a script and then use a WMI Filter to search for that value.

Accepted Solution

by: BigRedRPB (earned 250 total points)
This should be pretty straightforward and your configuration sounds like it should work, so there must be some tiny detail that is mucking things up.  Here's how I would do it.

Note:  IIRC, the screen saver policy only applies to the User Configuration so you can't just put the computers in a group and be good to go.

1. Create your 'Lock' policy with the settings you want and apply it to 'Authenticated Users'.
2. Create a group ('No Lock Computers') and put the computers you don't want to lock in it.
3. Create a 'No Lock' policy with settings to not lock the screen (be sure to set it to Disabled, not just Not Configured).
4. Remove Authenticated Users from the No Lock policy and apply to the No Lock Computers group.
5. In the Group Policy objects list in GPMC, make the No Lock Policy a higher priority than the Lock policy.
6. In the No Lock policy, set the Loopback policy to Enabled | Merge
  - Computer Settings | Admin Templates | System | Group Policy | Use Group Policy Loopback processing mode

Essentially, loopback mode applies the user policies that are applied to the computer object to any user who logs into that computer.  This sometimes has unintended consequences, depending on your AD structure, so you may need to test this out to make sure that it doesn't remove any policies that you want to have in place on the No Lock computers.  You can read more about loopback mode here:  http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx

Give it a shot and see if that works for you.
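The six steps in the accepted solution, scripted end to end. This is an added example, not code from the thread or from any of the posters: it uses the GroupPolicy and ActiveDirectory modules that ship with RSAT on Windows 7 / Server 2008 R2 and later (the Server 2003 / XP environment in the question has no such module, so there the same steps are done by hand in GPMC). The OU path, the computer name and the GPO and group names are assumptions; the registry values are the ones the two Admin Template settings (screen saver under User Configuration, loopback under Computer Configuration) write.

```powershell
# Added example (not from the thread): scripts the six steps of the accepted answer.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT, Win7 / Server 2008 R2+).
# OU path, computer name and GPO/group names are assumptions; adjust to your domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TargetOU    = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding the workstations
$LockGpo     = 'Lock'                                 # step 1
$NoLockGroup = 'No Lock Computers'                    # step 2
$NoLockGpo   = 'No Lock'                              # step 3
$IdleSeconds = 60 * 60                                # 60 minutes, as in the question

# Registry paths behind the Admin Template settings.  Screen saver settings exist only
# under User Configuration (hence the need for loopback); loopback is a Computer setting.
$ScreenSaverKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$LoopbackKey    = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Step 1: 'Lock' policy.  A freshly created GPO already grants Authenticated Users Read + Apply.
New-GPO -Name $LockGpo -Comment 'Password-protected screen saver after 60 min idle' | Out-Null
Set-GPRegistryValue -Name $LockGpo -Key $ScreenSaverKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'
Set-GPRegistryValue -Name $LockGpo -Key $ScreenSaverKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'
Set-GPRegistryValue -Name $LockGpo -Key $ScreenSaverKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$IdleSeconds"

# Step 2: security group for the machines that must never lock (Desktop2 from the question).
New-ADGroup -Name $NoLockGroup -GroupScope Global -GroupCategory Security -Path $TargetOU
Add-ADGroupMember -Identity $NoLockGroup -Members (Get-ADComputer -Identity 'Desktop2')   # assumed name

# Step 3: 'No Lock' policy.  'Enable screen saver' = Disabled writes ScreenSaveActive 0;
# it must be Disabled (an explicit value), not Not Configured, or it cannot override 'Lock'.
New-GPO -Name $NoLockGpo -Comment 'Screen saver disabled; applied to computers via loopback merge' | Out-Null
Set-GPRegistryValue -Name $NoLockGpo -Key $ScreenSaverKey -ValueName 'ScreenSaveActive'    -Type String -Value '0'
Set-GPRegistryValue -Name $NoLockGpo -Key $ScreenSaverKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '0'

# Step 4: security filtering.  Remove Authenticated Users; grant the computer group Read + Apply.
Set-GPPermission -Name $NoLockGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace
Set-GPPermission -Name $NoLockGpo -TargetName $NoLockGroup         -TargetType Group -PermissionLevel GpoApply

# Step 6: loopback processing in Merge mode (UserPolicyMode 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $NoLockGpo -Key $LoopbackKey -ValueName 'UserPolicyMode' -Type DWord -Value 1

# Step 5: link both GPOs to the OU and give 'No Lock' link order 1 (highest precedence).
New-GPLink -Name $LockGpo   -Target $TargetOU | Out-Null
New-GPLink -Name $NoLockGpo -Target $TargetOU -Order 1 | Out-Null

# Check: which trustees can apply each GPO, and the resulting link order on the OU.
foreach ($g in $LockGpo, $NoLockGpo) {
    Get-GPPermission -Name $g -All | Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { '{0,-8} apply: {1}' -f $g, $_.Trustee.Name }
}
(Get-GPInheritance -Target $TargetOU).GpoLinks | Select-Object Order, DisplayName, Enabled
```

In Merge mode the user's own GPO list is processed first and the computer's list second, so the 'No Lock' user settings (reachable only through the computer object) win over 'Lock' on the No Lock machines and nowhere else. One caveat for newer domains: since the June 2016 update (MS16-072) user settings are retrieved in the computer's security context, so a GPO carrying user settings must remain readable by the computer account; that holds here because 'Lock' keeps Authenticated Users (which includes computers) and the No Lock computers hold Apply, which includes Read, on 'No Lock'. After a `gpupdate /force`, `gpresult /h report.html` on a No Lock machine should show 'No Lock' as the winning GPO for the screen saver settings, the same check the question's author ran with the Group Policy Results wizard.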

Author Comment

by: mizuho
Thanks to everyone who looked at this.

I didn't mention that I specifically need the unlocked computers to be "unconfigured" and not "denied" because we have a third-party app that manages screen-locking in a special way (allows scheduled screen-locking rules but also allows an admin to unlock a screen and access to the session, which some groups don't want, like Human Resources).

In the end, BigRedRPB's suggestion to use loopback mode solved my problem.
- I have a GPO that screen locks and it applies to Authenticated Users (also uses loopback).
- I have an OU with computers that should lock, with the GPO linked to it.
