Group Policy Screen Lock Exceptions

I'd like to have all authenticated users have a screen lock. However, I would like a few computers to have this setting unconfigured.

For example, UserA has two computers, Desktop1 and Desktop2. UserA logs into Desktop1 and it should lock after 60 minutes of inactivity.  Desktop2 only displays data/news.  UserA logs into Desktop2 but doesn't touch it after logging in.

I have a screenLock GP Object linked to a site.  The screenLock GP Object locks the screen after 60 minutes of inactivity AND is set to deny apply GPO for a noLock group.  The noLock group contains computers which should not lock.

This setup does not work.  The computer that is in the noLock group still gets the screen lock setting.  Group Policy Management's Group Policy Results wizard confirms this.

(Using Server 2003 and XP.)

Help.
mizuho asked:
ThinkPaper (IT Consultant) commented:
How are these computers organized in Active Directory? Are you applying the GPOs to the computers, users, or groups? Note that if you are applying them towards security and distribution groups it will not work.
GlobalStrata commented:
I am assuming that you have authenticated users allowed to apply.  If so, they have rights to apply.  The way to do it is to remove Authenticated Users from the GPO, create a Group for Machines that will be Locked, add the computers to that group and then Delegate Access to that group (Read and Apply).  

Probably this is a bit difficult to manage if you have many computers. So maybe it would be easier for you to use WMI instead: create a custom WMI value with a script and then use a WMI Filter to search for that value.
BigRedRPB commented:
This should be pretty straightforward and your configuration sounds like it should work, so there must be some tiny detail that is mucking things up. Here's how I would do it.

Note:  IIRC, the screen saver policy only applies to the User Configuration so you can't just put the computers in a group and be good to go.

1. Create your 'Lock' policy with the settings you want and apply it to 'Authenticated Users'.
2. Create a group ('No Lock Computers') and put the computers you don't want to lock in it.
3. Create a 'No Lock' policy with settings to not lock the screen (be sure to set it to Disabled, not just Not Configured).
4. Remove Authenticated Users from the No Lock policy and apply to the No Lock Computers group.
5. In the Group Policy objects list in GPMC, make the No Lock Policy a higher priority than the Lock policy.
6. In the No Lock policy, set the Loopback policy to Enabled | Merge
  - Computer Settings | Admin Templates | System | Group Policy | Use Group Policy Loopback processing mode

Essentially, loopback mode applies the user policies that are applied to the computer object to any user who logs into that computer. This sometimes has unintended consequences, depending on your AD structure, so you may need to test this out to make sure that it doesn't remove any policies that you want to have in place on the No Lock computers. You can read more about loopback mode here: http://technet.microsoft.com/en-us/library/cc782810(v=WS.10).aspx

Give it a shot and see if that works for you.
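Added check, not part of any answer in this thread: a PowerShell script that reads the policy registry values the Lock / No Lock GPOs write on the client, so you can log on as UserA on Desktop1 and then on Desktop2 and confirm which configuration actually applied and whether loopback merge is in effect. It assumes PowerShell 2.0 or later on the client (not installed on XP by default); the registry paths are the standard policy locations for the screen saver and loopback policies.

```powershell
# Added example (not from the thread): report the effective screen-lock policy and
# loopback mode on the machine you are logged on to. Run as the user being tested.
function Get-EffectiveScreenLockPolicy {
    # Policy values written by "Screen saver timeout" / "Password protect the screen saver"
    $userPolicy  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # Policy value written by "User Group Policy loopback processing mode"
    $loopbackKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

    $props = $null
    if (Test-Path $userPolicy) { $props = Get-ItemProperty -Path $userPolicy }

    # Values are stored as REG_SZ strings ("1", "3600"); $null means not set by policy
    $active  = $null; if ($props.ScreenSaveActive    -ne $null) { $active  = [int]$props.ScreenSaveActive }
    $timeout = $null; if ($props.ScreenSaveTimeOut   -ne $null) { $timeout = [int]$props.ScreenSaveTimeOut }
    $secure  = $null; if ($props.ScreenSaverIsSecure -ne $null) { $secure  = [int]$props.ScreenSaverIsSecure }

    $mode = $null
    if (Test-Path $loopbackKey) {
        $mode = (Get-ItemProperty -Path $loopbackKey -ErrorAction SilentlyContinue).UserPolicyMode
    }
    # UserPolicyMode: 1 = Merge, 2 = Replace, absent/0 = loopback not in effect
    $loopback = 'Not configured / Disabled'
    if ($mode -eq 1) { $loopback = 'Merge' } elseif ($mode -eq 2) { $loopback = 'Replace' }

    # Interpret the combination the Lock / No Lock GPOs from the thread are meant to produce:
    #  Lock policy    -> ScreenSaveActive=1, ScreenSaverIsSecure=1, ScreenSaveTimeOut=3600 (60 min)
    #  No Lock policy -> ScreenSaveActive=0 (explicitly Disabled, so it wins over the Lock policy)
    #  Unconfigured   -> no policy values present; the user's own preference applies
    $state = 'Screen saver on but not password protected'
    if ($active -eq 1 -and $secure -eq 1) { $state = "Locks after $timeout seconds of inactivity" }
    elseif ($active -eq 0)                { $state = 'Screen saver disabled by policy (No Lock)' }
    elseif ($active -eq $null)            { $state = 'Not configured by policy (user preference applies)' }

    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        UserName         = $env:USERNAME
        ScreenSaveActive = $active
        TimeoutSeconds   = $timeout
        PasswordProtect  = $secure
        LoopbackMode     = $loopback
        EffectiveState   = $state
    }
}

Get-EffectiveScreenLockPolicy | Format-List
```

On the No Lock computers you expect LoopbackMode to read Merge and EffectiveState to show the policy explicitly disabled; on the locking computers LoopbackMode should be "Not configured / Disabled" and EffectiveState should show the 3600-second lock.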
mizuho (Author) commented:
Thanks to everyone who looked at this.

I didn't mention that I specifically need the unlocked computers to be "unconfigured" and not "denied" because we have a third-party app that manages screen-locking in a special way (allows scheduled screen-locking rules but also allows an admin to unlock a screen and access to the session, which some groups don't want, like Human Resources).

In the end, BigRedRPB's suggestion to use loopback mode solved my problem.
- I have a GPO that screen locks and it applies to Authenticated Users (also uses loopback).
- I have an OU with computers that should lock, with the GPO linked to it.