Solved

Group Policy

Posted on 2012-04-04
48
1,108 Views
Last Modified: 2012-04-10
Hi,

I created a group policy to force a screen saver.
it doesnt seem to be working.

Policy > User Configuration > Administrative Templates > Control Panel > Personalization. Here are the policies you’re looking for:
 
Enabled the screen save settings as well as force specific screensaver and password protect and timeout.
I saved the screen saver on my local machine c:\windows32\screensvr.scr
i also tried to put it on a network share.

When i apply the policy and check my control panel settings, i can still configure screen saver locally, also it never kicks in, i set it to 1 second.
please assist (what did i miss)

thank you plentttyy
0
Comment
Question by:Geekah
  • 18
  • 13
  • 11
  • +2
48 Comments
 
LVL 4

Assisted Solution

by:Red_Tech
Red_Tech earned 150 total points
ID: 37808809
Do you use this same GP to enforce other settings as well? Are those working?
0
 
LVL 6

Accepted Solution

by:
Raquero earned 200 total points
ID: 37808823
Is this a local group policy or a domain group policy object (GPO)?
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 150 total points
ID: 37809090
Run gpresult /h <filename.html> on the machine you are testing to see if the policy is even being applied.  

If the new GPO is seen you might have an order issue and it might bring nigated.
0
 
LVL 13

Expert Comment

by:lauchangkwang
ID: 37809765
If the PC is joined under domain, you should modified the OU (Organization Unit) group policy.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37810568
To elaborate on Lauchangkwang: the User's OU so it targets the user, but if you are at the Domain Level without any Block Inheritance then this will not apply.
0
 

Author Comment

by:Geekah
ID: 37812187
I am not that familair with Group Policy. so here is what i did.
In the group policy object editor i changed the settings below:
Enabled the screen save settings as well as force specific screensaver and password protect and timeout.

In the Group Policy Management I went unser the
-Domain.com
--Users
---Added a new policy named screen saver
(Except that there is not display settings where i can get the screen saver settings)

Please point me in the right direction even if i have to start over ..

thanks
0
 
LVL 4

Expert Comment

by:Red_Tech
ID: 37812248
Have you 'Enforced' the policy? Right click it and make sure.
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812260
There are three settings you need:

User Configuration\Administrative Templates\Control Panel\Personalization

Enable screen saver --> enabled
Force specific screen saver --> <if not %Systemroot%\System32 directory include full path>
Prevent changing screen saver --> enabled

http://technet.microsoft.com/en-us/library/ee617164(v=WS.10).aspx
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812262
BTW you do not need to "enforce" the policy, just make sure it is linked at the correct OU and Link Enabled
0
 

Author Comment

by:Geekah
ID: 37812263
I can enforce it, but there is no settings in it (in the group policy management) I cannot find the settings for screen saver.
I only set up the screen saver options in group policy object editor.

It is the available Screen Saver Options. so i dont know how to link those options to the empty screen saver policy i created in GPM
0
 

Author Comment

by:Geekah
ID: 37812274
It is linked (can you explain the difference between the Groip Policy Mnagement console vs GPO Editor)??
i am not sure where to enforce or push the proper one.
Yes it is linked in the GPO editor. And yes it is enforced in the GPM but no settings are in it.

???????
thank you
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37812309
I do not think you can add GPO to the USERS Folder in AD.  You would need to create a new OU (Firm Users or somthing similar)  in ADUC and move all users to that OU.
Or just add a New GPO to the Domain level.

GPO example 1
So if you placement is incorrect you will not get the desired results.

To confirm that the GPO's are being applied correctly you should use  Group Policy Result tool in GPMC or run gpresult /h <filename.html> like stated in one of my previous suggestions.

GPO example 2

Can you post a screenshot of your GPO's ?
0
 
LVL 4

Expert Comment

by:Red_Tech
ID: 37812371
Raquero is correct it must be Link Enabled and does not have to be Enforced. But Enforcing it will make it so it is not overridden by another policy.
0
 

Author Comment

by:Geekah
ID: 37812432
Awsome, so far everything is setup the way you have adviced.
Only thing is, my GPO is empty. I cannot find the Display settings to get to the screen settings under control panel settings.

Also the second screenshot shows the settings in the Group Policy Object editro.
How are these 2 related???
gpo1.png
gpo2.png
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812494
yo_bee is correct...you cannot apply a GPO to the default Users or Computers OUs.

It is fairly common to group users in different OUs beneath Users(some designs use the ITIL/MOF People, Process, Technology model instead of the default containers, which I personally espouse). The distribution of users in different OUs is based on either location (e.g. geography) or division/workgroup/etc. and for purposes of delegating administrative functions without making everyone who does user admin a domain admin.

If you have a single location with no need for delegating admin responsibilities (e.g. for different regions) create a new OU under Users and move all users to the new OU. Link your GPO there.

Always create/edit GPOs from the newest OS in your environment, even if you are still supporting XP machines.

Once you have linked your GPO to the new OU you can verify the settings are what you want: open Group Policy Management console from a W7 (with RSAT) or W2K8R2 server. Locate the GPO in the left pane and click on it to select it. Click the Settings tab in the right pane and drill down to
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37812496
You should not enforce the GPO like you are.
You are probably negating other settings

Your Screensaver GPO has not setting applied to it.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37812511
I would remove all enforcements and place the GPO's in the order you wish to have them applied.
The order is Low precedence to highest
So the last GPO to apply has the highest precedence
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812513
Geekah, your second screenshot is of a local group policy. You need to create/edit GPOs as described in my previous post via the Group Policy Management console from either a DC or a server/W7 machine with RSAT installed.
0
 

Author Comment

by:Geekah
ID: 37812514
Yo-bee.
If you read my questiojns, I am saying that i CANNOT find the settings.
I am aware the settings are not there. I cannot find the settings for screen saver.
Could someone assist as to how to add the display settings to the control panel??

The GPO, i just enforced after i got a sufggestion from you guys, so it wasnt working before or after.

thx
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812539
Are you saying you do not see the Personalization folder in the GPO? See my earlier post http:#a37812260
0
 

Author Comment

by:Geekah
ID: 37812549
Raquero,

the first screenshot shows the policy I created, It is created in a DC through GPO Management.
i cANNOT FIND THE SCREEN SHOT SETTINGS.........

:)
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812562
What OS is the DC running?
0
 

Author Comment

by:Geekah
ID: 37812568
Hi Raquero,
 please see the screen shot attached.

thx
No-Display-Settings.png
0
 

Author Comment

by:Geekah
ID: 37812571
DC is running Server 2008 R2 std
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:Geekah
ID: 37812599
i can see personalization in the second screen shot of my earlier post.
but i need to which one should i be working on

Group Policy Management where i have a policy created but its empty.

Or Group Policy Object editor where i can see personlization and have done the work already for settings but not sure how to apply it.

When you reposond  please let me know which one to work with (with any solution u recommend as i am greeeen to GPOs)

thanks plenty
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812617
What do you mean by group policy object editor? Are you running gpedit.msc locally on a workstation? That will only affect that computer.

You should only be using the Group Policy Management console as previously described.

Your last screen shot shows you are looking under Preferences. The settings are under User Configuration-->Policies-->User Configuration\Administrative Templates\Control Panel\Personalization


http:#a37812260

User Configuration\Administrative Templates\Control Panel\Personalization

Enable screen saver --> enabled
Force specific screen saver --> <if not %Systemroot%\System32 directory include full path>
Prevent changing screen saver --> enabled

http://technet.microsoft.com/en-us/library/ee617164(v=WS.10).aspx
0
 

Author Comment

by:Geekah
ID: 37812680
Thanks,

from Grou0p policy Management (as attached) i right click on the ScreenSver and go EDIT
And the attached shows that
User Configuration-->  has no administrative templates (it only has Policies and Preferences)
how do i change that, the view or how do i add the admin templates to the view???

i think we are close.
sorry for the confusion earlier
GPO-4.png
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37812727
Here are the settings:

Users Config > Administrative Templates > Control Panel > Personalization >

SS GPO 1
SS GPO 2
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812747
Expand Policies under user configuration, you are still looking under Preferences
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37812772
My screenshot demonstrates this
0
 

Author Comment

by:Geekah
ID: 37812796
Back to sequare one.
please see attached. it is NOT there :)

see second screenshot for available add ons. where to find the option i need and i can add it?

thx
gpo-5.png
gpo-6.png
0
 

Author Comment

by:Geekah
ID: 37812801
I looked under all links, As per my last screenshot (now that we agree on a location :) )
how do i add the template since it is not there???
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37812848
You are using GPME and not GPMC  
they are two different MMC's

Install RSAT on your windows 7 machine or connect to your AD via RDP.

You will see the settings.
You should not really use GPME at all.
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812850
Now it makes more sense. You have the Group Policy Central store enabled but the ADMX template files are not where they need to be.

From the latest OS version in your environment (e.g. server 2008 or W7/2008R2 in that order) you need to copy the PolicyDefinitions folder from c:\Windows\SYSVOL\domain\Policies to the sysvol folder for the domain (vis. \\mydomain.local\sysvol\mydomain.local\policies).


This article shows details with screen shots: http://www.petri.co.il/creating-group-policy-central-store.htm
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812866
Caveat: once you update to the W7/2K8R2 templates you will have to edit GPOs from one of those two platforms (not Vista, XP, or 2K8).
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37812874
Sorry....local path to copy from is C:\Windows\PolicyDefinitions
0
 

Author Comment

by:Geekah
ID: 37812884
Awesome, thank you so much everyone, i will try that later on today and will update you.
So sorry for the confusion theroughout :)
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37812887
this is one long thread
0
 

Author Comment

by:Geekah
ID: 37813000
with plenty of mis-communication.. my bad i was lost between Group Policy Editor and Group Policy Management :)
0
 

Author Comment

by:Geekah
ID: 37813865
Guys, still  need assistant. I still dont have settings in my policy....

Where and how do i add the control panel template????? where i can find the display and screen saver???

plleeeeaaasse
this is starting to take up all my day
thx plenty
0
 

Author Comment

by:Geekah
ID: 37813898
Spoke too soon...

never mind. i had to close GPO management (been a looooong day)

it shows up now and oh joy oh joy.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37813912
Are you using GPMC or GPME ?
0
 

Author Comment

by:Geekah
ID: 37813930
IT WOOOORRRKKSSS
omg thank you sooo much.
it finally works

you guys are awesommme
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 37813970
:)
Can you post a screenshot of your revise GP setup?
0
 
LVL 13

Expert Comment

by:lauchangkwang
ID: 37813971
seems like i miss a lot of things, just after a day from my end ..... :)......really a long post .....
0
 
LVL 6

Expert Comment

by:Raquero
ID: 37816397
Geekah, so you see the settings now that the templates are in the central store?
0
 

Author Comment

by:Geekah
ID: 37830356
Hi guys,

sorry i disappeared, but here is a screen shot of the working GPO.

Thank you again for your assistant :)
Working-GPO.png
0
 
LVL 13

Expert Comment

by:lauchangkwang
ID: 37830657
errmmm ...... I got no points for the OU suggestion from my first post ??? ......
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now