Solved

Issue with GPO Applying Correctly

Posted on 2014-09-22
Last Modified: 2014-09-23
Please see attached document for settings and structure. I need to disable the screensaver on all my conference room PCs. I have a GPO that has both Computer settings and User settings defined. My main user settings policy has only User Settings defined. I've tried Loopback with replace, but it completely replaces all User Settings with the Training GPO settings. I've tried merge, but it does not disable the screensaver. Any suggestions would be great.
C--Folder-Directory-GPO-Structure.docx
Question by:cornfedkiller

Expert Comment

by:Radhakrishnan Rajayyan
Hi,

It appears that the disable policies are overridden by other policies, i.e. there are a few OUs just above the Training and conference room machines. So, those policies are having screen savers enabled. So, obviously it's overriding the disabled policies.

Simply right-click the "Training and Conference Room Machines" OU and make it "Block Inheritance". Perform Gpupdate /force and reboot the machine. Check the issue and see if it's getting the correct policy applied.

Accepted Solution

by:
ThinkPaper earned 500 total points
I'm gonna have to disagree with Radhakrishnan on this one. Generally the policies at the root will not override policies applied at the child levels unless the ones at the top are enforced. I wouldn't use block inheritance unless explicitly required.

So one thing about Screensavers/Desktop settings that I've found is that the USER settings work better than the COMPUTER settings. That means:

1) Your default screensaver settings should be a USER policy and be applied at the top level OU where the users are
2) Your training screensaver settings should be a USER policy (which it looks like you've configured) and applied to the TRAINING Computers OU
3) In that Training OU, create a new policy where all it has in it is loopback processing enabled (this makes it easier for you to identify what OUs have loopback enabled vs digging into the GPO).

Also - try doing a merge instead of a replace and see what happens.

This should (in theory) make it so that any user that logs on a training computer gets the "no screensaver", but does not affect any machines outside that OU.

Either way, try making sure you are configured as above, and then log on a training workstation and run a gpresult or a RSoP and see what policies are applied (and at what inheritance order).
Check the links below to make sure you've configured loopback properly.. it can be a little tricky.

"2. Merge mode applies GPOs linked to the user object first, followed by GPOs with user settings linked to the computer object.
◦ The order of processing determines the precedence. GPOs with users settings linked to the computer object apply last and therefore have a higher precedence than those linked to the user object.
◦ Use merge mode in scenarios where you need users to receive the settings they normally receive, but you want to customize or make changes to those settings when they logon to specific computers.

3. Replace mode completely skips Group Policy objects linked in the path of the user and only applies user settings in GPOs linked in the path of the computer.
◦ Use replace mode when you need to disregard all GPOs that are linked in the path of the user object."

http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx
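
Added example, not part of the original thread: a small Python model of the merge and replace ordering quoted above, showing which GPO wins each user setting in each loopback mode. The GPO names and setting values are constructed sample data, and the model covers only the processing order described in the quote, not enforcement, block inheritance or security filtering.

```python
# Constructed model of user-side Group Policy processing with loopback.
# GPO names and values are hypothetical sample data, not taken from the thread.

# GPOs linked in the user's OU path, lowest precedence first.
USER_PATH = [
    ("Main User Settings", {"ScreenSaveActive": "1",
                            "ScreenSaverIsSecure": "1",
                            "ScreenSaveTimeOut": "600"}),
]

# GPOs linked in the computer's OU path; only their USER settings matter here.
COMPUTER_PATH = [
    ("Training - No Screensaver", {"ScreenSaveActive": "0"}),
    ("Training - Loopback", {}),  # enables loopback only, no user settings
]


def effective_user_settings(user_path, computer_path, mode):
    """Return {setting: (value, winning_gpo)} for 'none', 'merge' or 'replace'."""
    if mode == "none":        # normal processing: user path only
        order = list(user_path)
    elif mode == "merge":     # user path first, then computer path on top
        order = list(user_path) + list(computer_path)
    elif mode == "replace":   # user path skipped entirely
        order = list(computer_path)
    else:
        raise ValueError("mode must be 'none', 'merge' or 'replace'")

    result = {}
    for gpo_name, settings in order:
        for key, value in settings.items():
            result[key] = (value, gpo_name)  # later GPO overwrites earlier
    return result


def dropped_settings(user_path, computer_path, mode):
    """Settings the user normally receives that vanish under the given mode."""
    normal = effective_user_settings(user_path, computer_path, "none")
    actual = effective_user_settings(user_path, computer_path, mode)
    return sorted(set(normal) - set(actual))


if __name__ == "__main__":
    for mode in ("none", "merge", "replace"):
        print(mode, effective_user_settings(USER_PATH, COMPUTER_PATH, mode))
        print("  dropped:", dropped_settings(USER_PATH, COMPUTER_PATH, mode))
```

If the winning GPO shown by gpresult or RSoP on a training workstation differs from what this ordering predicts for merge mode, the difference points at something outside the model, such as an enforced link or filtering.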