Solved

Issue with GPO Applying Correctly

Posted on 2014-09-22
Last Modified: 2014-09-23
Please see attached document for settings and structure. I need to disable the screensaver on all my conference room PCs. I have a GPO that has both Computer settings and User settings defined. My main user settings policy has only User Settings defined. I've tried Loopback with replace, but it completely replaces all User Settings with the Training GPO settings. I've tried merge, but it does not disable the screensaver. Any suggestions would be great.
C--Folder-Directory-GPO-Structure.docx
Question by:cornfedkiller
2 Comments
 
LVL 21

Expert Comment

by:RK
ID: 40336821
Hi,

It appears that the disable policies are overridden by other policies, i.e. there are a few OUs just above the Training and conference room machines. So, those policies are having screen savers enabled. So, obviously it's overriding the disabled policies.

Simply right-click the "Training and Conference Room Machines" OU and set it to "Block Inheritance". Perform gpupdate /force and reboot the machine. Check the issue and see whether it's getting the correct policy applied.
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 40337662
I'm gonna have to disagree with radhakrishan on this one.. generally the policies at the root will not override policies applied at the child levels unless the ones at the top are enforced. I wouldn't use block inheritance unless explicitly required.

So one thing about Screensavers/Desktop settings that I've found is that the USER settings work better than the COMPUTER settings. That means:

1) Your default screensaver settings should be a USER policy and be applied at the top level OU where the users are
2) Your training screensaver settings should be a USER policy (which it looks like you've configured) and applied to the TRAINING Computers OU
3) In that Training OU, create a new policy where all it has in it is loopback processing enabled (this makes it easier for you to identify what OUs have loopback enabled vs digging into the GPO).

Also - try doing a merge instead of a replace and see what happens.

This should (in theory) make it so that any user that logs on a training computer gets the "no screensaver", but does not affect any machines outside that OU.

Either way, try making sure you are configured as above, and then log on a training workstation and run a gpresult or a RSoP and see what policies are applied (and at what inheritance order).
Check the links below to make sure you've configured loopback properly.. it can be a little tricky.

"2. Merge mode applies GPOs linked to the user object first, followed by GPOs with user settings linked to the computer object.
◦ The order of processing determines the precedence. GPOs with users settings linked to the computer object apply last and therefore have a higher precedence than those linked to the user object.
◦ Use merge mode in scenarios where you need users to receive the settings they normally receive, but you want to customize or make changes to those settings when they logon to specific computers.

3. Replace mode completely skips Group Policy objects linked in the path of the user and only applies user settings in GPOs linked in the path of the computer.
◦ Use replace mode when you need to disregard all GPOs that are linked in the path of the user object."

http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx
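
The layout described in the accepted answer, scripted with the GroupPolicy PowerShell module as an added example that is not part of the original thread. The domain DN and the GPO names are placeholders; the two registry values are the ones behind the "loopback processing mode" and "Enable screen saver" policies.

```powershell
# Added example; the OU path and GPO names are placeholders, not values from the thread.
Import-Module GroupPolicy   # ships with GPMC / RSAT

$TrainingOU  = 'OU=Training and Conference Room Machines,DC=example,DC=com'
$LoopbackGpo = 'Training - Loopback Merge'
$ScreenGpo   = 'Training - No Screensaver'

function New-TrainingLoopbackLayout {
    # Step 3: a GPO holding only the loopback setting (COMPUTER side).
    # UserPolicyMode: 1 = Merge, 2 = Replace.
    New-GPO -Name $LoopbackGpo | Out-Null
    Set-GPRegistryValue -Name $LoopbackGpo -Type DWord -Value 1 `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' | Out-Null

    # Step 2: the screensaver override as a USER setting
    # ("Enable screen saver" = Disabled is ScreenSaveActive = "0").
    New-GPO -Name $ScreenGpo | Out-Null
    Set-GPRegistryValue -Name $ScreenGpo -Type String -Value '0' `
        -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
        -ValueName 'ScreenSaveActive' | Out-Null

    # Both GPOs are linked to the OU that holds the COMPUTER accounts.
    New-GPLink -Name $LoopbackGpo -Target $TrainingOU | Out-Null
    New-GPLink -Name $ScreenGpo   -Target $TrainingOU | Out-Null
}

function Get-TrainingOUPrecedence {
    # Shows whether inheritance is blocked on the OU and which inherited
    # links are enforced; the list is returned highest precedence first.
    $inh = Get-GPInheritance -Target $TrainingOU
    "Inheritance blocked: $($inh.GpoInheritanceBlocked)"
    $inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Target
}

function Test-TrainingWorkstation {
    # Run on a training PC as the logged-on user, after a reboot.
    gpupdate /force | Out-Null
    $sys  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    [pscustomobject]@{
        LoopbackMode     = (Get-ItemProperty $sys  -ErrorAction SilentlyContinue).UserPolicyMode
        ScreenSaveActive = (Get-ItemProperty $desk -ErrorAction SilentlyContinue).ScreenSaveActive
    }
    gpresult /r /scope user   # lists the user GPOs that were applied
}
```

An empty `LoopbackMode` on the workstation means the computer never received the loopback GPO, which points at the link or the computer's OU rather than at the screensaver setting.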

Question has a verified solution.
