Solved

Issue with GPO Applying Correctly

Posted on 2014-09-22
2
210 Views
Last Modified: 2014-09-23
Please see attached document for settings and structure. I need to disable the screensaver on all my conference room PC's, I I have a GPO the has both Computer settings and Users settings defined. My main user settings policy has only User Settings defined. I've tried Loopback with replace, but it completely replaces all User Settings with the Training GPO settings. I've tried merge, but it does not disable the screensaver. Any suggestions would be great.
C--Folder-Directory-GPO-Structure.docx
0
Comment
Question by:cornfedkiller
2 Comments
 
LVL 21

Expert Comment

by:RK
ID: 40336821
Hi,

I appears that the disable policies are override by other policies. Ie - There are few OU's just above the Training and conference room machines. So, those polices are having screen savers enabled. So, obviously it's overriding the disabled policies.

Simply right click the "Training and Conference Room Machines" OU and make it "Block Inheritance". Perform Gpupdate /force and reboot the machine. Check the issue and see it's getting the correct policy applied?
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 40337662
I'm gonna have to disagree with radhakrishan on this one.. generally the policies at the root will not override policies applied at the child levels unless the ones at the top are enforced. I wouldn't use block inheritance unless explicitly required.

So one thing about Screensavers/Desktop settings that I've found is that the USER settings work better than the COMPUTER settings. That means:

1) Your default screensaver settings should be a USER policy and be applied at the top level OU where the users are
2) Your training screensaver settings should be a USER policy (which you look live you've configured) and applied to the TRAINING Computers OU
3) In that Training OU, create a new policy where all it has in it is loopback processing enabled (this makes it easier for you to identify what OUs have loopback enabled vs digging into the GPO).

Also - try doing a merge instead of a replace and see what happens.

This should (in theory) make it so that any user that logs on a training computer gets the "no screensaver", but does not affect any machines outside that OU.

Either way, try making sure you are configured as above, and then log on a training workstation and run a gpresult or a RSoP and see what policies are applied (and at what inheritance order).
Check the links below to make sure you've configured loopback properly.. it can be a little tricky.

"2.Merge mode applies GPOs linked to the user object first, followed by GPOs with user settings linked to the computer object.
◦The order of processing determines the precedence. GPOs with users settings linked to the computer object apply last and therefore have a higher precedence than those linked to the user object.
◦Use merge mode in scenarios where you need users to receive the settings they normally receive, but you want to customize or make changes to those settings when they logon to specific computers.

3.Replace mode completely skips Group Policy objects linked in the path of the user and only applies user settings in GPOs linked in the path of the computer.  
Use replace mode when you need to disregard all GPOs that are linked in the path of the user object."

http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question