Solved

Issue with GPO Applying Correctly

Posted on 2014-09-22
Last Modified: 2014-09-23
Please see attached document for settings and structure. I need to disable the screensaver on all my conference room PCs. I have a GPO that has both Computer settings and User settings defined. My main user settings policy has only User Settings defined. I've tried Loopback with replace, but it completely replaces all User Settings with the Training GPO settings. I've tried merge, but it does not disable the screensaver. Any suggestions would be great.
C--Folder-Directory-GPO-Structure.docx
Question by:cornfedkiller
2 Comments
 
LVL 21

Expert Comment

by:RK
ID: 40336821
Hi,

It appears that the disable policies are overridden by other policies, i.e., there are a few OUs just above the Training and conference room machines. So, those policies are having screen savers enabled. So, obviously it's overriding the disabled policies.

Simply right-click the "Training and Conference Room Machines" OU and make it "Block Inheritance". Perform gpupdate /force and reboot the machine. Check the issue and see whether it's getting the correct policy applied.
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 40337662
I'm gonna have to disagree with radhakrishan on this one.. generally the policies at the root will not override policies applied at the child levels unless the ones at the top are enforced. I wouldn't use block inheritance unless explicitly required.

So one thing about Screensavers/Desktop settings that I've found is that the USER settings work better than the COMPUTER settings. That means:

1) Your default screensaver settings should be a USER policy and be applied at the top level OU where the users are
2) Your training screensaver settings should be a USER policy (which it looks like you've configured) and applied to the TRAINING Computers OU
3) In that Training OU, create a new policy where all it has in it is loopback processing enabled (this makes it easier for you to identify what OUs have loopback enabled vs digging into the GPO).

Also - try doing a merge instead of a replace and see what happens.

This should (in theory) make it so that any user that logs on a training computer gets the "no screensaver", but does not affect any machines outside that OU.

Either way, try making sure you are configured as above, and then log on a training workstation and run a gpresult or a RSoP and see what policies are applied (and at what inheritance order).
Check the links below to make sure you've configured loopback properly.. it can be a little tricky.

"2. Merge mode applies GPOs linked to the user object first, followed by GPOs with user settings linked to the computer object.
◦ The order of processing determines the precedence. GPOs with user settings linked to the computer object apply last and therefore have a higher precedence than those linked to the user object.
◦ Use merge mode in scenarios where you need users to receive the settings they normally receive, but you want to customize or make changes to those settings when they log on to specific computers.

3. Replace mode completely skips Group Policy objects linked in the path of the user and only applies user settings in GPOs linked in the path of the computer.
◦ Use replace mode when you need to disregard all GPOs that are linked in the path of the user object."

http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx
0
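
The checks suggested in the accepted answer, collected as a PowerShell script. This is an added example, not part of the original thread. The domain part of the OU distinguished name is a placeholder; the two registry paths are the locations where the loopback mode policy and the "Enable screen saver" user policy are written.

```powershell
# Added example (not from the thread). Run steps 1-3 on a training or
# conference room PC, in the session of the user who still gets a screensaver.

# 1. Loopback mode is a computer-side policy value: 1 = Merge, 2 = Replace.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue).UserPolicyMode
$loopback = if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'Not configured' }
Write-Output "Loopback processing mode: $loopback"

# 2. The user policy "Enable screen saver" writes ScreenSaveActive under the
#    user's policy hive. "0" means the screensaver is disabled by policy.
$ssKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$active = (Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue).ScreenSaveActive
if ($null -eq $active) {
    Write-Output 'Screensaver policy: not set by any applied GPO'
} elseif ($active -eq '0') {
    Write-Output 'Screensaver policy: disabled'
} else {
    Write-Output 'Screensaver policy: enabled'
}

# 3. Resultant set of policy for the user scope. The summary lists the GPOs
#    that applied or were filtered out; the HTML report names the winning
#    GPO for each individual setting.
gpresult /scope user /r
$report = Join-Path $env:TEMP 'gpresult-user.html'
gpresult /scope user /h $report /f
Write-Output "Full report written to $report"

# 4. From a machine with the GroupPolicy module (RSAT): show what the OU
#    inherits, whether inheritance is blocked, and which links are enforced.
# ASSUMPTION: 'DC=example,DC=com' is a placeholder; use your own domain DN.
$ouDn = 'OU=Training and Conference Room Machines,DC=example,DC=com'
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    $som = Get-GPInheritance -Target $ouDn
    Write-Output "Inheritance blocked: $($som.GpoInheritanceBlocked)"
    $som.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
} else {
    Write-Output 'GroupPolicy module not available; skipping inheritance check'
}
```

If step 1 reports "Not configured", the loopback GPO is not reaching the computer, and user settings linked to the Training OU will not apply regardless of merge or replace.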


Question has a verified solution.
