Solved

Group policy link order

Posted on 2014-11-26
4
194 Views
Last Modified: 2015-01-09
I have a screen saver USER timeout set on default domain policy to 15min. This is inherited and applies to all users.
User accounts are in Staff OU
Workstation accounts are in Workstation OU
Server accounts are in Server OU

I want to set a different timeout to the same staff but to apply to servers only.
So when they login to their workstation its 15min, but same user on a server its 30min.

The issue here is that the timeout is a USER setting so putting it on my server group policy does not work because the users are not located in that OU, only server computer accounts are.
Putting it in the staff OU will apply to all staff but to all computers that staff logs into, workstation and server.
This is pointless since I already have it in default group policy and I don't want this.

unlike preferences this gpo setting doesn't have item level targeting.
So how do I enforce 2 different user settings to all users but on 2 different computer types?
1.The most common issue seen with Group Policy is a setting not being applied. The first place to check is the Scope Tab on the Group Policy Object (GPO). If you are configuring a computer side setting, make sure the GPO is linked to the Organization Unit (OU) that contains the computer. If the GPO configures a user side setting, it needs to be linked to the OU containing the correct user. Remember, GPOs cannot be linked to an OU that just contains security groups. You can use this PowerShell script to optimize your GPO links and ensure that they are properly linked.  

DCs are all win 2012, pcs are win 7, servers are 2008R2 and 2012.

Thanks
0
Comment
Question by:baysysadmin
  • 2
4 Comments
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40467798
use wmi filtering instead   for servers
select * from Win32_OperatingSystem where ProductType="2" or ProductType="3"
fpr desktops
select * from Win32_OperatingSystem where ProductType="1"
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40467806
Or loopback processing, since it'll apply to all staff.
0
 

Author Comment

by:baysysadmin
ID: 40467835
Ive never used WMI filters.

The default name space was root\CIMv2 so I used that.

Ive applied the filter to my server GPO but this wont help me since the setting is USER based.

Does that mean in order to make this work I need 2 STAFF GPOs,  one with Server filter the other with workstation filter.
And then move remove the timeout USER setting from default domain policy and put it in the staff policy 1 and 2?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40467901
Yes that is correct.
0

Join & Write a Comment

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now