baysysadmin
asked on
Group policy link order
I have a screen saver USER timeout set on default domain policy to 15min. This is inherited and applies to all users.
User accounts are in Staff OU
Workstation accounts are in Workstation OU
Server accounts are in Server OU
I want to set a different timeout to the same staff but to apply to servers only.
So when they login to their workstation its 15min, but same user on a server its 30min.
The issue here is that the timeout is a USER setting so putting it on my server group policy does not work because the users are not located in that OU, only server computer accounts are.
Putting it in the staff OU will apply to all staff but to all computers that staff logs into, workstation and server.
This is pointless since I already have it in default group policy and I don't want this.
unlike preferences this gpo setting doesn't have item level targeting.
So how do I enforce 2 different user settings to all users but on 2 different computer types?
DCs are all win 2012, pcs are win 7, servers are 2008R2 and 2012.
Thanks
User accounts are in Staff OU
Workstation accounts are in Workstation OU
Server accounts are in Server OU
I want to set a different timeout to the same staff but to apply to servers only.
So when they login to their workstation its 15min, but same user on a server its 30min.
The issue here is that the timeout is a USER setting so putting it on my server group policy does not work because the users are not located in that OU, only server computer accounts are.
Putting it in the staff OU will apply to all staff but to all computers that staff logs into, workstation and server.
This is pointless since I already have it in default group policy and I don't want this.
unlike preferences this gpo setting doesn't have item level targeting.
So how do I enforce 2 different user settings to all users but on 2 different computer types?
1.The most common issue seen with Group Policy is a setting not being applied. The first place to check is the Scope Tab on the Group Policy Object (GPO). If you are configuring a computer side setting, make sure the GPO is linked to the Organization Unit (OU) that contains the computer. If the GPO configures a user side setting, it needs to be linked to the OU containing the correct user. Remember, GPOs cannot be linked to an OU that just contains security groups. You can use this PowerShell script to optimize your GPO links and ensure that they are properly linked.
DCs are all win 2012, pcs are win 7, servers are 2008R2 and 2012.
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Cliff Galiher
Or loopback processing, since it'll apply to all staff.
ASKER
Ive never used WMI filters.
The default name space was root\CIMv2 so I used that.
Ive applied the filter to my server GPO but this wont help me since the setting is USER based.
Does that mean in order to make this work I need 2 STAFF GPOs, one with Server filter the other with workstation filter.
And then move remove the timeout USER setting from default domain policy and put it in the staff policy 1 and 2?
The default name space was root\CIMv2 so I used that.
Ive applied the filter to my server GPO but this wont help me since the setting is USER based.
Does that mean in order to make this work I need 2 STAFF GPOs, one with Server filter the other with workstation filter.
And then move remove the timeout USER setting from default domain policy and put it in the staff policy 1 and 2?
Yes that is correct.