Solved

Group policy link order

Posted on 2014-11-26
4
203 Views
Last Modified: 2015-01-09
I have a screen saver USER timeout set on default domain policy to 15min. This is inherited and applies to all users.
User accounts are in Staff OU
Workstation accounts are in Workstation OU
Server accounts are in Server OU

I want to set a different timeout to the same staff but to apply to servers only.
So when they login to their workstation its 15min, but same user on a server its 30min.

The issue here is that the timeout is a USER setting so putting it on my server group policy does not work because the users are not located in that OU, only server computer accounts are.
Putting it in the staff OU will apply to all staff but to all computers that staff logs into, workstation and server.
This is pointless since I already have it in default group policy and I don't want this.

unlike preferences this gpo setting doesn't have item level targeting.
So how do I enforce 2 different user settings to all users but on 2 different computer types?
1.The most common issue seen with Group Policy is a setting not being applied. The first place to check is the Scope Tab on the Group Policy Object (GPO). If you are configuring a computer side setting, make sure the GPO is linked to the Organization Unit (OU) that contains the computer. If the GPO configures a user side setting, it needs to be linked to the OU containing the correct user. Remember, GPOs cannot be linked to an OU that just contains security groups. You can use this PowerShell script to optimize your GPO links and ensure that they are properly linked.  

DCs are all win 2012, pcs are win 7, servers are 2008R2 and 2012.

Thanks
0
Comment
Question by:baysysadmin
  • 2
4 Comments
 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40467798
use wmi filtering instead   for servers
select * from Win32_OperatingSystem where ProductType="2" or ProductType="3"
fpr desktops
select * from Win32_OperatingSystem where ProductType="1"
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40467806
Or loopback processing, since it'll apply to all staff.
0
 

Author Comment

by:baysysadmin
ID: 40467835
Ive never used WMI filters.

The default name space was root\CIMv2 so I used that.

Ive applied the filter to my server GPO but this wont help me since the setting is USER based.

Does that mean in order to make this work I need 2 STAFF GPOs,  one with Server filter the other with workstation filter.
And then move remove the timeout USER setting from default domain policy and put it in the staff policy 1 and 2?
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40467901
Yes that is correct.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question