Solved

Domain group policies not behaving as I expected

Posted on 2015-01-23
5
134 Views
Last Modified: 2015-01-26
I have various domain group policies at the domain level. One is called "lockup" and has the following settings:-

Computer Configuration - nothing defined
User Configuration:-
Policies->Admin Templates->Control Panel/Personalization:-
Enable Screen Saver = Enabled
Force Specific Screensaver = Enabled (%windir%\system32\rundll32.exe user32.dll,LockWorkStation)
Password Protect The Screensaver = Enabled
Screensaver Timeout = Enabled (300 seconds)

This group policy is enforced and security filtering is to a group called MYDOMAIN\Lockdown

I have another group policy called "Marketing Exhibition" with the following settings:-

Computer Configuration:-
Policies->Admin Templates->System/Group Policy:-
User Group Policy loopback processing mode = Enabled (Replace)
User Configuration:-
Policies->Admin Templates->Control Panel/Personalization:-
Enable Screen Saver = Disabled
Force Specific Screensaver = Disabled
Password Protect The Screensaver = Disabled
Screensaver Timeout = Disabled

This policy is enforced and security filtering is set to "MYDOMAIN\Domain Users", "CNB00287$ (MYDOMAIN\CNB00287)"

If any member of group MYDOMAIN\Lockdown logs on to any domain machine after 5 minutes, their screen locks to the CTRL-ALT-DEL prompt and requires a password.

The machine CNB00287 sometimes gets taken and used at exhibitions, and regardless of who logs on to it, it should NOT lock up. However, my group policy "Marketing Exhibition" doesn't seem to be working at all.

When I run RSoP on CNB00287 against any domain user, the settings show that the "Lockdown" policy is in force.

Can someone please advise what I am missing?
0
Comment
Question by:Chris Millard
  • 2
  • 2
5 Comments
 
LVL 7

Expert Comment

by:DrAtomic
ID: 40566099
Is the user logging on to CNB00287 a member of the domain? If so that user is part of the Domain Users group and thus receives the User policy.

The way to work around that is to add a security group that all normal members are part of except for the Marketing Exhibition users.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40566117
Yes they are part of the domain users group. However, the marketing users ARE also part of the domain members group, and when they log on to their regular desktops, the lockdown policy needs to be enforced which is why I was trying to set the Security Filtering to Domain Users and CNB00287$ with the loopback processing.
0
 
LVL 7

Expert Comment

by:DrAtomic
ID: 40566150
The best way I can think of right now is to create a separate exhibition user and have that user receive an user policy without lockdown. Unless somebody else has a better idea.
0
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 40566559
Apply Deny to the Read permission of the Lockdown policy for the CNB00287$ computer account.

1. In Group Policy Management Console, select the policy and go to the delegation tab.

Capture.JPG

2. Click the 'Add...' button

Capture.JPG

3. Change the Object Types to include computer accounts.

Capture.JPGCapture.JPG

4. Locate or search for the computer account in question.

5. Modify the permissions for the newly added delegate.

Click on the 'Advanced...' button.  Locate the delegate you just added, and change the Read permission to Deny.Capture.JPG
-saige-
0
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 40570261
Denying the policy to CNB00287 worked, however RSoP was reporting on the profile from the time that the user last logged on. I had to get the user to logon again after making the changes so that the user policy took effect.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question