Chris Millard
asked on
Domain group policies not behaving as I expected
I have various domain group policies at the domain level. One is called "lockup" and has the following settings:-
Computer Configuration - nothing defined
User Configuration:-
Policies->Admin Templates->Control Panel/Personalization:-
Enable Screen Saver = Enabled
Force Specific Screensaver = Enabled (%windir%\system32\rundll32.exe user32.dll,LockWorkStation)
Password Protect The Screensaver = Enabled
Screensaver Timeout = Enabled (300 seconds)
This group policy is enforced and security filtering is to a group called MYDOMAIN\Lockdown
I have another group policy called "Marketing Exhibition" with the following settings:-
Computer Configuration:-
Policies->Admin Templates->System/Group Policy:-
User Group Policy loopback processing mode = Enabled (Replace)
User Configuration:-
Policies->Admin Templates->Control Panel/Personalization:-
Enable Screen Saver = Disabled
Force Specific Screensaver = Disabled
Password Protect The Screensaver = Disabled
Screensaver Timeout = Disabled
This policy is enforced and security filtering is set to "MYDOMAIN\Domain Users", "CNB00287$ (MYDOMAIN\CNB00287)"
If any member of group MYDOMAIN\Lockdown logs on to any domain machine after 5 minutes, their screen locks to the CTRL-ALT-DEL prompt and requires a password.
The machine CNB00287 sometimes gets taken and used at exhibitions, and regardless of who logs on to it, it should NOT lock up. However, my group policy "Marketing Exhibition" doesn't seem to be working at all.
When I run RSoP on CNB00287 against any domain user, the settings show that the "Lockdown" policy is in force.
Can someone please advise what I am missing?
ASKER
Yes they are part of the domain users group. However, the marketing users ARE also part of the domain members group, and when they log on to their regular desktops, the lockdown policy needs to be enforced which is why I was trying to set the Security Filtering to Domain Users and CNB00287$ with the loopback processing.
The best way I can think of right now is to create a separate exhibition user and have that user receive an user policy without lockdown. Unless somebody else has a better idea.
ASKER
Denying the policy to CNB00287 worked, however RSoP was reporting on the profile from the time that the user last logged on. I had to get the user to logon again after making the changes so that the user policy took effect.
The way to work around that is to add a security group that all normal members are part of except for the Marketing Exhibition users.
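The fix the asker reports ("denying the policy to CNB00287") can be scripted and verified. The following is an added example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules are available in a domain-admin session, and uses the thread's GPO and computer names.

```powershell
# Added example: deny "Apply Group Policy" on the "lockup" GPO to the exhibition
# computer account so that loopback Replace on that machine no longer pulls the
# lockup user settings into the resultant set. Names below are the thread's.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName      = 'lockup'
$ComputerName = 'CNB00287'

# Resolve the GPO and the computer account's SID (the trustee for the Deny ACE).
$gpo      = Get-GPO -Name $GpoName
$computer = Get-ADComputer -Identity $ComputerName
$sid      = $computer.SID

# Security filtering lives on the DACL of the GPO's container object in AD.
$domainDn = (Get-ADDomain).DistinguishedName
$gpoDn    = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$adPath   = "AD:\$gpoDn"
$acl      = Get-Acl -Path $adPath

# "Apply Group Policy" is an extended right identified by this rights GUID.
$applyGpGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# A Deny ACE for the computer outranks the Allow that the Lockdown group carries,
# while every other domain machine keeps applying "lockup" unchanged.
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpGuid)
$acl.AddAccessRule($deny)
Set-Acl -Path $adPath -AclObject $acl

# Verify the ACE landed: the computer should be listed with Denied = True.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Sid -eq $sid } |
    Format-Table Trustee, Permission, Denied -AutoSize

# The thread's gotcha: RSoP reports the result set from the user's last logon.
# Have the user log off and on again (or run gpupdate /force on CNB00287)
# before trusting gpresult output:  gpresult /r /scope:user
```

Because the change only touches the DACL of the "lockup" GPO object, it can be reverted by removing the same ACE; no link or enforcement setting is altered.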