Looking for some hand holding to create a simple Group Policy on Windows Server 2012 Essentials

Hi all,
Over the last 5 years, I've never really used Group Policies with my small business servers, but I now have a need for it and I'd like to get some help from the experts here as opposed to picking through a thousand options on Google.

We have a Server 2012 Essentials machine.
I'd like to have a policy to lock "SOME" of the computers with screensaver after 5 minutes.
I have found a lot of info on the settings for that.
Where I struggle is the BEST way to implement the policies.

Can someone help me understand the best way to:
1. Create sub-groups of users or computers
2. Apply this simple policy to only one of the groups

*** I realize I could do a lot of research and figure this out re: google but the reason I pay for EE is to get direct help from the experts.

Thanks in advance!!
rheide Asked:

kevinhsieh Commented:
You have two options. If the machines can be logically grouped together, you can put the machines into a new OU and then apply the GPO to that OU. If you can't logically group the machines together because the list of machines is more arbitrary than what works on an organizational chart, you can create a new group and limit the GPO to that group. For example, create a new domain local group called "screen lock 5 minutes GPO", and put all of the machines that you want to have the GPO into that group. Link your GPO to the top of the domain, and limit the application of the GPO to just the group.
https://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx

Now, there is an additional complication. Screen saver is a user setting, not a computer setting. Therefore, if you want it to apply to a group of computers (as opposed to users), you also need to enable group policy loopback processing with merge on the computers. Do this with another GPO. https://technet.microsoft.com/en-us/library/cc782810%28v=ws.10%29.aspx
0
btan (Exec Consultant) Commented:
Better to group those "SOME" computers under an OU group - they are considered the restricted machines since you likely want to enforce based on machine rather than users. In other words, the policy mandate is on mandate and not the user per se. Otherwise, if it is intended for users, then go for an OU consisting of those users. I see it more of machine for a start.

See this example - http://kudratsapaev.blogspot.co.uk/2009/07/loopback-processing-of-group-policy.html
e.g. The computer OU (in Green) takes precedence over User OU (in Red)
Now let’s enable the Loopback processing of Group Policy for the Green OU. In this case if the User logs on to the Computer, the policies applied ... the User is getting User Configuration 2 despite of the fact that he belongs to the Red OU. So, what has happened in this scenario, the User Configuration 1 was replaced with the User Configuration 2, i.e. with the configuration applied to the Computer account.
Indeed the loopback enabling is important as advised by expert too. Preferably we go for Merge mode instead. Any conflict btw two OU policy will be sorted out as again stated
In Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in our scenario, in case of the conflict the User Configuration 2 would be enforced.

As for the policy per se, that is easily available as per below
Computer Configuration
  >Policies
    >Administrative Templates
      >System/Group Policy

Policy                                          Setting
User Group Policy loopback processing mode      Enabled
  Mode: Merge

User Configuration
  >Policies
    >Administrative Templates
      >Control Panel/Personalization

Policy                                                  Setting
Enable screen saver                                     Enabled
Force specific screen saver                             Enabled
  Screen saver executable name: scrnsave.scr
Password protect the screen saver                       Enabled
Screen saver timeout                                    Enabled
  Number of seconds to wait to enable the screen saver
    Seconds: <some_integer>

https://www.petri.com/forums/forum/microsoft-networking-services/gpo/64853-deploying-screen-savers-using-gpo?p=436765#post436765

The requirement is that the machine is domain joined and users do not have administrative rights, otherwise it is going to be a headache to enforce using GPO. The latter is to be central enforcement; for standalone, it is to be local policy per se ...by default manual ...
0
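
The computer-OU route with loopback in Merge mode, as laid out in the two answers above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not code from the thread: the domain `example.local`, the OU and GPO names and the computers `PC-01`/`PC-02` are hypothetical, and 300 seconds is the asker's 5 minutes. It links the GPO to the OU and leaves the GPO's default security filtering untouched.

```powershell
# Added example (not from the thread). Run elevated on the DC or an RSAT machine.
# Hypothetical names: domain example.local, OU ScreenLock5Min, computers PC-01 / PC-02.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=local'      # hypothetical domain
$ouName   = 'ScreenLock5Min'           # hypothetical OU for the "SOME" computers
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Screen lock 5 minutes'    # hypothetical GPO name
$pcs      = 'PC-01', 'PC-02'           # hypothetical computer names

# 1. OU that holds only the computers that must lock; move the machines into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($pc in $pcs) {
    Get-ADComputer -Identity $pc | Move-ADObject -TargetPath $ouDn
}

# 2. One GPO carrying the loopback switch and the user-side screen saver settings.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }

# Computer Configuration > System/Group Policy > loopback mode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User Configuration > Control Panel/Personalization (these policy values are strings).
$ssKey    = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = [ordered]@{
    'ScreenSaveActive'    = '1'              # Enable screen saver
    'SCRNSAVE.EXE'        = 'scrnsave.scr'   # Force specific screen saver
    'ScreenSaverIsSecure' = '1'              # Password protect the screen saver
    'ScreenSaveTimeOut'   = '300'            # Screen saver timeout, in seconds
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $ssKey -ValueName $name `
        -Type String -Value $settings[$name] | Out-Null
}

# 3. Link the GPO to the computer OU only, so other machines are unaffected.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDn | Out-Null
}

# 4. Write a report of what the GPO now contains, for review before rollout.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\screenlock-gpo.html"
```

After the next policy refresh on one of the moved computers (`gpupdate /force`, then sign out and back in), `gpresult /r` run as the logged-on user should list the GPO under the user settings.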
rheide (Author) Commented:
All - I'm still reading through the GREAT info you have provided. Thank you so much.

If I said we could manage this by user instead, I'm assuming it would make things MUCH easier - is that the consensus?

Thanks!!!
0
btan (Exec Consultant) Commented:
I see no harm if the policy is user-centric, but as always have an OU for a test group as well prior to wide deployment - that is the practice typically. You can still create both OU types and try out the use cases. Go simple and do not rush through without thorough testing and acceptance first by the IT and OPS teams.
0
kevinhsieh Commented:
If you can apply the policy to users instead of computers it will be simpler because you won't need to worry about loopback processing. You will still need to create an OU or security group, add users to the OU or security group, apply and test the GPO. Simplest way is to create an OU for the test user, move user to the OU, and then create / apply the GPO to that OU.
0
btan (Exec Consultant) Commented:
Indeed, as the link shared, w/o loopback enabled initially:
As we can see from the picture, the User gets Computer Configuration 2 and User Configuration 1. This is absolutely standard situation, where policies are applied according to the belonging to the OU. User belongs to the Red OU, he gets the Red User configuration 1 accordingly.
0