Stephen Andrews

Group Policy not blocking inheritance

I created a screen lockout policy for our domain.  I have an OU set up for our Internet cafe since I do not want the computers in the cafe to have the same settings as the computers used by staff (Inheritance is blocked for this OU in Group Policy Management).  The computers in the Internet cafe have the screen lockout policy applied to them even though inheritance is blocked and GPM does not show the screen lockout policy being inherited by the OU.  What am I missing here?  Thanks!
Active Directory, Windows Server 2012, IT Administration


8/22/2022 - Mon
Joseph Moody

First, is the policy being set under user configuration? If so, the users can still apply it even though you have block inheritance on for the computer OU.

You may want to look at enabling loopback policy processing in replace mode for these machines. It provides a consistent user experience no matter where users are located.
Stephen Andrews

ASKER
It is being applied under user configuration.  Do I apply the loopback policy processing on the local GP of the machines that are affected?  Thanks!
Joseph Moody

You can. It would be better to set it in a GPO linked to the computer's OU. See this guide on configuring loopback: https://deployhappiness.com/loopback-policy-how-a-computer-gets-a-transgender-operation/
Stephen Andrews

ASKER
I created the policy to enable loopback processing for the OU that the cafe computers are part of (loopback processing enabled, replace).  I restarted the computers in the cafe and the screens still lock from the prior policy :-(
SOLUTION
Joseph Moody

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Stephen Andrews

ASKER
Loopback is enabled and set to replace.  I even restarted the machines a 2nd time.
Joseph Moody

Do you have this screen lockout policy linked to the computer OU or any higher OU?
Stephen Andrews

ASKER
The lockout policy applies to the domain.  When we decided to create a screen lockout policy for staff I created an OU for the cafe computers (my predecessor did not have any OUs set up) and set the OU to block inheritance.  When I checked the computers under the OU for the cafe I see the loopback processing object was inherited.
Joseph Moody

Do you have the GPO enforced (lock symbol next to the link)? If so, unenforce it.
Stephen Andrews

ASKER
The GPO is not enforced.  I read that "enforced" overrides "block inheritance".  All of our GPOs are set to "link enabled" and none to "enforced".  This is very baffling.
ASKER CERTIFIED SOLUTION
Adam Brown

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Stephen Andrews

ASKER
Not sure what was causing the issue but I did finally get it to stop.  We use one general login for the cafe computers and then customers use a program installed on the computer to access the computer.  I moved that general login user to the Users OU of the cafe's OU and the issue has stopped (since the cafe OU blocks inheritance of any other GPOs).
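The behaviour in this thread comes down to scope: User Configuration settings follow the OU of the user account, and Block Inheritance on the computer's OU does not change that unless loopback is in effect. The script below is an added example, not something posted by anyone in the thread, that compares the GPO scope of a computer with that of the account logging on to it. `CAFE-PC01` and `cafeuser` are hypothetical names, and the ActiveDirectory and GroupPolicy RSAT modules are assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Hypothetical names: replace with a cafe computer and the shared cafe logon.
$ComputerName = 'CAFE-PC01'
$UserName     = 'cafeuser'

function Get-GpoScopeDn {
    # Walk up from an object's DN to the nearest OU or domain. GPOs cannot be
    # linked to plain containers such as CN=Users or CN=Computers, so an
    # account left there only receives domain-level (and site-level) GPOs.
    param([string]$DistinguishedName)
    $dn = $DistinguishedName
    do { $dn = ($dn -split '(?<!\\),', 2)[1] } while ($dn -match '^CN=')
    $dn
}

function Show-GpoScope {
    # Print whether inheritance is blocked at this scope and which GPO links
    # actually reach it, in processing order.
    param([string]$Label, [string]$ScopeDn)
    $inh = Get-GPInheritance -Target $ScopeDn
    '{0} scope: {1} (inheritance blocked: {2})' -f $Label, $ScopeDn, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks | Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
}

$computerScope = Get-GpoScopeDn (Get-ADComputer -Identity $ComputerName).DistinguishedName
$userScope     = Get-GpoScopeDn (Get-ADUser -Identity $UserName).DistinguishedName

Show-GpoScope -Label 'Computer' -ScopeDn $computerScope
Show-GpoScope -Label 'User'     -ScopeDn $userScope

if ($computerScope -ne $userScope) {
    'User and computer sit in different scopes: without loopback, User ' +
    'Configuration settings come from the GPOs listed under the User scope.'
}

# Resultant Set of Policy for this user on this computer; the HTML report
# shows the winning GPO for each setting and whether loopback was applied.
Get-GPResultantSetOfPolicy -Computer $ComputerName -User "$env:USERDOMAIN\$UserName" `
    -ReportType Html -Path "$env:TEMP\cafe-rsop.html"
```

The RSoP report only contains data if the account has logged on to that computer at least once.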
SOLUTION
Adam Brown

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Stephen Andrews

ASKER
Adam Brown - "if Loopback was enabled on the policy".  Am I adding Loopback to the current policy or creating a separate Loopback policy?  I created a separate Loopback policy for the cafe OU.  Are you saying I'm supposed to add Loopback to the screen lockout policy, which means it has both user and computer configurations?