IT _Admin0723
asked on
Network security: Force logoff when logon hours expire Setting GPO
Hello Experts,
Does the following Local Policies/Security Options group policy, as listed below, need to be set only at the "Default Domain Policy" GPO and not in any other GPO? I am curious because we have this in our Default Domain Policy GPO as 'disabled' and 'enabled' in a GPO that is linked to our Domain Controllers OU. When I run secpol.msc on the domain controller itself, it is showing this option as 'disabled' (same setting as the Default Domain Policy) AND 'not configured' when I run an RSOP on the domain controller.
GPO:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Force logoff when logon hours expire
Can someone please shed some light?
Thank you!
Secpol.msc shows the local security policy settings. These policies apply only if there is no GPO that has a different setting assigned to the OU the system is located in. If you are seeing "Not configured" in the RSOP.msc, the Local Policy setting of Disabled would apply (RSOP doesn't read Secpol settings, so isn't 100% reliable here). In regard to the GPO linked to the Domain Controllers OU, make sure it's got the domain controllers group listed in the security filtering, not domain computers (Domain Controllers are not members of the Domain Computers group).
You also need to check the computer configuration properties in rsop.msc, and under filtering status, after checking the second option, which says something like "show filtering status" ... see what the status of the ddc GPO is.
The last GP applied may have precedence?
ASKER
Provided my own answer.
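The checks discussed in the replies above (the value set on the domain controller, and which GPOs were applied or filtered for the computer) can also be run from an elevated PowerShell prompt. This is an added example, not part of the original thread; the temporary file path is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# The export path under $env:TEMP is an arbitrary choice for this example.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'

# Export the security policy area of the machine's security settings to an INF file.
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
    throw "secedit export failed (exit code $LASTEXITCODE); is the session elevated?"
}

try {
    # "Network security: Force logoff when logon hours expire" is written to the
    # [System Access] section as ForceLogoffWhenHourExpire (0 = Disabled, 1 = Enabled).
    # Get-Content is used so the UTF-16 export is decoded before matching.
    $match = Get-Content -Path $cfg |
        Select-String -Pattern '^\s*ForceLogoffWhenHourExpire\s*=\s*(\d+)' |
        Select-Object -First 1

    if (-not $match) {
        Write-Warning 'ForceLogoffWhenHourExpire not found in the export.'
    }
    else {
        $value = [int]$match.Matches[0].Groups[1].Value
        $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        Write-Output "Force logoff when logon hours expire: $state (raw value $value)"
    }
}
finally {
    # The export contains the machine's security settings; do not leave it in TEMP.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Show which GPOs were applied to the computer and which were filtered out
# (and why), to compare against the GPO linked to the Domain Controllers OU.
gpresult /r /scope computer
```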