noclav
asked on
Removing a GPO for certain users
I have a GPO that automatically locks a workstation after 10 min of idle. Now certain users (owners) want it removed for their computers.
What is the correct way to achieve this?
What is the correct way to achieve this?
ASKER
Under security filtering i have Authenticated Users. Should i remove that and add a group with the users that i want the policy to be applied.
It also depends upon where you are applying the policy. I am assuming that your users are part of a domain. If your owner users are in a separate OU you can apply different policies at the individual OU levels or block inheritance if the policy is applied at a higher level.
Don't forget that if you block inheritance of group policy you have to add back in any policies you want to have apply to these users.
Don't forget that if you block inheritance of group policy you have to add back in any policies you want to have apply to these users.
ASKER
The users are all part of a domain in a separate OU called Company Users. The policy is already applied i need to remove it for certain users. Also it a USER Policy not a computer.
Under security filtering i have Authenticated Users. Should i remove that and add a group with the users that i want the policy to be applied.
Yes.
ASKER
From my understanding if i do that the policy will not automatically remove from the users not on that group. Or did Microsoft fix that.
Can you post exact policy that you have configured?
ASKER
User Configuration (Enabled)
Policies
>Administrative Templates
>Policy definitions (ADMX files) retrieved from the local computer.
Control Panel/Personalization
Policy Setting Comment
Enable screen saver Enabled
Force specific screen saver Enabled rundll32 user32.dll,LockWorkStation
Screen saver executable name rundll32 user32.dll,LockWorkStation
Policy Setting Comment
Password protect the screen saver Enabled
Screen saver timeout Enabled
Number of seconds to wait to enable the screen saver
Seconds: 600
Policies
>Administrative Templates
>Policy definitions (ADMX files) retrieved from the local computer.
Control Panel/Personalization
Policy Setting Comment
Enable screen saver Enabled
Force specific screen saver Enabled rundll32 user32.dll,LockWorkStation
Screen saver executable name rundll32 user32.dll,LockWorkStation
Policy Setting Comment
Password protect the screen saver Enabled
Screen saver timeout Enabled
Number of seconds to wait to enable the screen saver
Seconds: 600
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
the permission settings. Are you referencing to the Delegation tab?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
THanks its the same from the delegation tab. That part is done. Now will the policy go back to default on the users that had it originally enabled or do i need to delete reg keys?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- Toni Uranjek (https:#a42257268)
-- Toni Uranjek (https:#a42260429)
-- Shaun Vermaak (https:#a42257284)
-- Shaun Vermaak (https:#a42257585)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
seth2740
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Split:
-- Toni Uranjek (https:#a42257268)
-- Toni Uranjek (https:#a42260429)
-- Shaun Vermaak (https:#a42257284)
-- Shaun Vermaak (https:#a42257585)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
seth2740
Experts-Exchange Cleanup Volunteer
Either way, use "Security filtering" and use DENY "Apply Group Policy" to group of user/computer accounts.