asked on 9/1/2021

GPO Loopback processing

i have a couple of computers that are not processing a loopback policy that i created and I am not sure why.

I have a screensaver policy that kicks in after 5 minutes and its password protected (this gpo is fine)

I then have a couple of computers that need to have that disabled. In the past, i setup a loopback to replace the GPO and disable the password protection.

It doesnt work for some reason, RSOP is still reading the screensaver policy when it should read the local security policy instead.

Thoughts?

Security Group Policy Active Directory

Last Comment

Robert

9/2/2021

Andrew Porter

9/1/2021

Hmmmm....Dumb question - is the policy set in the correct position in the hierarchy?

Aaron Goodman

9/1/2021

ASKER

the GPO is on the domain level but i dont think that would matter since I am trying to loop a local security policy (replace)

Jeff Glover

9/1/2021

OK, not sure I follow either. You put the loopback setting in the Local Policy but have the GPO with the screensaver policy at the domain level? Or do I have it backwards?

Aaron Goodman

9/1/2021

ASKER

that is correct. Loopback is on the local security policy and the GPO that the local security policy is supposed override is on the domain level.

kevinhsieh

9/1/2021

I would use a GPO to enable loopback policy. You then need a GPO at a more specific point (lower than at the domain) to overwrite the domain screensaver policy. Enabling loopback doesn't block policies.
This isn't any different than having a domain GPO to enable screensaver, and then having another GPO on an OU to have a different screensaver policy for the users in that OU.

Jeff Glover

9/1/2021

In my experience, Local policies are pretty useless when you are using Group Policies. I do not know of a way to set them to No-Override so the Domain policy will always overwrite it. Policies are applied in this order. Local - Site - Domain - OUs in descending order.
If you set a policy setting locally and then set the same policy setting in a Group Policy object that applies to the OU (either the user or computer) than it will be overwritten in my experience. However, someone else may have know a way around this. I never use Local policies

Robert

9/1/2021

I agree with Jeff, local policies will not override a GPO and re somewhat pointless in a domain environment.
If it worked that way anyone with admin rights on the PC could prevent policies from properly applying, for example
the domain admin creates a GPO that forces a screensaver lock screen after 600 seconds (for security reasons) any admin on the local PC could just create a local policy that overrode it and prevent it from locking their PC. This would be a major audit issue if it worked that way.

Andrew Porter

9/1/2021

Maybe go back to the original problem and address is a different way. It sounds like you have some workstations that need an exception to the screensaver policy. Instead of creating a loopback policy, why not create another GPO that disables the screensaver and apply it after the original policy in the hierarchy?

Aaron Goodman

9/1/2021

ASKER

i totally get all the points. the reason i setup a loopback for the local security policy is to apply different screensaver settings on a couple of pc's. It was my understanding that the loopback kicks in after all of the GPO's are applied therefore it should overwrite the screen saver policy.

Is there another way to do this? with security filtering perhaps? There are like 3 computers that i dont want to apply the gpo too. I dont want to move them into a seperate OU each time.

kevinhsieh

9/1/2021

You need a new GPO to apply a different screen saver policy. You can use security filtering on the GPO to limit the machines that it applies to. Also apply loopback processing in same GPO so that the screensaver settings can get applied.

ASKER CERTIFIED SOLUTION

Robert

9/2/2021

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.

View this solution by signing up for a free trial.

Members can start a 7-Day free trial and enjoy unlimited access to the platform.

See Pricing Options

Start Free Trial