Aaron Goodman
asked on
GPO Loopback processing
I have a couple of computers that are not processing a loopback policy that I created and I am not sure why.
I have a screensaver policy that kicks in after 5 minutes and it's password protected (this GPO is fine).
I then have a couple of computers that need to have that disabled. In the past, I set up a loopback to replace the GPO and disable the password protection.
It doesn't work for some reason, RSOP is still reading the screensaver policy when it should read the local security policy instead.
Thoughts?
Hmmmm....Dumb question - is the policy set in the correct position in the hierarchy?
ASKER
The GPO is on the domain level but I don't think that would matter since I am trying to loop a local security policy (replace).
OK, not sure I follow either. You put the loopback setting in the Local Policy but have the GPO with the screensaver policy at the domain level? Or do I have it backwards?
ASKER
That is correct. Loopback is on the local security policy and the GPO that the local security policy is supposed to override is on the domain level.
I would use a GPO to enable loopback policy. You then need a GPO at a more specific point (lower than at the domain) to overwrite the domain screensaver policy. Enabling loopback doesn't block policies.
This isn't any different than having a domain GPO to enable screensaver, and then having another GPO on an OU to have a different screensaver policy for the users in that OU.
In my experience, Local policies are pretty useless when you are using Group Policies. I do not know of a way to set them to No-Override so the Domain policy will always overwrite it. Policies are applied in this order. Local - Site - Domain - OUs in descending order.
If you set a policy setting locally and then set the same policy setting in a Group Policy object that applies to the OU (either the user or computer) then it will be overwritten in my experience. However, someone else may know a way around this. I never use Local policies.
I agree with Jeff, local policies will not override a GPO and are somewhat pointless in a domain environment.
If it worked that way anyone with admin rights on the PC could prevent policies from properly applying. For example, the domain admin creates a GPO that forces a screensaver lock screen after 600 seconds (for security reasons); any admin on the local PC could just create a local policy that overrode it and prevent it from locking their PC. This would be a major audit issue if it worked that way.
Maybe go back to the original problem and address it a different way. It sounds like you have some workstations that need an exception to the screensaver policy. Instead of creating a loopback policy, why not create another GPO that disables the screensaver and apply it after the original policy in the hierarchy?
ASKER
I totally get all the points. The reason I set up a loopback for the local security policy is to apply different screensaver settings on a couple of PCs. It was my understanding that the loopback kicks in after all of the GPOs are applied, therefore it should overwrite the screen saver policy.
Is there another way to do this? With security filtering perhaps? There are like 3 computers that I don't want to apply the GPO to. I don't want to move them into a separate OU each time.
You need a new GPO to apply a different screen saver policy. You can use security filtering on the GPO to limit the machines that it applies to. Also apply loopback processing in the same GPO so that the screensaver settings can get applied.
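One way to build the GPO this answer describes, as an added example that is not code from the thread: a single GPO carrying the loopback setting on the computer side and the relaxed screensaver settings on the user side, security-filtered to a group that holds the exception computers. The GPO name, group name and OU distinguished name are assumed placeholders; it needs the RSAT GroupPolicy module and rights to create and link GPOs.

```powershell
# Added example (not from the thread). Assumed names: GPO "ScreenSaver-Exception",
# security group "ScreenSaver-Exceptions" containing the exception computer accounts,
# and a placeholder OU DN where those computers live.
Import-Module GroupPolicy

$GpoName   = 'ScreenSaver-Exception'                 # assumed
$GroupName = 'ScreenSaver-Exceptions'                # assumed: holds the 3 computer accounts
$TargetOu  = 'OU=Workstations,DC=example,DC=com'     # placeholder

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Exception to the domain screensaver lock' }

# Computer Configuration > Policies > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode": 2 = Replace, 1 = Merge.
# In Replace mode the user settings come only from GPOs that apply to the computer,
# so the relaxed settings below (user side) are what the user gets on these machines.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration > Administrative Templates > Control Panel > Personalization:
# "Enable screen saver" and "Password protect the screen saver" both set to Disabled.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '0' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

# Security filtering: only the exception group gets Apply. Authenticated Users is
# dropped to Read (not removed) so the computer account can still read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link it where the computers live. A link below the domain is processed after the
# domain-level screensaver GPO, so for the same setting this GPO wins on these machines.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName
if ($existing -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Check on one exception machine after gpupdate /force and a fresh logon:
#   gpresult /r /scope:computer   -> this GPO under "Applied Group Policy Objects"
#   gpresult /r /scope:user       -> user settings sourced from this GPO via loopback
```

Computers that are not in the group keep the domain screensaver lock unchanged, which is the point of filtering rather than moving machines between OUs.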