Policy loopback causes domain-level policies to reapply



Background:

We're using 2000 domain controllers in a mixed environment of 2000/2003
servers and 2000/XP desktops.

Our domain tree looks like this:

Domain container
|-- (Screen Saver Policy)
|-- Desktops
| `-- (Package Deployment Policy)
|-- Screensaver Disabled Users
| `-- (Screensaver Disabled Policy)
|-- Servers
|-- Users (default container)

Our computers are split between the Desktops and Servers OUs, depending on
their function. Our users are mostly in the Users default container, except
for a handful who are in the "Screensaver Disabled Users" OU.

What we're trying to do is deploy client tools to the desktop computers
during user login. We don't want these tools to install on servers, so we
placed the deployment policy under the Desktops OU. Since this policy
contains user-based settings under a computers-only OU, we turned on Loopback
for this policy. (This is the only way to get it to go, right?)

The trouble is that this seems to come back around and reapply all the
policies from the domain on down to the Deployment policy. When this
happens, the "Screensaver Disabled" users receive an overwrite of the
domain-wide Screensaver policy, which turns the screensaver back on for them.
Does this sound like normal operation?

Since the Users object is a default container, it can't have policies
applied directly to it. This is why the Screensaver policy is applied to the
domain. If necessary, I guess we could create a new Users OU and place all
our screensaver-enabled users in it, shifting the policy to that level -- but
we see this as a last resort to be done only if absolutely unavoidable. Is
there a way to prevent the domain-wide policies from being reapplied when
loopback is active on a single policy?

TIA for any help,

Kevin
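
The following is an added example, not part of the original post: a small Python model of the OU tree described above that computes which user-side GPOs are processed, and in what order, with loopback off, in Merge mode and in Replace mode. It assumes the documented loopback behaviour (Merge processes the user's GPO chain and then the computer's chain; Replace processes only the computer's chain) and goes beyond the post by covering both modes; the setting names `ScreenSaveActive` and `ClientTools` and their values are constructed for illustration.

```python
# Constructed model of the OU tree in the post; setting names/values are hypothetical.
GPO_LINKS = {  # container path -> [(GPO name, user-side settings)]
    "Domain": [("Screen Saver Policy", {"ScreenSaveActive": "1"})],
    "Domain/Desktops": [("Package Deployment Policy", {"ClientTools": "assigned"})],
    "Domain/Screensaver Disabled Users": [
        ("Screensaver Disabled Policy", {"ScreenSaveActive": "0"})],
    "Domain/Servers": [],
    "Domain/Users": [],  # default container: cannot have GPOs linked to it
}

def gpo_chain(location):
    """GPOs from the domain root down to `location`, in processing order."""
    parts = location.split("/")
    chain = []
    for depth in range(1, len(parts) + 1):
        chain.extend(GPO_LINKS.get("/".join(parts[:depth]), []))
    return chain

def user_policy(user_loc, computer_loc, loopback=None):
    """Return (resultant user settings, ordered list of GPO names processed).

    loopback is None (off), "merge" or "replace".
    """
    if loopback == "replace":
        chain = gpo_chain(computer_loc)               # user's own GPOs are ignored
    elif loopback == "merge":
        chain = gpo_chain(user_loc) + gpo_chain(computer_loc)  # computer's chain last
    elif loopback is None:
        chain = gpo_chain(user_loc)
    else:
        raise ValueError("loopback must be None, 'merge' or 'replace'")
    result = {}
    for _name, settings in chain:
        result.update(settings)                       # later GPO wins on conflict
    return result, [name for name, _ in chain]

if __name__ == "__main__":
    user = "Domain/Screensaver Disabled Users"
    for mode in (None, "merge", "replace"):
        settings, order = user_policy(user, "Domain/Desktops", mode)
        print(f"loopback={mode}: {order} -> {settings}")
```

In this model the domain-linked Screen Saver Policy appears twice in the Merge-mode list, the second time after the Screensaver Disabled Policy, which matches the symptom described in the post.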