Re: can't override screen saver policy



Settings in the User Configuration part of a GPO always apply to User
Accounts, not Computer Accounts, so any User Configuration settings you want
to apply must be in a GPO that applies to the User's Account, not the
Computer's Account.

If you actually want some User Configuration settings applied ONLY when
users log on to specific computers, then enable Loopback processing in a GPO
that is applied to the OU containing those Computer Accounts and put the
User Configuration settings into a GPO that applies to that OU. See
http://support.microsoft.com/kb/231287/. Note that the User Configuration
part of a GPO processed by the Loopback feature is still applied to User
Accounts, but only when a (any) user logs on at the computers that GPO
applies to. Loopback processing does not actually convert User
Configuration settings to Computer Configuration settings.

The best way (IMHO) is to establish an OU hierarchy/structure that reflects
how you want to manage things and how you want to apply GPOs. One of the
major features of AD is the ability to nest OUs and to change the OU
structure easily. Settings in GPOs applied at the lower levels in the
hierarchy (e.g. NeedScreenSaver in the example below) will take precedence
over corresponding settings applied higher in the hierarchy. Take advantage
of this feature to make your life easier. In particular, have separate OU
hierarchies for User and Computer Accounts (as opposed to having the
computer accounts in an OU nested inside the Users OU).

E.g.
Domain
    Computers - apply GPO that is to be applied to all computers here
        NeedScreenSaver - apply GPO with Loopback and Screen Saver settings here
    Users - apply GPO that is to be applied to all users here
        SpecialUsers - apply GPO that has settings specific to only some (special) users
as opposed to
Domain
Computers
Users

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"dcompton" <dcompton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A1384096-7547-42B2-BEF0-BF17423A72F7@xxxxxxxxxxxxxxxx
> I am having the same issue as the original post. I have tried adding the
> setting at the OU level which is below the domain level, so that policy
> should be applied. However, it seems that this setting is a user setting.
> The users are in the user OU which is above the target computer OU. So they
> don't get this policy setting. I have also tried setting the permissions to
> allow access to only the specific machine accounts and that has no effect.
> It only seems to care about the user portion.
>
> Anyone have any ideas?
>
> DC
>
> "Ken B" wrote:
>
>> You're right in that the local policy gets applied first. The only thing is
>> later settings in the L, S, D, Ou order 'win'. So your domain policy won
>> out over the local policy... and the domain wins.
>>
>> If you had a different policy on the OU, that one would win, provided your
>> domain policy did not have "No override" or "Enforced" checked off.
>>
>> Easiest way I would think to get those computers to not apply the
>> screensaver policy would be to create a security group, add the computers to
>> that group, and then give that group Deny permission to Read & Apply the
>> policy on the security tab of the policy itself. This way you can
>> add/remove/edit the list at your own whim, and you'll have a listing of all
>> the computers that won't have that policy apply to them.
>>
>> HTH
>>
>> Ken
>>
>> <lee.james@xxxxxxxxxxxxx> wrote in message
>> news:1121956401.102170.315600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> > We've enabled a mandatory screen saver policy and applied it at the
>> > domain level - it works as it's supposed to.
>> >
>> > There's a handful of machines we don't want this policy to apply to,
>> > and we don't want to muck around with GP permissions, or create
>> > exception OU's, play with GP deny settings etc.
>> >
>> > We should just be able to specify a local policy to override (as local
>> > is first in order of precedence).
>> >
>> > However we can't get it to work. Clients are XP SP2.
>> >
>> > I specify the settings locally, log off and on, tried rebooting as well
>> > - but when I check the registry key
>> > HKCU\SW\policies\Microsoft\Windows\Control Panel\Desktop it keeps
>> > showing the entries from the domain policy.
>> >
>> > What gives?
>> >
>>
>>
>>
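
The loopback layout from the reply at the top of this thread, scripted as an added example (not part of any post in the thread). It assumes the GroupPolicy and ActiveDirectory PowerShell modules, a constructed domain `example.com`, a hypothetical GPO name, and that `Computers` and `NeedScreenSaver` are real OUs as in the post's diagram; Merge mode is chosen here so the loopback GPO's user settings are processed after the user's own GPOs.

```powershell
# Added example. Domain DN, GPO name and timeout are constructed/hypothetical.
# GPOs cannot be linked to the default CN=Computers / CN=Users containers,
# so "Computers" below must be an OU, as in the post's diagram.
Import-Module GroupPolicy, ActiveDirectory

$domainDn  = 'DC=example,DC=com'                 # constructed domain
$computers = "OU=Computers,$domainDn"
$targetOu  = "OU=NeedScreenSaver,$computers"
$gpoName   = 'Loopback - Screen Saver'           # hypothetical GPO name

# Create the nested OU that will hold the affected computer accounts.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$targetOu'")) {
    New-ADOrganizationalUnit -Name 'NeedScreenSaver' -Path $computers
}

New-GPO -Name $gpoName | Out-Null

# Computer Configuration side: enable loopback processing.
# UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User Configuration side: screen saver policy values. These still land in
# the logged-on user's HKCU policy key, which is why loopback is needed
# for a GPO that is linked to a computer OU.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = [ordered]@{
    ScreenSaveActive    = '1'      # screen saver enabled
    ScreenSaverIsSecure = '1'      # password required on resume
    ScreenSaveTimeOut   = '600'    # seconds (constructed value)
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $desktopKey `
        -ValueName $name -Type String -Value $settings[$name] | Out-Null
}

# Link the GPO to the computer OU only.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# On a computer in that OU, after a user logs on, the GPO should appear
# in the user scope of the resultant set of policy:
gpresult /scope user /r
```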

