Re: can't override screen saver policy
- From: "Ken B" <none@xxxxxxxxxxxxx>
- Date: Tue, 26 Jul 2005 13:36:23 -0400
Do you have any policy later in the precedence that says Loopback Processing
= Disabled ? That would be the only thing I could think of that would
explain the behavior.
Ken
<lee.james@xxxxxxxxxxxxx> wrote in message
news:1122398002.779863.111890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi Bruce,
>
> Yes, I figured out that using loopback processing was the answer (Ok, I
> ended up calling MS support). I created a separate OU that had loopback
> processing applied and put the particular systems in the OU. That now
> works fine.
>
> However, what I can't understand and MS can't seem to explain, is why I
> can't enable loopback processing on the local policy of the problem
> systems instead of having to do it at the OU level?
>
> MS keeps saying the order of precedence is the reason, but as I
> understand it, the local gets 'read' first, tells that it's using
> loopback processing - which should then tell it to ignore the user
> settings at the site level, domain level, ou level etc.
>
> J.
>
> Bruce Sanderson wrote:
>> Settings in the User Configuration part of a GPO always apply to User
>> Accounts, not Computer Accounts, so any User Configuration settings you
>> want to apply must be in a GPO that applies to the User's Account, not
>> the Computer's Account.
>>
>> If you actually want some User Configuration settings applied ONLY when
>> users log on to specific computers, then enable Loopback processing in a
>> GPO that is applied to the OU containing those Computer Accounts and put
>> the User Configuration settings into a GPO that applies to that OU. See
>> http://support.microsoft.com/kb/231287/. Note that the User Configuration
>> part of a GPO processed by the Loopback feature is still applied to User
>> Accounts, but only when a (any) user logs on at the computers that GPO
>> applies to. Loopback processing does not actually convert User
>> Configuration settings to Computer Configuration settings.
>>
>> The best way (IMHO) is to establish an OU hierarchy/structure that
>> reflects how you want to manage things and how you want to apply GPOs.
>> One of the major features of AD is the ability to nest OUs and to change
>> the OU structure easily. Settings in GPOs applied at the lower levels in
>> the hierarchy (e.g. NeedScreenSaver in the example below) will take
>> precedence over corresponding settings applied higher in the hierarchy.
>> Take advantage of this feature to make your life easier. In particular,
>> have separate OU hierarchies for User and Computer Accounts (as opposed
>> to having the computer accounts in an OU nested inside the Users OU).
>>
>> E.g.
>> Domain
>> Computers - apply GPO that is to be applied to all computers here
>> NeedScreenSaver - apply GPO with Loopback and Screen Saver settings here
>> Users - apply GPO that is to be applied to all users here
>> SpecialUsers - apply GPO that has settings specific to only some (special) users
>> as opposed to
>> Domain
>> Computers
>> Users
>>
>> --
>> Bruce Sanderson MVP Printing
>> http://members.shaw.ca/bsanders
>>
>> It is perfectly useless to know the right answer to the wrong question.
>>
>>
>>
>> "dcompton" <dcompton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:A1384096-7547-42B2-BEF0-BF17423A72F7@xxxxxxxxxxxxxxxx
>> > I am having the same issue as the original post. I have tried adding
>> > the setting at the OU level which is below the domain level, so that
>> > policy should be applied. However, it seems that this setting is a
>> > user setting. The users are in the user OU which is above the target
>> > computer OU. So they don't get this policy setting. I have also tried
>> > setting the permissions to allow access to only the specific machine
>> > accounts and that has no effect. It only seems to care about the user
>> > portion.
>> >
>> > Anyone have any ideas?
>> >
>> > DC
>> >
>> > "Ken B" wrote:
>> >
>> >> You're right in that the local policy gets applied first. The only
>> >> thing is later settings in the L, S, D, OU order 'win'. So your
>> >> domain policy won out over the local policy... and the domain wins.
>> >>
>> >> If you had a different policy on the OU, that one would win, provided
>> >> your domain policy did not have "No override" or "Enforced" checked
>> >> off.
>> >>
>> >> Easiest way I would think to get those computers to not apply the
>> >> screensaver policy would be to create a security group, add the
>> >> computers to that group, and then give that group Deny permission to
>> >> Read & Apply the policy on the security tab of the policy itself.
>> >> This way you can add/remove/edit the list at your own whim, and
>> >> you'll have a listing of all the computers that won't have that
>> >> policy apply to them.
>> >>
>> >> HTH
>> >>
>> >> Ken
>> >>
>> >> <lee.james@xxxxxxxxxxxxx> wrote in message
>> >> news:1121956401.102170.315600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> >> > We've enabled a mandatory screen saver policy and applied it at the
>> >> > domain level - it works as it's supposed to.
>> >> >
>> >> > There's a handful of machines we don't want this policy to apply to,
>> >> > and we don't want to muck around with GP permissions, or create
>> >> > exception OU's, play with GP deny settings etc.
>> >> >
>> >> > We should just be able to specify a local policy to override (as
>> >> > local is first in order of precedence).
>> >> >
>> >> > However we can't get it to work. Clients are XP SP2.
>> >> >
>> >> > I specify the settings locally, log off and on, tried rebooting as
>> >> > well - but when I check the registry key
>> >> > HKCU\SW\policies\Microsoft\Windows\Control Panel\Desktop it keeps
>> >> > showing the entries from the domain policy.
>> >> >
>> >> > What gives?
>> >> >
>> >>
>> >>
>> >>
>
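
The precedence rules discussed in this thread (L, S, D, OU order, "Enforced" links, and loopback merge/replace per KB 231287) can be worked through in a small model. This is an added example, not code from any poster or from Microsoft, and it is a simplification: the `GPO` class, the `Loopback` key and the sample GPOs are constructed for illustration, and security filtering is not modelled.

```python
from dataclasses import dataclass, field

LEVELS = ["local", "site", "domain", "ou"]  # processing order; later wins

@dataclass
class GPO:
    name: str
    level: str                                    # one of LEVELS
    user: dict = field(default_factory=dict)      # User Configuration
    computer: dict = field(default_factory=dict)  # Computer Configuration
    enforced: bool = False                        # "No Override" / "Enforced"

def resolve(gpos, part):
    """Resolve one half ('user' or 'computer') of a list of GPOs."""
    ordered = sorted(gpos, key=lambda g: LEVELS.index(g.level))
    result = {}
    for g in ordered:
        result.update(getattr(g, part))
    # Enforced links are re-applied afterwards, highest level last, so they win.
    for g in sorted((g for g in ordered if g.enforced),
                    key=lambda g: -LEVELS.index(g.level)):
        result.update(getattr(g, part))
    return result

def effective_user_settings(user_gpos, computer_gpos):
    """user_gpos: GPOs in scope for the user account.
    computer_gpos: GPOs in scope for the computer account."""
    mode = resolve(computer_gpos, "computer").get("Loopback")  # model-only key
    if mode == "replace":      # only the computer's GPO list supplies user settings
        return resolve(computer_gpos, "user")
    if mode == "merge":        # user's list first, then the computer's list on top
        merged = resolve(user_gpos, "user")
        merged.update(resolve(computer_gpos, "user"))
        return merged
    return resolve(user_gpos, "user")

# Constructed sample GPOs mirroring the thread's scenario.
LOCAL = GPO("Local policy", "local", user={"ScreenSaveActive": "0"})
DOMAIN = GPO("Domain screen saver", "domain",
             user={"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1"})
EXEMPT_OU = GPO("Exempt machines", "ou", user={"ScreenSaveActive": "0"},
                computer={"Loopback": "merge"})
DOMAIN_ENFORCED = GPO("Domain screen saver", "domain", enforced=True,
                      user={"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1"})
# A later GPO that turns loopback off again, as asked about in the top reply.
LOOPBACK_OFF = GPO("Loopback disabled", "ou", computer={"Loopback": "disabled"})

if __name__ == "__main__":
    print(effective_user_settings([LOCAL, DOMAIN], [LOCAL, DOMAIN]))
    print(effective_user_settings([LOCAL, DOMAIN], [LOCAL, DOMAIN, EXEMPT_OU]))
```

On a real client, `gpresult` shows which GPOs were actually applied to the user and the computer, which is the quickest way to compare against what the model predicts.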