Re: can't override screen saver policy
- From: "John Williams" <JohnWilliams@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 27 Jul 2005 23:45:02 -0700
Can you go into more detail on what you mean?
I am trying to have certain PC's with screen saver timeouts different from
the rest in the office (60Min vs. 10 min.). I have been playing around with
the GPO's trying to make it work for days.
I am looking for detailed instructions on how to implement what is being
discussed in here. Any help would be GREATLY appreciated.
Thanks
"Bruce Sanderson" wrote:
> Settings in the User Configuration part of a GPO always apply to User
> Accounts, not Computer Accounts, so any User Configuration settings you want
> to apply must be in a GPO that applies to the User's Account, not the
> Computer's Account.
>
> If you acutally want some User Configuration settings applied ONLY when
> users log on to specific computers, then enable Loopback processing in a GPO
> that is applied to the OU containing those Computer Accounts and put the
> User Configuration settings into a GPO that applies to that OU. See
> http://support.microsoft.com/kb/231287/. Not that the User Configuration
> part of a GPO processed by the Loopback feature are still applied to User
> Accounts, but only when a (any) user logs on at the computers that GPO
> applies to. Loopback processing does not actaully convert User
> Configuration settings to Computer Configuration settings.
>
> The best way (IMHO) is to establish an OU hierarchy/structure that reflects
> how you want to manage things and how you want to apply GPOs. One of the
> major features of AD is the ability to nest OUs and to change the OU
> structure easily. Settings in GPOs applied at the lower levels in the
> hierarchy (e.g. NeedScreenSaver in the example below) will take precedence
> over corresponding settings applied higher in the heirarchy. Take advantage
> of this feature to make your life easier. In particular, have seperate OU
> hierarchies for User and Computer Accounts (as opposed to having the
> computer accounts in an OU nested inside the Users OU).
>
> E.g.
> Domain
> Computers - apply GPO that is to be applied to all computers here
> NeedScreenSaver - apply GPO with Loopback and Screen Saver settings
> here
> Users - apply GPO that is to be applied to all users here
> SpecialUsers - apply GPO that has settings specific to only some
> (special) users
> as opposed to
> Domain
> Computers
> Users
>
> --
> Bruce Sanderson MVP Printing
> http://members.shaw.ca/bsanders
>
> It is perfectly useless to know the right answer to the wrong question.
>
>
>
> "dcompton" <dcompton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:A1384096-7547-42B2-BEF0-BF17423A72F7@xxxxxxxxxxxxxxxx
> >I am having the same issue and the original post. I have tried adding the
> > setting at the OU level which is below the domain level, so that policy
> > should be applied. However, it seems that this setting is a user setting.
> > The users are in the user OU which is above the target computer OU. So
> > they
> > don't get this policy setting. I have also tried setting the permissions
> > to
> > allow access to only the specific machine accounts and that has no effect.
> > It only seems to care about the user portion.
> >
> > Anyone have any ideas?
> >
> > DC
> >
> > "Ken B" wrote:
> >
> >> You're right in that the local policy gets applied first. The only thing
> >> is
> >> later settings in the L, S, D, Ou order 'win'. So your domain policy won
> >> out over the local policy... and the domain wins.
> >>
> >> If you had a different policy on the OU, that one would win, provided
> >> your
> >> domain policy did not have "No override" or "Enforced" checked off.
> >>
> >> Easiest way I would think to get those computers to not apply the
> >> screensaver policy would be to create a security group, add the computers
> >> to
> >> that group, and then give that group Deny permission to Read & Apply the
> >> policy on the security tab of the policy itself. This way you can
> >> add/remove/edit the list at your own whim, and you'll have a listing of
> >> all
> >> the computers that won't have that policy apply to them.
> >>
> >> HTH
> >>
> >> Ken
> >>
> >> <lee.james@xxxxxxxxxxxxx> wrote in message
> >> news:1121956401.102170.315600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >> > We've enabled a mandatory screen saver policy and applied it at the
> >> > domain level - it works as it's supposed to.
> >> >
> >> > There's a handful of machines we don't want this policy to apply to,
> >> > and we don't want to muck around with GP permissions, or create
> >> > exception OU's, play with GP deny settings etc.
> >> >
> >> > We should just be able to specify a local policy to override (as local
> >> > is first in order or precedence).
> >> >
> >> > However we can't get it to work. Clients are XP SP2.
> >> >
> >> > I specify the settings locally, log off and on, tried rebooting as well
> >> > - but when I check the registry key
> >> > HKCU\SW\policies\Microsoft\Windows\Control Panel\Desktop it keeps
> >> > showing the entries from the domain policy.
> >> >
> >> > What gives?
> >> >
> >>
> >>
> >>
>
>
>
.
- References:
- can't override screen saver policy
- From: lee . james
- Re: can't override screen saver policy
- From: Ken B
- Re: can't override screen saver policy
- From: dcompton
- Re: can't override screen saver policy
- From: Bruce Sanderson
- can't override screen saver policy
- Prev by Date: Firewall setting at XP
- Next by Date: Re: can't override screen saver policy
- Previous by thread: Re: can't override screen saver policy
- Next by thread: Re: can't override screen saver policy
- Index(es):
Relevant Pages
|
