Re: can't override screen saver policy



John,

Create an OU, create a Group Policy for that OU....set loopback
processing (Computer Configuration\Administrative Templates\System\Group
Policy - User Group Policy loopback processing mode - Enable it, select
Replace).

Then go into the User config container and set the options you want
(eg. Hide Control Panel).

Save the Group Policy you created.

Move the systems you want Loopback processing enabled into this new OU
and either wait for things to get updated or force using either secedit
or GPUpdate.

Now when any user logs into a system that's in that OU they will have
the same settings applied.

That will be $500 :)

J.

John Williams wrote:
> What instructions did Microsoft give you to follow? Can you share with
> everyone on what you did to resolve this issue? I am facing the same issue
> and any help would be GREATLY appreciated.
>
> Thanks!
>
>
> "lee.james@xxxxxxxxxxxxx" wrote:
>
> > Hi Bruce,
> >
> > Yes, I figured out that using loopback processing was the answer (Ok, I
> > ended up calling MS support). I created a separate OU that had loopback
> > processing applied and put the particular systems in the OU. That now
> > works fine.
> >
> > However, what I can't understand and MS can't seem to explain, is why I
> > can't enable loopback processing on the local policy of the problem
> > systems instead of having to do it at the OU level?
> >
> > MS keeps saying the order of precedence is the reason, but as I
> > understand it, the local gets 'read' first, tells that it's using
> > loopback processing - which should then tell it to ignore the user
> > settings at the site level, domain level, ou level etc.
> >
> > J.
> >
> > Bruce Sanderson wrote:
> > > Settings in the User Configuration part of a GPO always apply to User
> > > Accounts, not Computer Accounts, so any User Configuration settings you want
> > > to apply must be in a GPO that applies to the User's Account, not the
> > > Computer's Account.
> > >
> > > If you actually want some User Configuration settings applied ONLY when
> > > users log on to specific computers, then enable Loopback processing in a GPO
> > > that is applied to the OU containing those Computer Accounts and put the
> > > User Configuration settings into a GPO that applies to that OU. See
> > > http://support.microsoft.com/kb/231287/. Note that the User Configuration
> > > part of a GPO processed by the Loopback feature are still applied to User
> > > Accounts, but only when a (any) user logs on at the computers that GPO
> > > applies to. Loopback processing does not actually convert User
> > > Configuration settings to Computer Configuration settings.
> > >
> > > The best way (IMHO) is to establish an OU hierarchy/structure that reflects
> > > how you want to manage things and how you want to apply GPOs. One of the
> > > major features of AD is the ability to nest OUs and to change the OU
> > > structure easily. Settings in GPOs applied at the lower levels in the
> > > hierarchy (e.g. NeedScreenSaver in the example below) will take precedence
> > > over corresponding settings applied higher in the hierarchy. Take advantage
> > > of this feature to make your life easier. In particular, have separate OU
> > > hierarchies for User and Computer Accounts (as opposed to having the
> > > computer accounts in an OU nested inside the Users OU).
> > >
> > > E.g.
> > > Domain
> > >     Computers - apply GPO that is to be applied to all computers here
> > >         NeedScreenSaver - apply GPO with Loopback and Screen Saver settings here
> > >     Users - apply GPO that is to be applied to all users here
> > >         SpecialUsers - apply GPO that has settings specific to only some (special) users
> > > as opposed to
> > > Domain
> > > Computers
> > > Users
> > >
> > > --
> > > Bruce Sanderson MVP Printing
> > > http://members.shaw.ca/bsanders
> > >
> > > It is perfectly useless to know the right answer to the wrong question.
> > >
> > >
> > >
> > > "dcompton" <dcompton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:A1384096-7547-42B2-BEF0-BF17423A72F7@xxxxxxxxxxxxxxxx
> > > >I am having the same issue as the original post. I have tried adding the
> > > > setting at the OU level which is below the domain level, so that policy
> > > > should be applied. However, it seems that this setting is a user setting.
> > > > The users are in the user OU which is above the target computer OU. So they
> > > > don't get this policy setting. I have also tried setting the permissions to
> > > > allow access to only the specific machine accounts and that has no effect.
> > > > It only seems to care about the user portion.
> > > >
> > > > Anyone have any ideas?
> > > >
> > > > DC
> > > >
> > > > "Ken B" wrote:
> > > >
> > > >> You're right in that the local policy gets applied first. The only thing is
> > > >> later settings in the L, S, D, Ou order 'win'. So your domain policy won
> > > >> out over the local policy... and the domain wins.
> > > >>
> > > >> If you had a different policy on the OU, that one would win, provided your
> > > >> domain policy did not have "No override" or "Enforced" checked off.
> > > >>
> > > >> Easiest way I would think to get those computers to not apply the
> > > >> screensaver policy would be to create a security group, add the computers to
> > > >> that group, and then give that group Deny permission to Read & Apply the
> > > >> policy on the security tab of the policy itself. This way you can
> > > >> add/remove/edit the list at your own whim, and you'll have a listing of all
> > > >> the computers that won't have that policy apply to them.
> > > >>
> > > >> HTH
> > > >>
> > > >> Ken
> > > >>
> > > >> <lee.james@xxxxxxxxxxxxx> wrote in message
> > > >> news:1121956401.102170.315600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > > >> > We've enabled a mandatory screen saver policy and applied it at the
> > > >> > domain level - it works as it's supposed to.
> > > >> >
> > > >> > There's a handful of machines we don't want this policy to apply to,
> > > >> > and we don't want to muck around with GP permissions, or create
> > > >> > exception OU's, play with GP deny settings etc.
> > > >> >
> > > >> > We should just be able to specify a local policy to override (as local
> > > >> > is first in order of precedence).
> > > >> >
> > > >> > However we can't get it to work. Clients are XP SP2.
> > > >> >
> > > >> > I specify the settings locally, log off and on, tried rebooting as well
> > > >> > - but when I check the registry key
> > > >> > HKCU\SW\policies\Microsoft\Windows\Control Panel\Desktop it keeps
> > > >> > showing the entries from the domain policy.
> > > >> >
> > > >> > What gives?
> > > >> >
> > > >>
> > > >>
> > > >>
> >
> >
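
The procedure in the reply at the top of this thread (OU, GPO with loopback in Replace mode, move the computers, refresh policy), as an added PowerShell example that is not part of the original posts. It assumes a management host with the ActiveDirectory and GroupPolicy RSAT modules; the domain DN, GPO name, computer name and setting values are hypothetical placeholders.

```powershell
# Added example, not from the thread. Placeholders are marked as such.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'            # placeholder domain
$ouName   = 'NeedScreenSaver'              # OU name used in Bruce's sketch
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Loopback - Screen Saver'      # hypothetical GPO name
$computer = 'KIOSK01'                      # hypothetical computer account

# 1. Create the OU that will hold the computer accounts, and an empty GPO.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
New-GPO -Name $gpoName | Out-Null

# 2. Computer Configuration: enable loopback processing.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. User Configuration: the settings any user should get on these computers.
#    Values below are constructed samples (lock after 900 seconds).
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = @{
    ScreenSaveActive    = '1'
    ScreenSaverIsSecure = '1'
    ScreenSaveTimeOut   = '900'
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $desk `
        -ValueName $name -Type String -Value $settings[$name] | Out-Null
}

# 4. Link the GPO to the OU and move the computer account into it.
New-GPLink -Name $gpoName -Target $ouDn | Out-Null
Get-ADComputer -Identity $computer | Move-ADObject -TargetPath $ouDn

# 5. Refresh policy remotely instead of waiting for the background cycle.
Invoke-GPUpdate -Computer $computer -Force

# 6. Check on the target computer, as the logged-on user, after next logon:
#    the same key the original poster inspected should now show these values.
Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' |
    Select-Object ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut
```

`gpresult /r` on the target computer lists which GPOs were applied to the user and the computer, which shows whether the OU-linked GPO was picked up.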
