Re: Loopback processing not working
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Wed, 23 Jan 2008 07:59:09 -0600
Well you could just deny the right to apply the policy for the screen saver
to those machines you don't want it to apply against. The easiest way would
be to create a security group, place the computers in this group and then
deny this policy.
There is no need for a second policy; what is probably happening is the
first one is higher in priority so it never attempts to apply the second
one.
From http://technet2.microsoft.com/windowsserver/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true
"At the level of each organizational unit in the Active Directory hierarchy,
one, many, or no GPOs can be linked. If several GPOs are linked to an
organizational unit, their processing is in the order that is specified by
the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed
last, and therefore has the highest precedence."
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"ToChuck123" <ToChuck123@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:30456165-3CD0-41D9-8BE3-3B5A723409B2@xxxxxxxxxxxxxxxx
Hi all. I tried replying to a similar thread, but that doesn't seem to have
worked so I'm trying to post a new thread.
Here is the situation (it is almost identical to the situation described by
scott7).
Our workplace is increasing its security policies and we want everyone to
have their computer lock out after 15 min of inactivity (going to the
screensaver). However, there are some lab computers that should not follow
this rule as there are safety concerns.
I understand that loopback processing within a policy is the route to go for
this situation, and I have read up on it and tried to implement it. However,
I have not had any success with it.
Here is what I have done:
- I have a screensaver policy that is filtered to 3 security groups which
cover just about everyone in our Active Directory. Here is a list of
settings:
Administrative Templates
  Control Panel/Display
    Policy                                 Setting
    Password protect the screen saver      Enabled
    Screen Saver                           Enabled
    Screen Saver executable name           Enabled
      Screen Saver executable name: scrnsave.scr
    Policy                                 Setting
    Screen Saver timeout                   Enabled
      Number of seconds to wait to enable the Screen Saver: Seconds: 900
This policy works (much to the chagrin of most of our employees).
- I have a second policy that I'm using to "turn off" the screensaver policy
via loopback processing. As I am testing, I'm not disabling the screensaver,
but rather specifying a different one so that the changes are apparent. Once
I get it working properly, I'll change it so that the screensaver is
disabled. The policy is applied to my computer (not a group, but when I get
it working I'll apply it to a group of computers we want to disable the
screensaver). Here are the settings for that policy:
Computer Configuration (Enabled)
  Administrative Templates
    System/Group Policy
      Policy                                        Setting
      User Group Policy loopback processing mode    Enabled
        Mode: Merge
User Configuration (Enabled)
  Administrative Templates
    Control Panel/Display
      Policy                                 Setting
      Password protect the screen saver      Disabled
      Screen Saver                           Enabled
      Screen Saver executable name           Enabled
        Screen Saver executable name: ssstars.scr
      Policy                                 Setting
      Screen Saver timeout                   Disabled
When I use the modeling wizard, using my AD username, my computername, and
enabling loopback processing, the simulation reports that both policies are
being applied. However, when I log into my computer (using my AD username)
the "turn off" policy is not overriding the "turn on" policy (i.e. I don't
get the stars screensaver). If I change the security filtering to my AD
username (rather than my computername), I get the stars screensaver. But, of
course, this is not what I need to happen.
From what I've read from Microsoft and the various forums on the net, the
loopback processing should be pretty straightforward. I have no idea what
I'm missing here. I've had one of our other IT network people work with me
on this and neither of us see what we are doing wrong.
Any help would be most appreciated.
Thanks in advance
Chuck
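
The link-order rule in the TechNet quote and the Merge-mode loopback setting from the question, as an added Python model that is not part of either post. The GPO names and the OU layout are hypothetical, security filtering is not modelled (both GPOs are assumed to apply, as the modeling wizard reported), and the "replace" branch goes beyond the Merge mode used in the thread.

```python
# Added illustration: GPO names and OU layout are hypothetical; the setting
# values are the ones listed in the post. Security filtering is NOT modelled.
GPOS = {
    "ScreenSaverOn": {
        "Password protect the screen saver": "Enabled",
        "Screen Saver": "Enabled",
        "Screen Saver executable name": "scrnsave.scr",
        "Screen Saver timeout": "900 seconds",
    },
    "LoopbackTest": {
        "Password protect the screen saver": "Disabled",
        "Screen Saver": "Enabled",
        "Screen Saver executable name": "ssstars.scr",
        "Screen Saver timeout": "Disabled",
    },
}

def processing_order(links):
    """links: (link_order, gpo_name) pairs for one OU; lowest link order runs last."""
    return [name for _, name in sorted(links, reverse=True)]

def resolve_user_settings(user_ou_links, computer_ou_links, loopback=None):
    """Return {setting: (value, winning_gpo)} for the User Configuration side."""
    if loopback == "replace":    # only the computer's GPO list is used
        order = processing_order(computer_ou_links)
    elif loopback == "merge":    # user's list first, computer's list last
        order = processing_order(user_ou_links) + processing_order(computer_ou_links)
    else:                        # normal processing: user's list only
        order = processing_order(user_ou_links)
    result = {}
    for gpo in order:            # a later GPO overwrites an earlier one
        for setting, value in GPOS[gpo].items():
            result[setting] = (value, gpo)
    return result

if __name__ == "__main__":
    user_ou = [(1, "ScreenSaverOn")]      # linked where the user account lives
    computer_ou = [(1, "LoopbackTest")]   # linked where the lab computer lives
    for mode in (None, "merge"):
        print("loopback =", mode)
        resolved = resolve_user_settings(user_ou, computer_ou, mode)
        for setting, (value, gpo) in resolved.items():
            print(f"  {setting}: {value}  (from {gpo})")
    # Both GPOs linked to the same OU, no loopback: link order 1 wins.
    same_ou = [(1, "ScreenSaverOn"), (2, "LoopbackTest")]
    print(resolve_user_settings(same_ou, [])["Screen Saver executable name"])
```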