Domain Policy for ScreenSaver Passwords 1

Status
Not open for further replies.
Feb 20, 2002
64
US
Okay, here is the deal.

I am the network administrator for an agency that is requiring screen savers to be set on ALL machines with varying times according to their location. I wish to administer this by Group Policy. We have High Risk Areas, Medium Risk Areas, and Low Risk Areas.

High Risk Computer = Screensaver Lock after 2 Minutes
Medium Risk Computer = Screensaver Lock after 5 Minutes
Low Risk Computer = Screensaver Lock after 10 Minutes

I thought I could easily set up some OUs and bang out the solution really quick. Unfortunately, the policy that administrates this setting is a USER CONFIGURATION policy. The problem is the Risk Assessments are on the COMPUTERS and not their USERS. Meaning, if I tried to configure it as such (with users), it would make it possible for a "Low Risk (10 minute)" user to operate a "High Risk (2 minute) computer" and violate corporate policy.

The only way I can think of to get by this is to configure the policy locally, which isn't really all that fun. I'd much rather be able to do it from the Domain Controller. Does anyone know of a way I can do this?
 
Use the GPO to assign a value to a temporary registry key, then use a login script that copies this key value into the user profile?

Alex
 
Look into Loopback Processing on the policies. We have the exact same setup in our network. (You wouldn't work for a hospital system would you???)

Loopback Processing:

-Computer Config
-Admin Templates
-System
-Group Policy

We actually log the users out after different periods of inactivity using winexit.scr

Looking at your post again - Just because you are setting a user policy doesn't mean you have to apply it to user accounts. We have an OU structure for the PC accounts that we apply policies to. Anybody that logs into one of our locked down machines gets the same policy regardless of what OU their user account is in. The only exception to this is our Desktop Team.
 
qtin, I do work for a healthcare organization....*cough*HIPAA*cough*sigh*

Are you working off of a FULL Windows 2003 Domain?

I remember trying to implement "Loopback Processing" and I vaguely recall needing a Windows 2003 Domain to do it (I could be wrong).

I'm working with a Windows 2000 domain at the moment.
 
Okay...I'm really getting pissed here.

There are a lot of USER Configuration settings at the domain level that I wish I could make PER-COMPUTER versus PER-USER.

I have a Terminal Server which I want to be FREE from any and all USER settings, yet when I put it into its own OU and give it its own GPO and use "block policy inheritance", IT STILL INHERITS THE DEFAULT DOMAIN USER POLICY. Good Grief!! Why?? --- because I need to have individual users configured.

Granted, I am a neophyte, at best, with the Active Directory stuff....but seriously, I see a setting here that says: "Make Proxy-Settings per-machine (rather than per-user)"

Why the heck couldn't they do this for screensavers and other policies of the like??

:: sigh ::

h e l p!
 
I feel your pain about HIPAA (as everybody else wonders in a state of bliss what we are talking about)

Don't try to do everything in the Default Domain Policy. Make itty bitty ones that do one thing and do them well. We have different policies to install software, lock down clinical machines, redirect start menus ....... you get the picture. I actually can't see our default domain policy - I'm not a Domain Admin. I just have a lot of power for a lowly desktop tech.

I'm willing to bet I'm wrong, but I didn't think you could block the default policy.

You don't need 2003 to use loopback. We used it just fine when we were 2000.

To give you an idea of our PC OU structure:
-Domain
  -Workstations
    -Hospital 1,2,3
      -Nursing
      -OR
      -Public Areas
      -Offices
      ......
    -Hospital 4 (Red headed stepchild)
      -Nursing
      -OR
      .....

Need to lock down a nursing station at hospital 1???
We just apply our lockdown and nursing redirection policy to the nursing OU. Move the machine's domain account out of the default computers OU and into the Nursing OU. Then anybody that logs into the PC will be locked down and booted out of the PC when the screen saver kicks in.
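
The approach described in this thread (loopback processing plus GPOs linked to computer OUs), applied to the three risk tiers from the opening post, as an added example that is not code from any poster. It assumes a management host with the GroupPolicy PowerShell module (RSAT), which is newer than the Windows 2000 domain discussed here; the domain DN, OU names and GPO names are hypothetical placeholders.

```powershell
# Added example: per-computer screen saver lock using Group Policy loopback.
# Assumption: run by an admin on a host with the GroupPolicy module installed.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'   # hypothetical domain

# Timeouts from the opening post: 2, 5 and 10 minutes, expressed in seconds.
# The OU paths are hypothetical; they must hold the COMPUTER accounts.
$tiers = @(
    @{ Name = 'High';   Seconds = 120; Ou = "OU=HighRisk,OU=Workstations,$domainDn" },
    @{ Name = 'Medium'; Seconds = 300; Ou = "OU=MediumRisk,OU=Workstations,$domainDn" },
    @{ Name = 'Low';    Seconds = 600; Ou = "OU=LowRisk,OU=Workstations,$domainDn" }
)

# Registry locations written by the corresponding Administrative Templates.
$loopKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$userKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

foreach ($tier in $tiers) {
    $gpoName = "ScreenSaver-Lock-$($tier.Name)Risk"   # hypothetical GPO name
    New-GPO -Name $gpoName -Comment 'Per-computer screen saver lock' | Out-Null

    # Computer Configuration: turn on loopback processing.
    # UserPolicyMode 1 = Merge (computer-OU user settings win on conflict),
    #                2 = Replace (the user's own user-side GPOs are ignored).
    Set-GPRegistryValue -Name $gpoName -Key $loopKey `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

    # User Configuration: these apply to whoever logs on to a computer in the OU.
    $userValues = [ordered]@{
        'ScreenSaveActive'    = '1'                    # enable the screen saver
        'ScreenSaverIsSecure' = '1'                    # require password on resume
        'ScreenSaveTimeOut'   = [string]$tier.Seconds  # idle time in seconds
        'SCRNSAVE.EXE'        = 'scrnsave.scr'         # force the blank screen saver
    }
    foreach ($name in $userValues.Keys) {
        Set-GPRegistryValue -Name $gpoName -Key $userKey `
            -ValueName $name -Type String -Value $userValues[$name] | Out-Null
    }

    # Link the GPO to the OU containing the computer accounts for this tier.
    New-GPLink -Name $gpoName -Target $tier.Ou -LinkEnabled Yes | Out-Null
}

# To check on a client after moving its computer account into a tier OU:
#   gpupdate /force
#   gpresult /r /scope user
```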
 
qtin, you are my IT savior. As a lowly desktop tech, you really know your stuff. I really appreciate your help. This has opened an entire new realm for me that I thought I understood...but now I REALLY understand. Thanks again.

One leetle question of concern about the USER -> Admin Template -> Desktop Policies:

Why when I use "Hide and disable all items on the desktop", it kills the Wallpaper too?? Don't you think there should be a way to "Hide" all the icons but leave the wallpaper intact?

Basically what I want to do is set up a policy for computers who will be using Terminal Services. I want the wallpaper to be there, but I want NOTHING to be on the desktop. Any ideas?

Hmmmmm......Custom Desktop!! Nevermind.... *blush*
 