Screen Saver GPO 2

[Daveyd123]

I have a screen saver GPO set up to lock all PCs after 15 mins of inactivity. It works well.

Here is my situation. I have a user that logs into multiple PCs with her user account and needs the screen saver GPO to NOT apply only to 1 specific PC she logs into.

The problem is, the screen saver GPO is a User Setting and you cannot deny READ to a specific PC. I can deny the user READ to the GPO and the GPO wont be applied....however it wont be applied to ALL PCs she logs into. I need it not to apply to only 1 of the many PCs she logs into.

Any ideas?

 

[basst]

If you enable group policy loopback processing (in Computer Configuration/Administrative Templates/System/Group Policy/User group policy loopback processing mode), you can then apply user settings to an OU containing computers.

What happens is that any user logging on gets their usual GPO applied, and then the one applied to the OU containing the PC they are logging onto replaces the specified settings (assuming that you've configured loopback processing in replace mode).

 

[tfg13]

Good explanation basst! Just have one thing in your explanation that should be highlighted.

What happens is that any user logging on gets their usual GPO applied, and then the one applied to the OU containing the PC they are logging onto replaces the specified settings (assuming that you've configured loopback processing in replace mode).

In other words, place this PC in it's own OU (easiest solution, and we'd really have to think if it's the only one).

 

[tfg13]

Oh yeah, basst, your star is on it's way!

 

[basst]

Thanks tfg13 for your input.

 

[porkchopexpress]

If it's just one computer then you could also enable loopback processing in the local computer settings which would save you having to create a new OU.





When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.