Loopback Processing - Computer Account Filtering

    Question

  • Hello,

    In my lab I have a GPO called "Enforce Screensaver" linked to my "Contoso Users" OU that enforces the screensaver after 10 minutes of inactivity. 

    I have a "Contoso Workstations" OU that contains all of my user workstations. I want to target a handful of these workstations and prevent them from inheriting the "Enforce Screensaver" GPO regardless of who logs in.

    At the moment I have created a security group called "No Screensaver". This group contains the workstations I want to block the screensaver on. I then have a GPO called "Disable Screensaver". That GPO is linked to the "Contoso Workstations" OU and has a security filter targeting the "No Screensaver" security group. The Authenticated Users group has been removed from the filter. The GPO contains 2 settings:

    • Computer Configuration - Enable User Group Policy loopback processing mode : Merge
    • User Configuration - Enable screen saver : Disabled

    Currently this does not work. The gpresults shows the computer is in the group and shows the GPO has been applied on the computer configuration side.

    Is this not a supported configuration?


    Tuesday, November 10, 2015 5:19 PM

Answers

  •  That GPO is linked to the "Contoso Workstations" OU and has a security filter targeting the "No Screensaver" security group. The Authenticated Users group has been removed from the filter. The GPO contains 2 settings:


    Security filtering the GPO on the "No Screensaver" computer security group is of course correct, but you must also add a relevant user group to the security filter, because it is a User Configuration setting that is distributed.  N.B. it is also correct to remove "Authenticated Users" because that group contains both users and computers.

    The least restrictive user group would be "Domain Users".


    Rolf Lidvall, Swedish Radio (Ltd)


    Wednesday, November 11, 2015 8:19 AM
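
The fix described in the answer, as an added example that is not part of the original thread: a PowerShell sketch that reads the security filter of the "Disable Screensaver" GPO and adds any missing group, so that both the computer group and a user group hold Apply rights. It assumes the GroupPolicy module (RSAT / Group Policy Management) is installed and that the GPO and group names match those in the question.

```powershell
# Added example (not from the original thread).
# Assumes the GroupPolicy module is available and the names below exist in the domain.
Import-Module GroupPolicy

$gpoName       = 'Disable Screensaver'   # GPO from the question
$computerGroup = 'No Screensaver'        # computer security group from the question
$userGroup     = 'Domain Users'          # user group suggested in the answer

# Trustees that currently hold "Apply group policy" (the GPO's security filter)
$filter = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

# Loopback needs the computer to apply the Computer Configuration half
# and the logged-on user to apply the User Configuration half.
foreach ($group in $computerGroup, $userGroup) {
    if ($filter -contains $group) {
        Write-Output "OK: '$group' is already in the security filter of '$gpoName'"
    }
    else {
        Write-Output "Adding '$group' to the security filter of '$gpoName'"
        Set-GPPermission -Name $gpoName -TargetName $group `
            -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
}

# Show the resulting security filter for review
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } },
                  TrusteeType, Permission

# Then, on one of the targeted workstations, as the logged-on user:
#   gpupdate /force
#   gpresult /r /scope user
```

After the refresh, the user-scope `gpresult` output on a targeted workstation should list "Disable Screensaver" among the applied GPOs rather than among those filtered out.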