How to exclude computers from a group policy that locks computers after a specific amount of minutes.

    Question

  • I have created a group policy that locks computers after a specific amount of minutes.  This works fine. I also have an exclusion list (security group) for users that need to be excluded from this policy.  My problem is that I cannot add computers to this security group so that anyone that logs in to that particular computer gets excluded from the policy.  Is this possible?

    Thanks


    Wednesday, March 02, 2016 12:57 AM

All replies

  • Check out the link below:

    Add a computer account to a group
    https://technet.microsoft.com/en-us/library/cc780108(v=ws.10).aspx


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, March 02, 2016 1:28 AM
  • Looks like I did not ask the right question. The computer is added to the security group which is added to the GPO.  In the delegation, the security group is set to DENY on Apply Group Policy.  This works fine for users but not for the computer in question. How can I set up the GPO to exclude computers from running the policy?
    Wednesday, March 02, 2016 4:06 AM
  • Hi Noe,

    To clarify, you have configured User Configuration in a GPO linked to the User OU, but you do not want these settings to apply when users who belong to the User OU log onto particular computers.

    If yes, to achieve your goal, you could create an OU and add these particular computers to the OU. Then you create a GPO linked to the computer OU and enable loopback processing.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 02, 2016 7:19 AM
    Moderator
  • Check out the link below:

    https://blog.brankovucinec.com/2015/07/17/how-to-exclude-a-group-policy-object-gpo-to-users-or-a-security-group/



    Wednesday, March 02, 2016 9:09 AM
  • > My problem is that I cannot add computers to this security group so that
    > anyone that logs in to that particular computer gets excluded from the
    > policy.  is this possible?
     
    Yes, if you implement some GPP Registry items with item-level targeting.
    Check my blog post on how to do similar things with the screen saver -
    it works identically for your requirement:
     
     
    BTW: I would NOT recommend using loopback - most times, loopback
    introduces more problems than it solves :)
     
    Wednesday, March 02, 2016 11:42 AM
  • Had both user and computer in the same OU and tested the GPO with loopback enabled. Did not work.

    Will create a WMI Query "root\CIMv2 = Select * from win32_computersystem where name="client-1" = False" but want to know if my settings are correct or if there is anything else I need to do to exclude computers from this policy.

    Thursday, March 03, 2016 12:22 AM
  • Hi Noe,

    Would you tell us which mode you have selected?

    Best Regards.

    Jay



    Monday, March 07, 2016 7:22 AM
    Moderator
  • Using GPO with loopback did not work.  I also tried using WMI filtering but couldn't get it to work.  With WMI filtering, it did not like the "= FALSE" statement.  I think I am missing something.  Any help with this, I would appreciate it.  Thanks
    Sunday, March 13, 2016 11:51 PM
  • > will create a WMI Query "root\CIMv2 = Select * from win32_computersystem
    > where name="client-1" = False"
     
    You cannot invert WMI filters:
     
    Monday, March 14, 2016 10:54 AM
  • Did you read the Screen saver post I gave above? Use GPP Registry with
    Item Level Targeting :)
     
    Monday, March 14, 2016 10:54 AM
  • Hi Noe,

    You can use Group Policy Loopback (Replace) for this issue, it seems. Please try this and check it out.

    Monday, March 14, 2016 11:54 AM
  • I have added the WMI Filtering and used query "root\CIMv2 = Select * from win32_computersystem where name = "client-1".

    Also added in the GPO, under the delegation tab, a security group which has computer "client-1" as a member of this group.  The permission set on this security group is Read = "allow" and Apply group policy = "deny".

    This configuration did not work.  I don't have Loopback enabled as I have this timeout policy set at root OU.  Don't want to affect other policies.  Question - can I just create a loopback policy and just target the computer OU?  Would this work?

    Monday, March 14, 2016 11:48 PM
  • Hi Noe,

    You can't exclude like that, it seems, if you have applied it to the default domain policy. My opinion is to create a separate GPO for account lockout and give a policy exception for those specific machines.

    Tuesday, March 15, 2016 7:04 AM
  • > also added in the GPO, under the delegation tab, a security group which
    > has computer "client-1" as a member of this group.  the permission set
    > on this security group is Read = "allow" and Apply group policy = "deny".
     
    There's absolutely no sense in denying a computer "apply" for user
    settings - the computer will never try to apply user settings.
     
    Tuesday, March 15, 2016 8:48 AM
  • Martin,

    What I don't want is for the timeout (screensaver) policy to be applied on certain computers no matter who logs in to those computers.  The policy needs to be applied to all users except on those computers.

    When I applied the WMI filter as stated above, it removed the policy for everyone.  Could not do further testing.  As Ravi said, might have to apply it to sub OUs.  But the problem will still be that I cannot exclude computers from this policy.  It only works for Users.

    Tuesday, March 15, 2016 7:43 PM
  • > computers.  the policy needs to be applied to all users except on those
    > computers.
     
    Yes - and what's the issue? ILT for security group - "computer is NOT a
    member"
     
    > when I applied the wmi filter as stated above, it removed the policy for
     
    You should not do this with a WMI filter - that will not work.
     
    Read again (did you even read it?) what I posted here
    and here
     
     
    Wednesday, March 16, 2016 10:41 AM
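
A way to check on a given workstation whether the "computer is NOT a member" targeting suggested in the thread has the intended effect, as an added example that is not part of any post above. Assumptions: the group name `CONTOSO\ScreenLock-Exempt-Computers` is hypothetical, and the lock is delivered as the per-user screen saver policy registry values.

```powershell
# Added example; run as the logged-on user on the workstation being checked.
param(
    # Hypothetical name for the security group holding the exempt computers.
    [string]$ExemptGroup = 'CONTOSO\ScreenLock-Exempt-Computers'
)

function Get-ComputerGroupSid {
    # tokenGroups is a constructed AD attribute listing the SIDs of every
    # security group the account belongs to, nested memberships included.
    $filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $result = ([adsisearcher]$filter).FindOne()
    if (-not $result) { throw "No AD computer account found for $env:COMPUTERNAME" }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

# Resolve the group name to a SID and test the computer's membership.
$account  = New-Object System.Security.Principal.NTAccount($ExemptGroup)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$isExempt = @(Get-ComputerGroupSid) -contains $groupSid

# Assumption: the lock is delivered as the per-user screen saver policy values.
$key    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$locked = [bool]($values -and $values.ScreenSaveActive -eq '1' -and
                 $values.ScreenSaverIsSecure -eq '1')

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    ExemptGroup      = $ExemptGroup
    ComputerIsMember = $isExempt
    LockPolicyInHKCU = $locked
    TimeoutSeconds   = if ($values) { $values.ScreenSaveTimeOut } else { $null }
    # Exempt computers should show no lock values; all others should show them.
    AsExpected       = ($isExempt -ne $locked)
}
```

The script reads membership from the directory, so it reports what AD holds at the moment it runs; `AsExpected` being false on a machine points at the targeting or at values left behind by an earlier policy.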