exclude policy with user settings from certain computers

    Question

  • I need to set a screen lockout time for most computers in my domain.  This is a User Config setting.  There is a subset of computers that should not get this setting.  However any user could potentially log into any computer & I want them to get the correct setting for the computer they are logged into.

    ComputerOU – all computers reside here, including those in the ExcludeGroup

    ExcludeGroup – computers that should not get the screen lockout setting

    My plan:

    Create a GPO with the screen lockout setting

    Enable Loopback Processing in Replace mode

    Link the GPO to the ComputerOU

    Scope the GPO to Domain Computers

    Under Security Filtering, DENY the ExcludeGroup

    Before I set all this up, is there an easier way to accomplish this task?

    Thx

    Wednesday, March 23, 2016 7:42 PM

Answers

  • Hi,

    Thanks for your post.

    Regarding your requirement, using security filtering to apply the GPO to a particular security group that contains the computers you specified is the easiest way. I think your plan is good enough.

    Using Security Filtering to Apply GPOs to Selected Groups

    https://technet.microsoft.com/en-us/library/cc728301(v=ws.10).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by meetoo2 Monday, March 28, 2016 2:21 PM
    Thursday, March 24, 2016 5:53 AM
    Moderator
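
The plan from the question, scripted with the GroupPolicy and ActiveDirectory PowerShell modules as an added example (not code from this thread or from Microsoft). The GPO name, OU path and 900-second timeout are hypothetical, and the screen-saver policy values are assumed to be the "screen lockout" setting meant. The default Authenticated Users entry is left in place because loopback user settings are processed in the logged-on user's security context.

```powershell
# Added example: names, paths and the timeout value are hypothetical.
Import-Module GroupPolicy, ActiveDirectory

$GpoName      = 'Screen Lockout (loopback)'          # hypothetical GPO name
$ComputerOU   = 'OU=ComputerOU,DC=example,DC=com'    # hypothetical DN of ComputerOU
$ExcludeGroup = 'ExcludeGroup'                       # group holding the exempt computers
$Desktop      = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$System       = 'HKLM\Software\Policies\Microsoft\Windows\System'

$gpo = New-GPO -Name $GpoName

# User Configuration: password-protected screen saver after 900 seconds
# (assumed to be the "screen lockout" setting; the values are strings).
Set-GPRegistryValue -Name $GpoName -Key $Desktop -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Desktop -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Desktop -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900' | Out-Null

# Computer Configuration: loopback processing, 2 = Replace (1 = Merge).
Set-GPRegistryValue -Name $GpoName -Key $System -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Deny the "Apply Group Policy" extended right to the exempt computers.
# Set-GPPermission has no Deny level, so the ACE is added on the GPO's AD object.
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$sid      = (Get-ADGroup -Identity $ExcludeGroup).SID
$adPath   = "AD:\$($gpo.Path)"
$acl      = Get-Acl -Path $adPath
$deny     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Deny,
                $applyGpo)
$acl.AddAccessRule($deny)
Set-Acl -Path $adPath -AclObject $acl

# Link last, so the GPO is never live without the Deny entry.
New-GPLink -Name $GpoName -Target $ComputerOU | Out-Null

# Review the resulting security filtering on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission, Denied
```

On a test computer, `gpresult /h report.html` run as the logged-on user after the next policy refresh and logon shows whether the User Configuration settings arrived.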

All replies

  • > Before I set all this up, is there an easier way to accomplish this task?
     
    Yes there is :-)
     
     
    Thursday, March 24, 2016 7:51 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Monday, March 28, 2016 1:59 AM
    Moderator
  • Yes, thx!
    Monday, March 28, 2016 2:22 PM
  • Actually this is not working.  When I run gpresult, the policy shows as applying to the machine, but the User settings are not listed on the settings tab.
    Monday, March 28, 2016 3:55 PM
  • Hi,

    Would you please collect the GPResult report and paste it directly in our forum so that we can analyze it further?

    Thanks for your cooperation.

    Best Regards,

    Alvin Wang


    Tuesday, March 29, 2016 7:30 AM
    Moderator