Help with a (probably) simple GPO/Loopback Policy config

  • Question

  • Hey folks,

    Getting back into some policy administration, I think I need some help wrapping my head around a scenario.

    Computers are in OU "Computers".  Computer GPO is linked to OU, with user policy empty and disabled.  My computer policy locks the computers after 5 minutes of inactivity.

    Users in OU "Users".  User GPO is linked to OU, with computer policy empty and disabled.

    1) I have a computer on the shop floor that needs to be exempt from locking when user "shop" is logged in.

    2) ALL other users that might login to this device SHOULD have the 5 minute screen lock applied.

    Thoughts on the best way to accomplish?

    thanks!

    Friday, January 26, 2018 10:57 PM

All replies

  • Hi,
     
    On 26.01.2018 at 23:57, GMPWP01 wrote:
    > 2) ALL other users that might login to this device SHOULD have the 5
    > minute screen lock applied.
     
    - create User config "Disable Screensaver" GPO
    - link to Computer OU
    - enable Loopback on Computer OU
    - filter "Disable Screensaver" to apply ONLY to "Shop", leave AuthUsers
    with READ permissions on the object. (be aware of MS16-072!)
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Sunday, January 28, 2018 10:34 AM
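
The steps in the reply above, sketched with the GroupPolicy PowerShell module as an added example (not code from the thread or its participants). The OU path, the separate `Enable Loopback` GPO name, Merge mode and the user-side screen saver registry values are assumptions; the exemption only takes effect when the lock itself is delivered by user-side screen saver policy.

```powershell
# Added example: all names and paths below are placeholders/assumptions.
Import-Module GroupPolicy

$ExemptGpo  = 'Disable Screensaver'                 # GPO name from the reply
$LoopGpo    = 'Enable Loopback'                     # hypothetical second GPO
$ComputerOU = 'OU=Computers,DC=example,DC=com'      # placeholder DN of the computer OU
$ShopUser   = 'shop'                                # account to exempt
$UserKey    = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$LoopKey    = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1) User-configuration GPO: screen saver off, no password on resume.
New-GPO -Name $ExemptGpo | Out-Null
Set-GPRegistryValue -Name $ExemptGpo -Key $UserKey `
    -ValueName 'ScreenSaveActive' -Type String -Value '0' | Out-Null
Set-GPRegistryValue -Name $ExemptGpo -Key $UserKey `
    -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

# 2) Security filtering: only the shop account gets Apply. Authenticated
#    Users is reduced to Read (not removed) so the computer account can
#    still read the GPO, which MS16-072 requires for user policy.
Set-GPPermission -Name $ExemptGpo -TargetName $ShopUser `
    -TargetType User -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $ExemptGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3) Loopback lives in its own GPO with default filtering, because it is a
#    computer setting and the computer must be allowed to apply it.
#    UserPolicyMode: 1 = Merge (assumed here), 2 = Replace.
New-GPO -Name $LoopGpo | Out-Null
Set-GPRegistryValue -Name $LoopGpo -Key $LoopKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4) Link both GPOs to the computer OU.
New-GPLink -Name $LoopGpo   -Target $ComputerOU -LinkEnabled Yes | Out-Null
New-GPLink -Name $ExemptGpo -Target $ComputerOU -LinkEnabled Yes | Out-Null

# 5) Review the resulting ACL: expect GpoApply for the shop account and
#    GpoRead for Authenticated Users.
Get-GPPermission -Name $ExemptGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After a `gpupdate /force` and a fresh logon on the target machine, `gpresult /r /scope user` run as each account shows whether "Disable Screensaver" was applied or filtered out for that user.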
  • Hi,

     

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

     

    Best Regards,

    William



    Tuesday, January 30, 2018 9:10 AM
  • Thanks for the feedback.  I'm close, but not quite home.

    1) Created "Disable Screensaver" GPO, with the following settings: (GPO status "enabled" both on the computer and user configuration sides)

    --Interactive Logon: Machine inactivity limit: 0 Seconds

    --Configure user Group Policy loopback processing mode: Enable, Replace

    --DID NOT disable either Computer or User side of GPO

    2)  Filtered "Disable Screensaver" GPO to apply only to "SHOP" user. (made sure authusers had read on delegation tab)

    3) Linked GPO to "Exceptions" OU (where SHOPCOMP computer resides)

    As configured above, when I logon from SHOPCOMP as "Shop", User side of GPO applies successfully (no actual settings), but Computer side gets denied with security filtering as reason.

    If I logon to SHOPCOMP  as "Greg", same results as above.

    If I add computer SHOPCOMP to security filter, logon as "Shop", setting successfully applies.  However, it also applies if I logon to that computer as "Greg" or any other user (bad).

    thoughts?

    thanks,

    gre

    Tuesday, January 30, 2018 10:39 PM
  • On 30.01.2018 at 23:39, GMPWP01 wrote:
    > --Interactive Logon: Machine inactivity limit: 0 Seconds
     
    THAT'S(!) a computer configuration!
    It will take effect on ALL(!) users logging in.
    If you have a monitoring system or a machine that should always show
    the desktop, it's a really good way to prevent screensaver/lockscreen.
    BUT it cannot be configured user-dependent.
     
    Use this, link it directly to the machine account OU and you are done.
     
    Loopback is only needed if you define USER configuration that should be
    linked to a computer OU.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    GET Privacy and DISABLE Telemetry on Windows 10 - gp-pack PaT
     
    Wednesday, January 31, 2018 7:05 AM
  • 1) I have a computer on the shop floor that needs to be exempt from locking when user "shop" is logged in.
    2) ALL other users that might login to this device SHOULD have the 5 minute screen lock applied.

    http://evilgpo.blogspot.de/2012/03/how-to-save-my-screen.html

    Wednesday, January 31, 2018 12:41 PM
  • Thanks Mark.

    That's unfortunate, because we have people that occasionally login to that device using their own account.  In these cases, I WANT the 5 minute screen saver lock to kick in, because their accounts have more privileges in the environment than the shop floor account.  If that's not possible, I guess I'll just restrict login on that device to the shop floor userid.

    greg

    Thursday, February 1, 2018 2:28 PM