Policy not applied to OU in AD

  • General discussion

  • Hello,

    I have organized my computers in AD into OUs. I have one OU called PC_CAMs which houses only one computer, to which I want to apply a policy so the screen saver timeout is set to 8 hours and not, like the rest of the domain, where the timeout is set to one hour.

    I have created a policy called PC CAM LOCK SCREEN and applied it to the PC_CAMs OU. However when I run the rsop on the PC I don't see that this policy is applied and the screen still times out after one hour and not after 8. What am I missing?


    Thank you. Karel Grulich, MCSE, SBS

    Friday, April 19, 2019 3:25 PM

All replies

  • Could you please run gpresult /r from the target machine and post the result?

    Also check the GPO GUID for details and look for the same in the SYSVOL folder; there will be registry setting files whose content can be viewed in Notepad. You can paste the same for further troubleshooting.

    Saturday, April 20, 2019 9:02 PM
  • Hi,

    Thank you for posting here.

    Have you run gpresult to check if this policy is applied or not?

    Please navigate to cmd, run gpresult /r and share the result with us.

    Note: hide private information.

    Do you mean that this is another screen saver timeout policy which is applied to all machines and is set to 1 hour?

    Is that one linked to OU or Domain? Is it enforced?

    More detailed information is needed to narrow down the issue.

    Appreciate your patience in advance.

    Best regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, April 22, 2019 7:30 AM
    Moderator
  • Hello and thank you for the answers.

    1. I'm using the default domain policy for all policies except the one I have created for the one CAM PC where I want that the screen saver will not timeout for 8 hours. Basically I want that PC to stay on for 8 hours and display the cameras.

    2. The CAM policy, as you can see from the picture I originally posted, is applied only to the one OU that houses only that one specific PC. The timeout for the screen saver is set to 8 hours through that policy. However, the policy is not being applied to the PC for some reason.

    3. The policy is not enforced, as when I change it to enforce it doesn't make any difference, and the default policy shows that it is not enforced either but shows as being applied. Please see attached screen shot from gpresult.

    4. The default domain policy is applied to the domain.

    I hope this helps for better understanding. Basically all I really want to achieve is that the CAM PC will stay on for 8 hours and display the cameras without the screen saver coming on and the user having to log on again after only one hour to display the cameras.


    Thank you. Karel Grulich, MCSE, SBS

    Monday, April 22, 2019 5:37 PM
  • Hi,

    Really appreciate your re-clarification.

    Sorry but I am still confused about two points.

    1. If there is no other screen saver timeout policy, why are all machines set to 1 hour? Based on my knowledge, the default screen saver timeout is 15 minutes. Were they manually set to 1 hour without GPO (which is reasonable according to gpresult)?

    2. As I know, screen saver timeout policy is under user configuration. Based on my knowledge and test, user policy cannot be applied to specific computer(s) directly. Loopback policy is needed as well.

    For your reference: https://support.microsoft.com/en-sg/help/231287/loopback-processing-of-group-policy

    Hope that my explanation is clear.

    Best regards,

    Lavilian





    Tuesday, April 23, 2019 8:15 AM
    Moderator
  • The one hour timeout is set through the default domain policy to 3600 seconds (1 hour).

    I'm not sure if the loopback policy applies in this case.

    As I mentioned all I want to do is apply 8 hour timeout to one OU which houses one PC only. The user that logs onto that PC is a local user on that PC but the machine is part of the domain.

    Any chance you can provide the steps to achieve this?


    Thank you. Karel Grulich, MCSE, SBS

    Tuesday, April 23, 2019 5:46 PM
  • Hi,

    Thank you for your reply.

    1. Since the original screen saver timeout policy is linked to the default domain policy GPO, it is applied to all users in the domain. Thus when any user logs on to a machine, the time is 1 hour and there is no need to configure loopback policy.

    2. Since OU is prior to domain in terms of GPO, the new screen saver timeout policy should override unless the original one is enforced or the new one is blocked inheritance.

    As I understand, you want to apply a domain user policy to a domain computer. It is available by configuring both the screen saver timeout policy and loopback process policy. But if you want a local user logging on to the computer to have the 8 hours setting, it is impossible. You should know that although loopback process policy is configured, the setting will be 8 hours only when domain users log on to the computer.

    To achieve your complex requirement, you can only exclude the specific computer from the original screen saver timeout policy and configure the new one in local group policy editor.

    Best regards,

    Lavilian






    Wednesday, April 24, 2019 10:02 AM
    Moderator
  • So from what I read is that I have two options:

    1. Exclude the PC from the domain policy and apply local policy. How do I exclude the PC from the policy?

    2. Use a domain account to logon. Would I then still create the loopback policy or just apply the policy as is? When I login with my domain account I still don't see the policy I created for the 8 hour timeout being applied to the OU? What is missing?


    Thank you. Karel Grulich, MCSE, SBS


    • Edited by karelg719 Wednesday, April 24, 2019 2:48 PM
    Wednesday, April 24, 2019 2:34 PM
  • Hi,

    So sorry that I've said something wrong.

    Based on my test, the domain user policy will not override the local user policy since there is no conflict.

    Are you aiming at making the timeout 8 hours only when local users log on to that machine?

    If yes, you can simply configure this policy in local group policy editor as captured:

    Best regards,

    Lavilian



    Friday, April 26, 2019 9:15 AM
    Moderator
  • OK, I'm giving it a shot and will let you know. Is there any command I can use on the local machine when a local user is logged on that would show me what screen saver timeout is actually applied after modifying the local policy?

    Thank you. Karel Grulich, MCSE, SBS

    Friday, April 26, 2019 5:01 PM
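
    One way to answer the question above, as an added example that is not from any participant in this thread: the PowerShell below, run in the logged-on user's session, reads the screen saver timeout from the standard policy and preference registry locations and reports the loopback mode discussed earlier. The helper name Get-RegValue and the output property names are made up for this example.

```powershell
# Added example: show which screen saver timeout the logged-on user actually gets.
# Run in that user's session (HKCU is per-user); reading needs no elevation.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns nothing ($null) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Written by the "Screen saver timeout" user policy (seconds, stored as a string).
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Written when the timeout is set by hand in the screen saver settings dialog.
$prefKey   = 'HKCU:\Control Panel\Desktop'
# Loopback processing mode, a computer-side policy: 1 = Merge, 2 = Replace.
$systemKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

$policy   = Get-RegValue $policyKey 'ScreenSaveTimeOut'
$pref     = Get-RegValue $prefKey   'ScreenSaveTimeOut'
$secure   = Get-RegValue $policyKey 'ScreenSaverIsSecure'
$loopback = Get-RegValue $systemKey 'UserPolicyMode'

# A policy value, when present, overrides the user's own preference.
$effective = if ($null -ne $policy) { [int]$policy }
             elseif ($null -ne $pref) { [int]$pref }
             else { $null }

[pscustomobject]@{
    User                 = "$env:USERDOMAIN\$env:USERNAME"
    PolicyTimeoutSec     = $policy
    PreferenceTimeoutSec = $pref
    EffectiveHours       = if ($null -ne $effective) { [math]::Round($effective / 3600, 2) } else { 'not set' }
    Source               = if ($null -ne $policy) { 'policy' } elseif ($null -ne $pref) { 'user preference' } else { 'none' }
    PasswordOnResume     = $secure
    LoopbackMode         = switch ($loopback) { 1 { 'Merge' } 2 { 'Replace' } default { 'not configured' } }
} | Format-List

# List the user-scope GPOs that were applied or filtered out for this logon.
gpresult /scope user /r
```

    A PolicyTimeoutSec of 28800 corresponds to 8 hours and 3600 to 1 hour; the gpresult output then shows which user-scope GPOs were processed for that logon.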
  • Even though the local policy has been applied and is clearly applied to local PC, when the local user is logged on, the timeout is still after one hour. So I'm guessing somehow the domain policy takes precedence?

    Thank you. Karel Grulich, MCSE, SBS

    Saturday, April 27, 2019 1:51 AM
  • Hi,

    Sorry for the delay.

    Based on my knowledge, there will be no overriding situation. Would you please navigate to the GPO of screen saver timeout (default domain policy GPO) to check:

    1. If there is also a loopback process policy there linked to that GPO?

    2. If that screen saver timeout policy is under computer configuration or user configuration?

    Best regards,

    Lavilian



    Tuesday, April 30, 2019 10:04 AM
    Moderator
  • 1. I don't see any loopback policy linked to the default domain policy

    2. The screen saver timeout is under user configuration

    I just don't understand why I cannot create a domain policy and apply it to the one OU and set its priority higher than the domain policy on that specific OU to make it work?


    Thank you. Karel Grulich, MCSE, SBS

    Wednesday, May 1, 2019 5:01 PM
  • Hi,

    Thank you for your reply.

    As I explained, user policy cannot be applied to specific computers except that loopback process policy is also linked to that GPO. Domain user policy cannot be applied to local user.

    Yes, your understanding is correct that OU is prior to domain in terms of GPO. However, your requirement is unavailable taking your scenario into account.

    Best regards,

    Lavilian



    Thursday, May 2, 2019 8:08 AM
    Moderator
  • I don't understand. Even if I log on as a domain user the policy is not applied. How do I achieve my goal of having this one PC set to 8 hours timeout?

    Thank you. Karel Grulich, MCSE, SBS

    Thursday, May 2, 2019 3:57 PM
  • Hi,

    Sorry that my clarification is unclear.

    I found an official article which illustrates loopback process policy.

    It might shed some light:

    https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/

    Best regards,

    Lavilian



    Friday, May 3, 2019 9:24 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided above was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Lavilian



    Monday, May 6, 2019 9:08 AM
    Moderator
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Lavilian



    Wednesday, May 8, 2019 2:57 AM
    Moderator
  • What I don't understand is that even though local policy is always processed first and I have set the local policy to 8 hours timeout, the domain policy still seems to be taking precedence and thus I only have 1 hour timeout on that specific PC. I don't think I need to use loopback policy based on how I understand it. Local policy should always be applied first unless something else is "blocking" it from being applied first.

    Any ideas are appreciated.


    Thank you. Karel Grulich, MCSE, SBS

    Monday, May 13, 2019 11:58 PM
  • Hi,

    Based on my knowledge, the order of applying policy is OU>domain>site>local.

    If it isn't urgent, would you mind my changing this thread from question to general discussion to wait for other community members who might be of different opinions to discuss this?

     

    If it is urgent, it is suggested to submit a case to Microsoft for more professional technical support.

     

    The following is a link in the case of submission:

    https://support.microsoft.com/en-us/gp/contactus81?forceorigin=esmc&Audience=Commercial&wa=wsignin1.0

     

    Best regards,

    Lavilian




    Wednesday, May 15, 2019 9:54 AM
    Moderator
  • The link you sent is a paid option. Do you mean we can change this to a general discussion thread? How?

    Thank you. Karel Grulich, MCSE, SBS

    Wednesday, May 22, 2019 2:50 PM
  • Hi,

    Appreciate your understanding.

    I've changed it into general discussion.

    Look forward to helpful discussions from other community members.

    Best regards,

    Lavilian



    Thursday, May 23, 2019 3:05 AM
    Moderator