Now the question beckons, is loopback processing something that should be applied on a regular basis with 100 little sub ou's all containing exceptions? No, absolutely not. If you have that situation reconsider your ou structure and placement of Group Policies.
Here is the loopback processing article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287
On May 14, 2004, at 4:46 PM, Creamer, Mark wrote:
<x-tad-bigger>Yep, that would work if the *</x-tad-bigger><x-tad-bigger>users</x-tad-bigger><x-tad-bigger>* were in the OU, but your goal is to isolate the machines from the policy regardless of who the user is. We do this for our Win2K based video-conferencing systems. The execs kept getting annoyed when the monitor went into locked screensaver right in the middle of a video conference. Go figure ;-)</x-tad-bigger>
<x-tad-bigger> </x-tad-bigger>
<mc>
<x-tad-bigger>-----Original Message-----</x-tad-bigger>
<x-tad-bigger>From:</x-tad-bigger><x-tad-bigger> Rimmerman, Russ [mailto:[EMAIL PROTECTED]</x-tad-bigger>
<x-tad-bigger> </x-tad-bigger><x-tad-bigger>Sent:</x-tad-bigger><x-tad-bigger> Friday, May 14, 2004 4:38 PM</x-tad-bigger>
<x-tad-bigger>To:</x-tad-bigger><x-tad-bigger> '[EMAIL PROTECTED]'</x-tad-bigger>
<x-tad-bigger>Subject:</x-tad-bigger><x-tad-bigger> RE: [ActiveDir] GPO troubles</x-tad-bigger>
<x-tad-bigger>Sensitivity:</x-tad-bigger><x-tad-bigger> Private</x-tad-bigger>
<x-tad-bigger>I just thought you could avoid creating an OU mess by using the security permissions (apply gpo, deny gpo) on each GPO properties.</x-tad-bigger>
<x-tad-bigger>From:</x-tad-bigger><x-tad-bigger> [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] </x-tad-bigger><x-tad-bigger>On Behalf Of </x-tad-bigger><x-tad-bigger>Creamer, Mark</x-tad-bigger>
<x-tad-bigger>Sent:</x-tad-bigger><x-tad-bigger> Friday, May 14, 2004 3:20 PM</x-tad-bigger>
<x-tad-bigger>To:</x-tad-bigger><x-tad-bigger> [EMAIL PROTECTED]</x-tad-bigger>
<x-tad-bigger>Subject:</x-tad-bigger><x-tad-bigger> RE: [ActiveDir] GPO troubles</x-tad-bigger>
<x-tad-bigger>Sensitivity:</x-tad-bigger><x-tad-bigger> Private</x-tad-bigger>
<x-tad-bigger>I don't think so - screen savers are configured on the user, and you want to limit by the machine. That's why the Loopback policy, and the reason for segregating the machines in a separate OU. Others please chime in if I'm wrong though...</x-tad-bigger>
<mc>
<x-tad-bigger>-----Original Message-----</x-tad-bigger>
<x-tad-bigger>From:</x-tad-bigger><x-tad-bigger> Rimmerman, Russ [mailto:[EMAIL PROTECTED]</x-tad-bigger>
<x-tad-bigger> </x-tad-bigger><x-tad-bigger>Sent:</x-tad-bigger><x-tad-bigger> Friday, May 14, 2004 4:14 PM</x-tad-bigger>
<x-tad-bigger>To:</x-tad-bigger><x-tad-bigger> '[EMAIL PROTECTED]'</x-tad-bigger>
<x-tad-bigger>Subject:</x-tad-bigger><x-tad-bigger> RE: [ActiveDir] GPO troubles</x-tad-bigger>
<x-tad-bigger>Sensitivity:</x-tad-bigger><x-tad-bigger> Private</x-tad-bigger>
<x-tad-bigger>Is it absolutely necessary to create a whole seperate GPO for these computers? Seems like it will create an administrative nightmare. Can't you just deny access to the default domain GPO and it won't apply the screen saver settings?</x-tad-bigger>
<x-tad-bigger>From:</x-tad-bigger><x-tad-bigger> [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] </x-tad-bigger><x-tad-bigger>On Behalf Of </x-tad-bigger><x-tad-bigger>Creamer, Mark</x-tad-bigger>
<x-tad-bigger>Sent:</x-tad-bigger><x-tad-bigger> Friday, May 14, 2004 3:04 PM</x-tad-bigger>
<x-tad-bigger>To:</x-tad-bigger><x-tad-bigger> [EMAIL PROTECTED]</x-tad-bigger>
<x-tad-bigger>Subject:</x-tad-bigger><x-tad-bigger> RE: [ActiveDir] GPO troubles</x-tad-bigger>
<x-tad-bigger>Sensitivity:</x-tad-bigger><x-tad-bigger> Private</x-tad-bigger>
<x-tad-bigger>Russ, I believe what you need to do is set up an OU and put those machines in it. Then set the group policy Computer Configuration setting User Group Policy Loopback processing mode. Set the Screen Saver policy accordingly in the User Configuration section.</x-tad-bigger>
<x-tad-bigger> </x-tad-bigger>
<x-tad-bigger>Then users who log in to those machines should no longer be subject to the policy that enforces the screen saver</x-tad-bigger>
<mc>
<x-tad-bigger>-----Original Message-----</x-tad-bigger>
<x-tad-bigger>From:</x-tad-bigger><x-tad-bigger> Rimmerman, Russ [mailto:[EMAIL PROTECTED]</x-tad-bigger>
<x-tad-bigger> </x-tad-bigger><x-tad-bigger>Sent:</x-tad-bigger><x-tad-bigger> Friday, May 14, 2004 3:57 PM</x-tad-bigger>
<x-tad-bigger>To:</x-tad-bigger><x-tad-bigger> '[EMAIL PROTECTED]'</x-tad-bigger>
<x-tad-bigger>Subject:</x-tad-bigger><x-tad-bigger> [ActiveDir] GPO troubles</x-tad-bigger>
<x-tad-bigger>Sensitivity:</x-tad-bigger><x-tad-bigger> Private</x-tad-bigger>
<x-tad-bigger>We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured". Basically, we want all users to have password protected screensavers except a select few machines.</x-tad-bigger>
<x-tad-bigger>So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on. Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group. The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". </x-tad-bigger>
<x-tad-bigger> </x-tad-bigger>
<x-tad-bigger>Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? </x-tad-bigger>
<x-tad-bigger> </x-tad-bigger>
<x-tad-bigger>I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.</x-tad-bigger>
<x-tad-bigger> </x-tad-bigger>
<x-tad-bigger>Thanks</x-tad-bigger>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.
This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.
This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.
This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
