Russ-
I think there is a solution for this. Effectively what you want to do is remove this Reg value completely when a user logs onto a particular machine. To do this, you could write a custom .ADM file to add to the loopback GPO that removes the registry values that this particular policy put in place. ADM syntax supports a VALUE DELETE tag that lets you delete a value when the policy is enabled. The syntax would look something like this for the reg value that controls whether the screen saver is password protected or not:
 
CLASS User
CATEGORY "ScreenSaver"
    POLICY "Undo Active Policy"
        KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"
            ACTIONLISTON
                VALUENAME "ScreenSaverIsSecure"  VALUE DELETE
            END ACTIONLISTON
    END POLICY
END CATEGORY
 
Let me know if that doesn't work. I just threw that together quickly.
 
Darren
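
A check for whether the VALUE DELETE policy above took effect, as an added example that is not part of the original message: run as the affected user after a policy refresh, it reads the per-user policy key from the ADM snippet and reports whether ScreenSaverIsSecure is absent or still present. The function name is hypothetical, and the '1'/'0' data is assumed to be what the Enabled and Disabled states write.

```powershell
# Added example (not from the thread): report the state of the per-user
# screen saver policy value named in the ADM snippet.
function Get-ScreenSaverPolicyState {
    param(
        [string]$Path      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        [string]$ValueName = 'ScreenSaverIsSecure'
    )

    # No policy key at all: nothing is being enforced for this user.
    if (-not (Test-Path -LiteralPath $Path)) {
        return 'Absent: policy key does not exist, user controls the setting'
    }

    # Key exists; check whether this specific value is still under it.
    $props = Get-ItemProperty -LiteralPath $Path
    if ($props.PSObject.Properties.Name -notcontains $ValueName) {
        return 'Absent: value deleted, user controls the setting'
    }

    # Value present: either state keeps the option grayed out for the user,
    # as described in the thread. '1'/'0' data is an assumption.
    switch ([string]$props.$ValueName) {
        '1'     { 'Enforced: password protection on, option grayed out' }
        '0'     { 'Enforced: password protection off, option still grayed out' }
        default { "Present with unexpected data: $($props.$ValueName)" }
    }
}

Get-ScreenSaverPolicyState
```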


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Saturday, May 15, 2004 5:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

So what's the fix?  Do I have to send out .reg files that undo the GPO?  That wouldn't be much fun.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Good question. This stuff gets ugly quick. Just a quick test shows that if I either enable or disable that policy, then it's grayed out for the user, preventing them from changing it in either direction. The problem is that the first GPO to set this owns it, until another one comes along with the opposite setting or until the GPO no longer applies to the computer or user. So, you're in a sort of Catch-22 here where you can't manage it the way you want without using loopback, but the loopback policy doesn't "own" the setting, so you can't simply turn it off the way you want. Even if you first set it to disabled in the loopback policy and then tried to set it to Not Configured, it would still be delivered as enabled to the user via the default domain policy.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

So if we have password protected screensavers enabled, and I want to allow a specific PC to be configured to whatever the currently logged in user wants for a screensaver, do I set it back to "Not configured"?  Or do I have to disable it, wait for it to apply, and then set it back to Not Configured?  How do I go from enabled back to default?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, May 14, 2004 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO troubles
Sensitivity: Private

Russ-
Not Configured essentially means 'do nothing', so to undo an enabled setting, you have to set the downstream GPO to Disabled. In your case, I'm assuming you're controlling the screensaver through User Configuration|Admin Templates. If that's the case, then your deny ACEs need to be on a user group, since it's the users that process this policy.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 14, 2004 12:57 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] GPO troubles
Sensitivity: Private

We have password protected screensavers enabled in our default domain policy, and then at a lower OU level, I have a GPO linked that is set to Screen Savers "Not configured".  Basically, we want all users to have password protected screensavers except a select few machines.
 
So, I created a security group called "No Screensaver" and added computer accounts that we don't want screensavers to be enforced on.  Then I went into our default domain policy, and added deny read and deny apply gpo to this No Screensaver group.  The GPO that IS applied only to the No Screensaver group has all the screen saver settings set to "Not configured" and the Password Protect the Screensaver GPO is "Disabled". 
 
Once a GPO is applied to a PC, do you have to "Disable" it to unapply it, or will setting it to "Not configured" put it back to normal? 
 
I added my computer to this No Screensaver group, and still my screen saver settings and buttons are greyed out and it will not let me change it.
 
Thanks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~