Group Policy Problem

[Jen]

I have set up a group policy that sets a default screen save and
removed the screen saver tab if looking at display properies. This
policy is is based on username.

At one time, ServerA was logged in with a username that the policy
applies to and the policy took affect.

We didn't actually want this policy to apply to this server so we
changed the logon account to an account that is outside of the OU with
the screen saver policy.

When running gpresults, the screen saver policy is NOT listed a policy
that is applied to this machine. However, the computer locks out every
30 minutes and does not display the screen saver tab as per the policy.
I have tried runing gpupdate and that has not helped.

Is there something else I can do to disable this policy on this
machine?

thanks,
Jen

 

[ptwilliams]

The screensaver policies are user specific. Logon as a user than can change
the screensaver and make the necessary changes.

 

[Jen]

Tried that already. The account that the server logs in with is
'Administrator'. It should be able to do anything. I found the
registry key that allows me to see the screen saver tab but the options
are greyed out and cannot be changed.

I tried logging in as myself and the group policy applied as I
expected. gpresults also showed the correct policies.

When I logged off and then back on as administrator, I still couldn't
change the screen saver settings. The administrator account is in an
OU with no policies appied.

Jen

 

[Jen]

OH yeah,

I have also tried disabling the policy and that hasn't worked either.

Jen

 

[ptwilliams]

I guess you'll have to change the registry settings that control screensaver
timeout. I can't remember these off the top of my head, as it's been a long
time since I've played with that kind of thing. I'll have a look through
some of my old notes and see if I can find it for you.

When I logged off and then back on as administrator, I still couldn't
change the screen saver settings. The administrator account is in an OU
with no policies applied.

That's worrying. Are you saying that the screensaver tab is still hidden?
Sounds like a case of registry tattooing, although I wouldn't have thought
such a simple .adm would do this. Can you clarify if this is what you mean?
Or do you mean that changes to the timeout by the administrator are not
applied to the system when in a non-logged on state?

 

[Jen]

What I mean is that when I log in as 'administrator' the screen saver
policy seems to be applied. I cannot change see the screen saver tab
and the screen saver tab goes into affect after the 30 minute timeout
that was applied.

I did find the registry setting that allows me to see the screen saver
tab but I cannot edit any of the values. I'll see if I can find the
registry settings for the rest of the fields.

thanks.

 

[Jen]

Well,

I found the registry settings and modified them to disable the screen
saver. I did this while logged in as administrator.

I can made the changes but they do not stick. Next time I look at the
same registry key, the values go back to what they were.

I'm starting to think I'll need to rebuilt the server.

 

[Guest]

Hey Jen,
Have you tried using a loopback policy? Microsoft does not recommend using
alot of these, but we've found that the server OU is a perfect place for
them. Typically we don't want user policies appling on these boxes.
Basically, the loopback (with replace) tells it to ignore any user settings
from the user's policy and use the user settings from the machine's policy
(specifically the one with the loopback setting).

 

[ptwilliams]

Good point. You could try applying the settings to the computer via
Loopback.

To summarise what daluebb stated, loopback processing reads the user policy
and applies it as computer policy. There are two modes to this merge and
replace --the option (as a GPO setting) will explain more.