SBS 2003 GPO setting exclusion

Discussion in 'Windows Small Business Server' started by Jim, Aug 10, 2010.

  1. Jim

    Jim Guest

    We have modified one of the policy settings on the Small Business Server
    Client Computer policy to modify the screensaver setting, which is a user
    configuration setting.

    However we want to exclude one particular PC, which is based in a reception
    area, a static menu display screen, from this policy setting or if need be
    the whole policy.

    What is the best way of dealing with this ?
    Jim, Aug 10, 2010

  2. Jim

    Jim Guest

    Probably set up another GP which reverses this setting ("disabled") or
    applies a different setting; link this to the correct OU (probably SBS
    Computers?) and apply policy filtering so it's only applied to that
    computer account.
    Jim, Aug 11, 2010

  3. Jim

    Jim Guest

    Had a bit of a go at this...beginning to lose the will to live etc etc..

    Followed some advice from elsewhere.

    Created a new security group 'Screensaver Disabled' and added the particular
    machine 'PC4' which we need to exclude the screensaver settings
    from..rebooted PC4.

    I can see that the PC4 is now listed as a member of this security group..

    Next up created a new GPO called 'No Screensaver' and linked it to:

    My Business>Computers>SBSComputers OU which contains the PC in question,
    PC4, along with all the other PC's obviously..

    Then on this particular GPO 'No Screensaver' removed the 'Authenticated
    Users ' from the Delegation tab and added the security group 'Screensaver

    Then edit the GPO 'No Screensaver' to enable 'Computer
    Configuration\Administrative Templates\System\Group Policies\User group
    policy loopback processing mode'
    and then set it to 'Replace'

    Then edit the 'No Screensaver' GPO and 'Disable' the screensaver..

    Update everything and restart PC4...

    Hmm not working...still has screensaver enabled with settings as modified in
    SBS Client Computers Enabled, sspipes.scr and 90 seconds.

    Gpresult on PC4 returns info under the Computer policies section saying that
    'No Screensaver' policy was not applied because it is Empty ???

    Obviously took a wrong turn somewhere..

    Anyone got any better ideas as to how to do this ?

    Just want to have screensaver policy which applies to all PC's on the SBS
    domain apart from an individual machines which are excluded.
    This needs to be machine based as opposed to user based though I am aware
    that this is a user policy setting as such
    Jim, Aug 11, 2010
  4. Jim

    Jim Guest

    Might security filtering be a better bet ?

    Create a separate GPO for the screensaver settings and then exclude the
    particular PC through security filtering on that GPO ?
    Jim, Aug 11, 2010
  5. Jim

    Kerry Brown Guest

    That should work.
    Kerry Brown, Aug 11, 2010
  6. Jim

    Jim Guest

    Hi Kerry,

    Tried that too, didn't work..

    Is that because it's a user configuration setting as opposed to a computer
    configuration setting and I'm actually trying to exclude/deny a computer in
    the ACL security as such.

    You'd think this ought to be fairly simple but I've read so many conflicting

    I think it needs loopback to be involved somewhere so as to apply a user
    configuration setting back onto the computer as such..

    Anyone got any links to any info on this ?

    Basically we've modified the SBS Client Computer Policy so that under the
    user configuration settings the screensaver is turned on and set to a
    particular timeout.

    However we have a requirement for a certain PC to be excluded from these
    particular settings.

    Should we abandon trying to set this in the SBS Client Policy and setup a
    separate Screensaver Policy ?

    And then use loopback processing ?

    As mentioned before I've had a bit of a foray into that earlier but it
    didn't seem to want to work.

    Some pointers might be helpful.
    Jim, Aug 11, 2010
  7. Jim

    Kerry Brown Guest

    I didn't realise that was a user setting. I should have checked. Yes, you'd
    need to put the computer in a separate OU and use loopback processing in a
    GPO in that OU. Note that when using loopback processing it's a good idea to
    set the deny read permission for that group policy for domain
    administrators. You can lock your self out of the computer if you don't.
    Kerry Brown, Aug 11, 2010
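
The separate-OU loopback setup described in the answer above, as an added example that is not part of the original thread. It assumes a Windows 7 / Server 2008 R2 admin workstation with the RSAT GroupPolicy module, and that the reception PC has already been moved into its own OU; the GPO name and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Names and the DN are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Reception Screensaver'              # hypothetical GPO name
$TargetOu = 'OU=Reception,DC=example,DC=local'   # placeholder DN of the new OU

# Registry locations behind the two administrative-template settings involved.
$SystemKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$DesktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# 1. Create the GPO and link it only to the OU holding the reception PC.
#    Security filtering is left at its default; the OU link does the scoping.
New-GPO -Name $GpoName -Comment 'Loopback: no screensaver on reception PC' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# 2. Computer Configuration: loopback processing mode (1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $GpoName -Key $SystemKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. User Configuration in the same GPO: screensaver disabled.
#    Loopback makes this apply to whoever logs on to computers in the OU.
Set-GPRegistryValue -Name $GpoName -Key $DesktopKey `
    -ValueName 'ScreenSaveActive' -Type String -Value '0' | Out-Null

# 4. Read both settings back from the GPO so an empty or half-built GPO
#    is caught before testing on the PC.
$expected = @(
    @{ Key = $SystemKey;  ValueName = 'UserPolicyMode';   Value = 2   },
    @{ Key = $DesktopKey; ValueName = 'ScreenSaveActive'; Value = '0' }
)
foreach ($e in $expected) {
    $actual = Get-GPRegistryValue -Name $GpoName -Key $e.Key -ValueName $e.ValueName
    # Compare as text; tolerate a trailing NUL on string values.
    $seen  = "$($actual.Value)".Trim([char]0)
    $state = if ($seen -eq "$($e.Value)") { 'OK' } else { 'MISMATCH' }
    '{0,-9} {1}\{2} = {3}' -f $state, $e.Key, $e.ValueName, $seen
}

# The deny entry for domain administrators that the post recommends is set
# on the GPO's Delegation tab in GPMC; it is not scripted here.
```

On the reception PC, run `gpupdate /force`, log off and back on, then check the `gpresult` output for the new GPO.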
  8. Jim

    kj [SBS MVP] Guest

    Found recently that this works better using group policy preferences
    (registry settings) and item level targeting (computer or security group
    with computer members). In my case client had five different sets of screen
    saver computer groups all needing their own specific setting. Moving them
    into separate OU's wasn't an option, and some undesirable loopback processing
    side effects

    Workstations all need to support group policy preferences by OS and required
    patches of course.
    kj [SBS MVP], Aug 11, 2010
  9. Jim

    Jim Guest

    Hi KJ,

    Yes, I've found it somewhat unpredictable too..

    Where's a good resource on the method which you are describing ?

    Also...what's all this about needing to jump ship to a new board ?

    Jim, Aug 11, 2010
  10. Jim

    kj [SBS MVP] Guest

    Well it is predictable, but may not be desirable when the user and the
    computer are in different OU's and there are user policy settings. Loopbacks
    can result in predictable, but unintended results.

    Group policy *preferences* in technet make for a good read. You need to use
    a Win7 (Vista, or 2008+) GPO management and then explore the registry
    settings. HKCU is a workable registry setting and where the Screen Saver
    settings are needed. The next tidbit is the "item level targeting" feature
    of preferences. Basically you are targeting the preference settings at one
    of the many filterable objects - kinda like a WMI filter without the
    overhead and difficulty. Item level targeting should also be covered at
    least to some degree in the Technet Article. In this case you would item
    level target a computer account or a security group with the computer
    account as a group member.

    Newsgroups are closing down. Thought they had already. You will want to
    switch over to the forums. For SBS see my sig line below.
    kj [SBS MVP], Aug 11, 2010
  11. Jim

    kj [SBS MVP] Guest

    kj [SBS MVP], Aug 11, 2010
  12. Jim

    Jim Guest

    This is SBS 2003... first thing I read was that this was new to Windows
    Server 2008..

    Does it apply to 2003 also ?

    Looks good though..

    Jim, Aug 12, 2010
  13. Jim

    Steve Foster Guest

    GP Preferences can be used in a Windows Server 2003 environment, as
    long as you have at least *one* Vista/7/WS2008 (or later) box in there

    You need that because those are the OSs that support creation and
    management of GPP settings (ie you cannot *administer* GPP from an
    SBS2003 box).
    Steve Foster, Aug 12, 2010
  14. Jim

    Jim Guest

    Hi Steve,

    Just checking, I don't think so..

    Is there any mileage in still trying to do this in GPMC in SBS 2003 ?

    We can move the PC in question into a new OU, that wouldn't be a problem.

    I was thinking along the lines of returning the SBS Client Computers GPO
    back to normal, ie removing the screensaver settings and leaving this GPO

    Making a new 'Screensaver Policy' GPO and just creating the settings
    required for the bulk of the domain PC's in there.

    Then making a new OU for the PC in question that requires different
    screensaver settings to the others.

    Move the PC into this OU.

    Then create and link another GPO to this OU called 'Different Screensaver
    Policy' GPO with the different required screensaver settings..

    Then enable loopback processing on this 'Different Screensaver Policy' GPO.

    Then I need to edit the scope or delegates on this GPO don't I ?

    This is where I'm getting a bit confused..

    I gather I need to remove Authenticated Users and somehow add the particular
    PC ?

    Do I add the PC as such or make a security group and put the PC in it and
    then add the security group ?

    I think this is where things are getting mixed up.

    Jim, Aug 12, 2010
  15. Jim

    kj [SBS MVP] Guest

    As Steve said, Preferences need to be done in an uplevel GPMC.

    Because the screen saver settings are user policies they normally apply
    without regard to what computer the user logs on to.

    So, to have one computer get special settings from all users the non GP
    preference method is a loopback policy applied to the computer. That's what
    was described earlier..(Steve?) If you don't have and can't get an up level
    client then that's the approach that will be needed.
    kj [SBS MVP], Aug 12, 2010
  16. Jim

    Steve Foster Guest

    The whole point of Group Policy Preferences is to do a bunch of stuff
    that's really hard in GPO, as well as allowing for optional choices (eg
    you can use GPP to set up defaults, but still allow users to tweak [if
    you wish]).

    If you really want to do this via GPO, don't set it up on computers at
    all. Use a designated, locked-down account for the reception PC
    (something you should be doing anyway), and build the GPO to apply to
    that *user*.

    You really don't want to get into loopback processing when there are
    other simpler methods.
    Steve Foster, Aug 13, 2010
  17. Jim

    Kerry Brown Guest

    I don't know why everyone is averse to loopback processing. It's a very
    effective way to lockdown public computers. I've used it in the exact
    situation the OP describes as well as in libraries, youth centers, etc. Yes,
    the first time you use it, it can be tricky to figure out. Once you figure
    it out it's not that complicated and allows you to lock down a computer or
    group of computers in a very granular manner.

    Kerry Brown
    MS-MVP - Windows Desktop Experience: Systems Administration

    Kerry Brown, Aug 13, 2010
  18. Jim

    Jim Guest

    OK Kerry, I'll give it one last shot..

    Where am I going wrong then ?

    I've a feeling it's down to the permissions on the policy, or perhaps the
    way I'm going about it..

    What steps would you take to try and achieve what I am looking to do ?


    Jim, Aug 13, 2010
  19. Jim

    Jim Guest

    I've read this a couple of times and understand that this is partly what I
    need, but it's a bit brief, I'm wondering if there are any other resources
    which may go into what I'm trying to do in a bit more detail.

    Jim, Aug 13, 2010
  20. Jim

    Jim Guest

    Getting closer...?

    Jim, Aug 13, 2010