Multiple AD Group Policy Screen Lock Policies

I am looking to have multiple screen lock policies, one for X minutes and one for Y minutes. Is this possible, and how can I configure this?

Yes you can do this. A few ways are possible. From memory the screen saver policy is user based rather than computer based.
You can create two GPOs and configure the screensaver setting you want in both. Then you can do one of two things.
1. Apply each policy to a different OU where the users reside.
2. Create two security groups, one for each GPO. Then remove the authenticated users group from the GPO security settings and add your new security group to the GPO and give it read and apply group policy. Then add your users to whichever group you want.
Apply the GPOs to either a user OU, or domain level - whichever works best.
Regards,
Denis Cooper
MCITP EA - MCT
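
The second option from the answer above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original post; the GPO names, group names, timeouts and target OU are assumptions. It differs from the answer in one respect: Authenticated Users is kept with Read only rather than removed, because since the MS16-072 update user GPOs are read in the computer's security context and will not apply if the computer cannot read them.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: every name and value below is an assumption for illustration.
$TargetDn = 'OU=Staff,DC=example,DC=com'   # hypothetical OU holding the user accounts
$Policies = @(
    @{ Gpo = 'ScreenLock-10min'; Group = 'GG-ScreenLock-10min'; Seconds = 600;  Order = 1 },
    @{ Gpo = 'ScreenLock-30min'; Group = 'GG-ScreenLock-30min'; Seconds = 1800; Order = 2 }
)

# Registry location written by the user-side screen saver policies
# (User Configuration > Administrative Templates > Control Panel > Personalization).
$Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

foreach ($p in $Policies) {
    # One security group per GPO, used only for security filtering.
    New-ADGroup -Name $p.Group -GroupScope Global -GroupCategory Security -Path $TargetDn
    New-GPO -Name $p.Gpo | Out-Null

    $values = [ordered]@{
        ScreenSaveActive    = '1'               # Enable screen saver
        ScreenSaverIsSecure = '1'               # Password protect the screen saver
        ScreenSaveTimeOut   = "$($p.Seconds)"   # Timeout in seconds
        'SCRNSAVE.EXE'      = 'scrnsave.scr'    # Force specific screen saver
    }
    foreach ($name in $values.Keys) {
        Set-GPRegistryValue -Name $p.Gpo -Key $Key -ValueName $name `
            -Type String -Value $values[$name] | Out-Null
    }

    # Security filtering: only the dedicated group gets Read + Apply.
    Set-GPPermission -Name $p.Gpo -TargetName $p.Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Downgrade Authenticated Users from Apply to Read instead of deleting it.
    Set-GPPermission -Name $p.Gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Lower link order wins if a user ends up in both groups,
    # so the stricter (shorter) timeout is linked first.
    New-GPLink -Name $p.Gpo -Target $TargetDn -Order $p.Order | Out-Null
}

# Review the resulting delegation on each GPO.
$Policies | ForEach-Object { Get-GPPermission -Name $_.Gpo -All }
```

Run `gpresult /r` as a member of each group after the next policy refresh to confirm which of the two GPOs was applied and which was filtered out.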

Similar Messages

  • Group Policy and GroupWise Attachments

    My company uses the "Run only allowed Windows Applications" feature from Group Policy to lock down what can be run on our workstations. We have 2 main policies, a standard (lockdown) policy and an admin (open) policy.
    Ever since a 7.0.2 GroupWise client/server upgrade, under my lockdown policy some of my users have complained that when they click the attachment button in GroupWise it no longer goes to the location of the last attached document, instead it goes to a default location. It might be the D drive, the GroupWise directory, it changes from computer to computer. I have confirmed that this is the behavior of the lockdown policy, and when I switch to the open policy the attachment button goes to the previous attachment location as is expected.
    I've placed addrbook.exe, grpwise.exe, gwmailto.exe, gwreload.exe, gwsync.exe and notify.exe in my allowed list for executables and can't figure out what I might be missing. In the past I have found OCX and DLL files that have had to be specifically added to the policies as well to get certain functions to work, is it possible that this may be the case in my situation or could it be a completely different policy that I should be looking at?
    I'm getting ready to push the 8.0.2 clients to my users and this is something that I'd like to try to resolve before I do that push. Thanks!

    I just tore apart my group policy and found that using the Hide These Specific Drives and hiding the C: drive is what is causing this attachment behavior issue. Any ideas why it is causing this and any possible workarounds other than unhiding the C: drive?

  • I can't determine how a group policy is being applied. Please help. Thank you.

    Hi,
    I'm having a problem trying to find how a particular policy is being applied on my domain (I've inherited this domain).  Whenever a user logs into a domain, the computer gets a new local group policy.  One particular attribute is that the local admin account gets renamed:
    I can't figure out where it's coming from.  I've run gpresult, and I'm assuming it's the default domain policy.
    But when I go to the domain controller and look at the default domain policy, the entry is empty:
    I'm really at a loss.  However, I really don't think it's the default domain policy, but I can't figure out what else it could be?
    Any help would be greatly appreciated.  Thanks!!!  -Tim

    Does this help
    C:\Users\***>gpresult /z
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001
    Created On 2/12/2015 at 1:57:06 PM
    RSOP data for ****\*** on H9MHD12 : Logging Mode
    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\***
    Connected over a slow link?: No
    COMPUTER SETTINGS
        CN=H9MHD12,CN=Computers,DC=***,DC=com
        Last time Group Policy was applied: 2/12/2015 at 1:03:12 PM
        Group Policy was applied from:      ***.***.Com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        ****
        Domain Type:                        Windows 2000
        Applied Group Policy Objects
            Default Domain Policy
            Local Group Policy
        The computer is a part of the following security groups
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            H9MHD12$
            Domain Computers
            System Mandatory Level
        Resultant Set Of Policies for Computer
            Software Installations
                N/A
            Startup Scripts
                N/A
            Shutdown Scripts
                N/A
            Account Policies
                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  42
                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  N/A
                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  N/A
                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  1
                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  N/A
            Audit Policy
                N/A
            User Rights
                N/A
            Security Options
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Not Enabled
                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled
                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled
                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled
                GPO: Default Domain Policy
                    Policy:            NewAdministratorName
                    Computer Setting:  Enabled
                N/A
            Event Log Settings
                N/A
            Restricted Groups
                N/A
            System Services
                N/A
            Registry Settings
                N/A
            File System Settings
                N/A
            Public Key Policies
                N/A
            Administrative Templates
                GPO: Local Group Policy
                    KeyName:     Software\Policies\Microsoft\Windows\ScPnp\EnableScP
    nP
                    Value:       0, 0, 0, 0
                    State:       Enabled
    USER SETTINGS
        CN=*******,OU=Users,OU=Corporate,OU=***,DC=***,DC=com
        Last time Group Policy was applied: 2/12/2015 at 1:33:14 PM
        Group Policy was applied from:      ***.***.Com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        ***
        Domain Type:                        Windows 2000
        Applied Group Policy Objects
            Default Domain Policy
        The following GPOs were not applied because they were filtered out
            Local Group Policy
                Filtering:  Not Applied (Empty)
        The user is a part of the following security groups
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
        The user has the following security privileges
            Bypass traverse checking
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Shut down the system
            Force shutdown from a remote system
            Take ownership of files or other objects
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Remove computer from docking station
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Change the time zone
            Create symbolic links
            Increase a process working set
        Resultant Set Of Policies for User
            Software Installations
                N/A
            Logon Scripts
                N/A
            Logoff Scripts
                N/A
            Public Key Policies
                N/A
            Administrative Templates
                N/A
            Folder Redirection
                N/A
            Internet Explorer Browser User Interface
                N/A
            Internet Explorer Connection
                N/A
            Internet Explorer URLs
                N/A
            Internet Explorer Security
                N/A
            Internet Explorer Programs
                N/A

  • Mandatory Profiles, Group Policy Preferences, Synchronous processing

    Hello,
    I'm using Windows 8.1 Update to setup a lab of computers that will use standard user accounts with Mandatory Profiles and Group Policy to lock them down. Everything is working great with the exception of Group Policy Preferences. I am using GPP printers
    to add a shared printer to the computer lab and set the default. Due to asynchronous processing, the GPPs are applied only every other time. Since they are mandatory profiles, the settings are wiped out every time.
    I have enabled the GPO setting "Always wait for network at startup and logon" but it doesn't seem to have any effect. The Mandatory Profile is assigned in the user's AD object.
    From everything I can find on the issue, the problem seems to stem from the synchronous processing/asynchronous processing of group policy preferences, which explains the consistent alternating working. Fast logon optimization is always off when using a
    roaming user profile, which is the case of these standard users, to my understanding. I also configured cached logons to '0', disabling cached logons. The computers (configured to automatically sign in with SysInternals' Autologon) received an error (no logon
    servers available) trying to sign in before the network was ready, showing that they are ignoring the setting. Even with waiting for the network and signing in manually, the GPP printers are only successfully added every other time.
    http://technet.microsoft.com/en-us/library/jj573586.aspx
    2008R2 functional level
    I have created and recreated GPOs to test creating them on the DC and a Windows 8.1 Update computer, with no change in outcome.
    I have also tried setting Startup policy processing wait time, run logon scripts synchronously, and GPP Printers processing behaviors. For the latest testing, I created a new OU with blocked inheritance and created a new GPO with just the key settings to
    wait for network, install the printers, and use the mandatory profile. It still only worked every other time.
    I am currently at a loss for a good way to add the printers to the mandatory profiles. I have hacked them into the HKCU of the mandatory profile but I feel that is a kludge solution and not very sustainable. I have tried a logon PowerShell script but had
    no luck.
    TL;DR: Win8.1Update, Mandatory Profiles, standard user: Every other restart, GPP Printers are added perfectly and the desired outcome is reached. Every other, other restart the printers are not added.

    Hi,
    I'll involve another engineer in this thread for more discussion about your problem. Please wait patiently.
    Thank you for your understanding!
    Roger Lu
    TechNet Community Support

  • Lock Screen Group Policy - Error code 0X80070002

    Hi
    I'm trying to update the workstation policy (2008R2) to show a new Lock Screen for our users.
    I have two policies:
    -Windows 7 Workstation Policy
    -Windows 8.1 Workstation Policy
    It was no problem for our Windows 7 machines.
    Windows 8.1 however wouldn't change.
    The picture downloads successfully to the client directory I specified in the policy, resolution and size are ok.
    I've tried deleting the sysdata folder on test machines (This left me with a blue lock screen, but still better than what they chose ;)
    I've tried default and unique filenames, and different folder locations under 'Force A Specific Lock Screen'
    I've disabled/enabled 'Force a Specific Lock Screen'
    I came across this warning on the client test machine:
    The computer 'backgroundDefault.jpg' preference item in the 'Win8.1 Policy}' Group Policy Object did not apply because it failed with error code '0x80070002 The system cannot find the file specified.' This error was suppressed

    Hi ,
    Can you please post the gpresult report here? And also ensure there is no policy processing failure in the problematic machines. That you can verify by seeing the gpsvc logs.
    Regards, Prabhu

  • SSL Multiple Tunnel Groups with Multiple group policies

    Hello folks.
    Have a query and can't seem to find an answer on the web.
    I have configured SSL Clientless VPN on a lab ASA5510, using 2 tunnel groups, one for engineers and one for staff, mapped to 2 different group policies, each with different customisation. I have mapped the AD groups to the tunnel groups using both ACS and now LDAP (currently in use), both working successfully, using group lock and LDAP map of IETF-Radius-Class to Group name ensures engineers get assigned to the engineers tunnel group and staff get mapped to the staff tunnel group only.
    The question I have is....is there a way to use a single tunnel group to map the user based on AD group which will then use the correct Group-policy (1 tunnel group to multiple group-policies). I have seen examples of doing this with different URLs but want to know if they can all use the same URL and avoid using the drop down list using aliases.
    It may be a simple "No" but it would be nice to know how to do it without using the URLs or drop down list. Users are easily confused ......

    Easy. Disable the drop-down list, and use the authentication-server (LDAP or Radius) in the DefaultWEBVPNGroup. By default when you browse to the ASA, it will be using the DefaultWEBVPNGroup. Let LDAP or Radius take care of the rest.
    You will get the functionality you are looking for.
    HTH
    PS. If this post was helpful, please rate it.

  • Using multiple AAA group policies

    I am using the IETF class 25 option on ACS 4.x for VPN access. It's working well but I'd like to know the best way to assign multiple policies for a group.
    For example I'd like to give group A users only IPSEC access and group B users IPSEC and SSL. IPSEC access will be identical so I prefer not to create another profile and share the policy name.
    Thanks

    hmmm...
    so u r saying you want to lock the user in a tunnel group? you can push the group-lock attribute in that case.
    or is it like you want to push more than one group-policy to a user? if so, then i don't think you can do that. i.e. assign multiple group-policy to a user connecting to a tunnel-group is not possible.
    how many tunnel-groups you have? and what is it exactly that you want to achieve?
    Regards,
    Anisha
    P.S.: Please mark this thread as resolved if you feel your query is answered.

  • Using multiple LISTBOX in single Policy of Microsoft Group Policy .adm file?

    OK, I am writing a .adm file and here is code for a policy within a category
    CATEGORY !!A_CATEGORY
    POLICY !!A_POLICY
    KEYNAME "Software\Policies\ABC\ListBoxes"
    PART !!PART_1_Text LISTBOX
    VALUEPREFIX "FirstListBox"
    END PART
    PART !!DestPort_Label LISTBOX
    VALUEPREFIX "SecondListBox"
    END PART
    END POLICY
    END CATEGORY
    The .adm file is successfully loaded in group policy editor without any problem and shows two list boxes too. I can give input for both list boxes and apply/ok without any problem. The real problem is that on registry location "Software\Policies\ABC\ListBoxes",
    there comes only registry values as SecondListBox1, SecondListBox2, SecondListBox3 .... and no values for FirstListBox. Ideally, there should also be FirstListBox1, FirstListBox2, FirstListBox3 ...
    I did some experiments and found that only the registry values with last PART (i.e. SecondListBox) are shown in registry and all other PART values before that are ignored. Lastly, the problem is only with multiple LISTBOX in a single policy. I can use multiple
    CHECKBOX, COMBOBOX, DROPDOWNLIST, EDITTEXT, TEXT and NUMERIC within a single policy without any problem both in Windows 2003 Server and Windows 2008R2 Server
    Baig

    > and no values for FirstListBox. Ideally, there should also be
    > FirstListBox1, FirstListBox2, FirstListBox3 ...
    Since you do not use "ADDITIVE" it seems the whole key is cleaned out
    before processing the second list. Give it a try :)
    Martin
    How about reading a GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How to use Group Policy to remove the shutdown button on the logon screen

    Environment:  Shared use computers running Windows 7 Professional and MS Office Suite; Windows 2008 Standard server, Windows 7 EC Domain Policy and MS Office 2007 ADML Template downloaded from Microsoft. Windows 7 Accounts OU.
    I am in the process of developing a shared use computer lockdown policy for several Windows 7 computers that will be made available in my client's computer lab.  I need to use a group policy setting to remove the Shut Down button on the logon screen of the Windows 7 client computers.  I am editing the Windows 7 EC Domain Policy to user accounts in a Windows 7 Accounts OU that I created.  I am using the Group Policy editor in the Group Policy Management Console.
    Please let me know the best practice for accomplishing this using Group Policy editor.
    Thanks.
    P.S. I tried a setting recommended in the following link in the Windows 7 EC Domain Policy which did not seem to work.
    http://www.windowsitpro.com/article/group-policy/can-i-use-group-policy-to-display-or-remove-the-shut-down-button-on-the-logon-screen-.aspx

    Hi Vernon,
    I tried the group policy you mentioned (Computer Configuration, Windows Settings, Security Settings, Local Policies, and select Security Options, "Shutdown: Allow system to be shut down without having to log on") and it worked on a Windows 7 client.
    Thus you may need to check if the group policy you created is actually applied to clients.
    A screenshot can be found here:
    http://cid-b7ed40feb32ba29f.office.live.com/self.aspx/.Public/desktop/Capture.JPG

  • Default Group Policy - Custom policies don't apply?

    We have some computers in TEST OU with password lockout after 4 attempts but it doesn't work.  If we disable the Default Group policy in the domain controller then it works.
    With the Default Group Policy enabled, we run RSOP.exe and it does show the correct policies were applied but why does it still not lock the user accounts after 4 attempts?  There is no password lockout policy in the Default Group Policy.
    Thank you!

    > Local Group Policy
    This is present because someone opened gpedit.msc on the computer and
    configured something in there.
    > Not sure why, local policy applied to Windows 7 computer.  But for both
    > computers, the lockout policy is still not working.
    Because Account policies for domain users can only be changed at the
    Domain level, not at OU level. Account policies at OU level are only
    applied to LOCAL accounts, not to domain accounts.
    If you're running 2008 DFL, you can use FGPP and PSO.
    Martin
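
The FGPP/PSO route mentioned in the reply above, as an added example that is not part of the original thread. A PSO applies to users or global security groups, never to an OU or to computers, so the sketch assumes the affected user accounts sit in a TEST OU and are collected into a group; the OU path, names and every value other than the 4-attempt threshold are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: names, DN and all values except the threshold of 4 are assumptions.
$PsoName = 'PSO-Test-Lockout4'            # hypothetical PSO name
$Group   = 'GG-Test-Lockout4'             # hypothetical global security group
$TestOu  = 'OU=TEST,DC=example,DC=com'    # hypothetical DN of the OU holding the users

# A PSO cannot be linked to an OU, so mirror the OU's users into a group.
New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $TestOu
Get-ADUser -SearchBase $TestOu -Filter * |
    ForEach-Object { Add-ADGroupMember -Identity $Group -Members $_ }

# A PSO carries the full set of password and lockout settings, not just the
# one being changed, so each must be given a value.
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -LockoutThreshold 4 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -MinPasswordLength 7 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 42) `
    -ReversibleEncryptionEnabled $false

Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group

# Verify per user: no output means the user still falls back to the
# domain-level account policy.
Get-ADGroupMember -Identity $Group | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{
        User             = $_.SamAccountName
        ResultantPso     = $pso.Name
        LockoutThreshold = $pso.LockoutThreshold
    }
}
```

Users added to the OU later are not picked up automatically; group membership has to be kept in step with the OU.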

  • Screen Saver Group Policy

    I am new to DC. I want to implement a screen saver on my domain PCs. Please tell me the way to configure/set group policy for the Domain Controller.
    Best Regards,
    Muhammad Arshad,

    You have to do the following: User Configuration -> Policies -> Administrative Templates -> Control Panel / Personalization, with settings as follows:
    Enable Screen Saver : Enabled
    Force Specific screen saver : Enabled
    Screen Saver exe name : scrnsave.scr
    Password protect the screen saver : Enabled
    Prevent changing the screen saver : Enabled
    Screen saver timeout: number of seconds 1800 (30 minutes)
    Time out interval depends on your requirement.
    Regards, Prabhu

  • Bit Locker Implementation in Windows 8.1 machine using Windows server 2008 r2 server group policy.

    Is it possible to enable BitLocker only for Windows 8.1 machines through Windows Server 2008 R2 group policy?
    Thanks and Regards,
    Shanif

    Hi Shanif,
    Yes, we can do this.
    Regarding how to enable Bitlocker via group policy, the following article can be referred to as reference.
    Cannot Save Recovery Information for Bitlocker in Windows 7
    http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx
    After configuring the settings, we can use security filtering or WMI filtering to apply the policy to specific computers.
    Regarding this point, the following blog can be referred to for more information.
    Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
    Best regards,
    Frank Shen

  • How to Add multiple entry to the group policy security filtering

    How to Add multiple entry to the group policy security filtering
    Is there any way we can add multiple entries to the Domain group policy Security filtering tab? Currently it's not allowing us to add more than one entry at a time.
    Getting an error like "only one name can be entered, and the name cannot contain a semicolon. Enter a valid name"

    Hi
    Are you trying to add more users or groups through Group Policy Management Security Filtering tab?
    Try right clicking on the policy and then edit
    Then in Editor Right click on the name of the policy and Properties
    Security tab and add user or group from this tab. Just make sure if you are adding user or groups "Select this object type" has
    the correct option also "From this Location" is set to your entire directory not the local server.
    Update us with the above.
    Thanks

  • I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill f

    I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill forms?

    Well, try this (I was able to fix mine with these steps):
    Go Utilities > Disk Utility
    Select your Startup Disk, e.g. Macintosh HD
    Then, under the First Aid Tab, click Verify Disk Permissions.
    If there are errors, then click repair Disk Permissions.
    After it is done, restart the computer and see if your problem is resolved.
    I hope this helps.
    Zeke
    www.ZekeYuen.com/blog/

  • How to disable print screen by group policy?

    I tried with the below steps, however it's not working. Please assist me with this.
    Step one:  Create a Reg_binary entry using the info below:
    (reg file: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
    "Scancode Map"=hex:00,00,00,00,00,00,00,00,04,00,00,00,00,00,2a,e0,00,00,37,e0,\
    00,00,54,00,00,00,00,00)
    Step two: Link all OU sites to this new GPO policy
    Do one of the following:
    1. To link to a domain or an organizational unit, open Active Directory Users and Computers.
    2. In the console tree, right-click the site, domain, or organizational unit to which you want the Group Policy object to be linked.
    3. Click Properties, and then click the Group Policy tab.
    4. To add the Group Policy object to the Group Policy Object Links list, click Add. This opens the Add a Group Policy Object Link dialog box.
    5. Click the All tab, click the Group Policy object that you want, and then click OK.
    6. In the properties dialog box for the site, domain, or organizational unit, click OK.

    Hi Dinesh,
    To disable print screen, we can create a .reg file containing:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
    "Scancode Map"=hex:00,00,00,00,00,00,00,00,04,00,00,00,00,00,2a,e0,00,00,37,e0,\
     00,00,54,00,00,00,00,00
    Then, we can apply the registry setting through a startup script via group policy, or if our domain controllers are Windows Server 2008 or above, we can utilize the Group Policy Preferences Registry extension to deploy the registry setting.
    Regarding this point, the following thread can be referred to for more information.
    To Disable Print Screen through Group Policy
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/03af5c6a-636a-43e4-95dd-183331c0d4ac/to-disable-print-screen-through-group-policy?forum=winserverGP
    Best regards,
    Frank Shen
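
A decoder for the "Scancode Map" value quoted in this thread, useful for auditing what such a value does before deploying it or when one turns up on a machine. This is an added example, not code from the thread; the function name is hypothetical. It relies on the documented layout: an 8-byte header, a 4-byte entry count that includes the terminator, then 4-byte entries holding the replacement scancode followed by the original scancode, both little-endian.

```powershell
# Added example: ConvertFrom-ScancodeMap is a hypothetical helper name.
function ConvertFrom-ScancodeMap {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # Smallest valid value: 8-byte header + 4-byte count + 4-byte terminator.
    if ($Bytes.Length -lt 16) {
        throw 'Scancode Map too short (needs header, count and terminator).'
    }
    $count = [BitConverter]::ToUInt32($Bytes, 8)   # includes the null terminator
    if ($count -lt 1 -or (12 + 4 * [long]$count) -ne $Bytes.Length) {
        throw "Entry count $count does not match value length $($Bytes.Length)."
    }
    $n = [int]$count
    if ([BitConverter]::ToUInt32($Bytes, 12 + 4 * ($n - 1)) -ne 0) {
        throw 'Missing 00,00,00,00 terminator entry.'
    }

    for ($i = 0; $i -lt $n - 1; $i++) {
        $offset = 12 + 4 * $i
        $to     = [BitConverter]::ToUInt16($Bytes, $offset)       # scancode sent instead
        $from   = [BitConverter]::ToUInt16($Bytes, $offset + 2)   # physical key scancode
        [pscustomobject]@{
            From     = '0x{0:X4}' -f $from
            To       = '0x{0:X4}' -f $to
            Disabled = ($to -eq 0)    # mapping to 0x0000 turns the key off
        }
    }
}

# The value from the .reg file in this thread, with the line continuation joined.
$hex   = '00,00,00,00,00,00,00,00,04,00,00,00,00,00,2a,e0,00,00,37,e0,00,00,54,00,00,00,00,00'
$bytes = [byte[]]($hex -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) })
ConvertFrom-ScancodeMap -Bytes $bytes | Format-Table -AutoSize

# To audit a live machine instead, read the value the GPO or script deployed:
# $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
# $bytes = (Get-ItemProperty -Path $key -Name 'Scancode Map').'Scancode Map'
```

For the value in this thread the decoder lists three mappings, 0xE02A, 0xE037 and 0x0054, each mapped to 0x0000: the two scancodes of the Print Screen sequence and the Alt+Print Screen (SysRq) code. The map is read at boot, so a change takes effect only after a restart.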
