Need to block a User GP for certain Machines
-
I have a Windows Server 2008 R2 domain and forest level. Plan is to upgrade the domain this year because of 2008 R2 going EOL next year.
I have a GPO called Sleep that applies to Users that locks users screens after a certain period of time. We want this on all of our client machines, but not the ERP servers. The user RDPs into the ERP servers to perform their business tasks. Is there a way of excluding the GPO from applying to the ERP servers?
-
You'd exclude these devices in the same manner you'd exclude users, either by setting an exclusion rule or by GPO design and filtering.
-
Top-level domain GPOs will of course still affect the servers and users, because they cascade down from the top level.
So you can either put users and systems outside of the scope, or deny them on the policy.
How this would work on a system that is accessed via RDP would be the tricky part, though, because the user is still using their one account, and the GPO is written as a user policy that affects not only their desktops but the RDP server (and their accounts on it).
-
You can use the delegation tab on the GPO.
If we know that there will be objects that need to be excluded, we'll make an exclusion group. Then grant that group allow for Read and deny for "Apply Group Policy."
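
The exclusion-group mechanics from the post above, as an added example that is not code from the thread: it creates a hypothetical group GPO-Sleep-Exclude in an assumed OU=Groups container, fills it with the ERP computer accounts (assumed to be named ERP*), grants it Read on the Sleep GPO with Set-GPPermission, and adds the Deny for "Apply Group Policy" by editing the ACL of the GPO's container object in AD, because Set-GPPermission only writes Allow entries. One caveat a practitioner should keep in mind: in normal (non-loopback) processing, security filtering of a GPO's User Configuration is evaluated against the user's token, so a Deny given to computer accounts removes the GPO from those computers' Computer Configuration processing but does not by itself keep a user-side policy like Sleep out of an RDP session on those servers; that is exactly the catch the previous post describes.

```powershell
# Added example (not from the thread). Assumptions: GPO "Sleep", a hypothetical
# exclusion group "GPO-Sleep-Exclude" in an assumed OU=Groups container, and ERP
# computer accounts named ERP*. Needs RSAT's ActiveDirectory and GroupPolicy
# modules and rights to edit the GPO's security.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Sleep'
$GroupName = 'GPO-Sleep-Exclude'
$Domain    = Get-ADDomain
$Dc        = $Domain.PDCEmulator   # pin every write to one DC: ntSecurityDescriptor is a
                                   # single attribute, so edits on two DCs would overwrite
                                   # each other on replication

# 1. The exclusion group (domain local is enough for an ACL trustee).
$group = Get-ADGroup -Server $Dc -Filter "Name -eq '$GroupName'"
if (-not $group) {
    New-ADGroup -Server $Dc -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path "OU=Groups,$($Domain.DistinguishedName)"
    $group = Get-ADGroup -Server $Dc -Identity $GroupName
}
$members = Get-ADComputer -Server $Dc -Filter "Name -like 'ERP*'"
if ($members) { Add-ADGroupMember -Server $Dc -Identity $group -Members $members }

# 2. Allow Read (on the AD object and on SYSVOL). Set-GPPermission writes Allow only.
Set-GPPermission -Server $Dc -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# 3. Deny "Apply Group Policy": an explicit Deny ACE for the Apply-Group-Policy
#    extended right on the GPO's groupPolicyContainer object, written via an
#    ActiveDirectory PSDrive bound to the same DC as step 2.
$gpo      = Get-GPO -Server $Dc -Name $GpoName
$null     = New-PSDrive -Name GPAD -PSProvider ActiveDirectory -Server $Dc -Root '//RootDSE/'
$gpcPath  = "GPAD:\CN={$($gpo.Id)},CN=Policies,CN=System,$($Domain.DistinguishedName)"
$applyGpo = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # rightsGuid of Apply-Group-Policy
$acl      = Get-Acl -Path $gpcPath
$denyAce  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpo,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpcPath -AclObject $acl

# 4. Check: the same view GPMC's Delegation tab gives. Expect the group listed with
#    GpoRead (Denied = False) and GpoApply (Denied = True).
Get-GPPermission -Server $Dc -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq $GroupName } |
    Format-Table Trustee, Permission, Denied
```

The group is made domain local only because it is used as an ACL trustee; if the same group will also be used for other filtering, a global group is equally fine. Membership changes take effect on a machine only after its Kerberos ticket is refreshed (reboot for a computer account, log off and on for a user), so a `gpupdate /force` straight after adding a member will not yet show the exclusion.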
-
Well, I should've read @DustinB3403's link. It's the same thing as what I posted.
-
@NerdyDad I have been wanting to do this for a while, just haven't had the time to set it up. I need to force a lock for people that will just leave their system unlocked all the time. Overnight, weekend, holidays, vacation, etc.
Where is the setting located? Depending on what type of setting it is, you might be able to use item level targeting.
-
@wrx7m : That's a simple one.
Go to Computer Config > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Under Interactive logon: Machine inactivity limit, set the timeout that you'd prefer.
Now, the above will only work for Server 2012 and above and Windows 10. If you're running 2008 through R2 or if your workstations are still Windows 7 then you'll have to do the following:
Computer Config > Policies > Administrative Templates > Personalization:
Enable Screen Saver
Password protect screen saver
Screen saver timeout (the important one)
Force specific screen saver (blank screen)
-
You can use Loopback Processing also.
https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
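
Putting the thread's two pieces together, as an added example that is not code from any post here: Part 1 writes the lock settings from the post two above (the 2012/Windows 10 inactivity limit and the four Windows 7 / 2008 R2 screen-saver settings) into the Sleep GPO through their underlying registry policy values; Part 2 uses the loopback suggestion to keep Sleep off the RDP hosts, by giving them an OU of their own with inheritance blocked and user policy processed in loopback Replace mode, so their user settings come only from what is linked to that OU. The names Sleep, ERP-Servers and an OU called "ERP Servers" directly under the domain are assumptions. Two details worth knowing: the screen-saver values are user-side policy (HKCU; in GPMC they sit under User Configuration > Administrative Templates > Control Panel > Personalization) while the inactivity limit is computer-side; and writing the inactivity limit with Set-GPRegistryValue lands it in registry.pol, where GPMC reports it under Extra Registry Settings rather than Security Options, but it is the same registry value the security option sets.

```powershell
# Added example (not from the thread). Assumed names: GPO "Sleep" (linked where the
# workstations are in scope), OU "ERP Servers" under the domain root for the RDP hosts,
# and a GPO "ERP-Servers" for that OU. Needs RSAT's GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$SleepGpo    = 'Sleep'
$ErpOu       = "OU=ERP Servers,$($Domain.DistinguishedName)"
$ErpGpoName  = 'ERP-Servers'
$TimeoutSecs = 600   # lock after 10 minutes idle

# --- Part 1: the lock settings posted above, written into the Sleep GPO --------------
# Server 2012 / Windows 10 and later: "Interactive logon: Machine inactivity limit".
# Computer-side value; the security option itself stores this exact registry value.
Set-GPRegistryValue -Name $SleepGpo `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'InactivityTimeoutSecs' -Type DWord -Value $TimeoutSecs | Out-Null

# Windows 7 / Server 2008 R2: the four Personalization screen-saver settings. These are
# user-side (HKCU) policy values and are REG_SZ, so all four are written as strings.
$ssKey    = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ssValues = [ordered]@{
    'ScreenSaveActive'    = '1'              # Enable screen saver
    'ScreenSaverIsSecure' = '1'              # Password protect the screen saver
    'ScreenSaveTimeOut'   = "$TimeoutSecs"   # Screen saver timeout (seconds)
    'SCRNSAVE.EXE'        = 'scrnsave.scr'   # Force specific screen saver (blank screen)
}
foreach ($name in $ssValues.Keys) {
    Set-GPRegistryValue -Name $SleepGpo -Key $ssKey -ValueName $name `
        -Type String -Value $ssValues[$name] | Out-Null
}

# --- Part 2: keep Sleep off the ERP RDP hosts with loopback -------------------------
# Block inheritance on the ERP OU so the domain-linked Sleep GPO (and every other
# non-enforced link above the OU) is out of those computers' scope, link a GPO of their
# own, and switch user policy on those hosts to loopback Replace (UserPolicyMode 2;
# Merge would be 1). In Replace mode the user settings come only from GPOs in the
# computer's scope, which is now just what is linked to the ERP OU.
if (-not (Get-GPO -Name $ErpGpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $ErpGpoName | Out-Null
}
Set-GPInheritance -Target $ErpOu -IsBlocked Yes | Out-Null
if (-not ((Get-GPInheritance -Target $ErpOu).GpoLinks.DisplayName -contains $ErpGpoName)) {
    New-GPLink -Name $ErpGpoName -Target $ErpOu | Out-Null
}
Set-GPRegistryValue -Name $ErpGpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Check, on one of the ERP hosts after gpupdate /force (run as the RDP user):
#   gpresult /r /scope user
# Sleep should no longer appear under "Applied Group Policy Objects" for the user.
```

Blocking inheritance is a blunt tool: every domain-level GPO the ERP servers still need (security baseline, audit policy, etc.) must either be linked to the ERP OU as well or be set to Enforced, since Enforced links are not blocked. If that is too much churn, an alternative within the thread's own suggestions is to leave inheritance alone and rely on the Deny from the delegation post, but for a user-side policy that Deny must then be applied to the user accounts rather than the computers, which is the trade-off the earlier post about RDP users points out.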