Hi everyone,
I have been looking around for a few days and have not found a good answer to this. We have a couple of screensaver settings (60min, and no screen saver with passwords and a 60 min without password) that we would like applied to specific machines and have them overwrite the default (10 minutes from domain level). From what I have seen I will need to use loopback processing for this as it is a machine setting.
Our tree is set up as follows:
Domain
-Computer OU (not folder)
--Location OU
---Computers that need Screensavers
Location OU1 is where all the computers that we would like these different settings to apply to are currently residing.
I have configured a policy for each of these screensaver settings appropriately and have linked them to the Computer OU. Their security filtering is set to a group of specific machines in the Location 1 OU (to only have loopback apply to those machines) and Domain Users (to give permissions to change the screensaver).
The problem I am having is that no matter which of the 3 policies is applied it turns on loopback, and then all 3 of them apply in order leaving the NoScreensaver policy as the result (as it is processed last).
From what I can tell this makes sense, as loopback means all policies associated with the machine (which they all are as they are linked to the OU above it) will process, and Domain Users means the logged-in user will have permission to the user setting allowing it to run, regardless of the fact that the computer setting on that specific one is blocked (which won't matter as that setting is already set).
The only way around this that I can see would be to create a separate sub OU for each of these 3 policies and move the computers into them and link at that level.
This becomes a problem as the boss would also like machine-controlled USB removable drive access (locked down in group policy but wants specific machines to be able to access them). This is also controlled by a user setting and would require a loopback policy as well, which would then require a subkey under each of those 3 OUs and a separate one just under the location OU (for ones needing it without needing a different screen saver). That is a total of 7 containers just for managing screensaver and USB key and it just seems like a messy solution.
Is there a better way of doing this? Did I miss something?
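
The behaviour described in the post, as a simplified model (an added example, not part of the original post): it compares the single-OU layout with the one-sub-OU-per-policy workaround. The group names (`grp-*`), sub-OU names (`OU-*`) and the processing order are constructed assumptions, and the model ignores WMI filters, enforcement, link order and the computer account's own read permission on each GPO.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GPO:
    name: str              # also stands in for the user-side screensaver setting
    linked_to: str         # OU the GPO is linked to
    apply_to: frozenset    # security filtering (Apply Group Policy)
    loopback: bool = True  # computer-side setting: turn loopback on

# Constructed tree mirroring the post; the three sub-OUs are the workaround.
PARENT = {"Computer OU": None, "Location OU": "Computer OU",
          "OU-60min": "Location OU", "OU-60minNoPw": "Location OU",
          "OU-NoScreensaver": "Location OU"}
NAMES = ["60min", "60minNoPw", "NoScreensaver"]  # assumed processing order, last wins

def gpos(link_for):
    """One GPO per setting, filtered to its machine group plus Domain Users."""
    return [GPO(n, link_for(n), frozenset({"grp-" + n, "Domain Users"}))
            for n in NAMES]

FLAT = gpos(lambda n: "Computer OU")   # layout in the post: all linked at one OU
SPLIT = gpos(lambda n: "OU-" + n)      # workaround: one sub-OU per policy

def effective(computer_ou, computer_groups, policies, default="10min domain default"):
    """Screensaver setting a Domain Users member ends up with on this computer."""
    chain, ou = [], computer_ou
    while ou:                          # walk up to the top of the tree
        chain.insert(0, ou)
        ou = PARENT[ou]
    in_scope = [g for o in chain for g in policies if g.linked_to == o]
    # Computer side: filtering is checked against the computer's groups.
    if not any(g.loopback and g.apply_to & computer_groups for g in in_scope):
        return default
    # User side under loopback: every in-scope GPO is checked against the
    # user's groups, so Domain Users matches all of them and the last one wins.
    result = default
    for g in in_scope:
        if g.apply_to & {"Domain Users"}:
            result = g.name
    return result

if __name__ == "__main__":
    print("flat :", effective("Location OU", {"grp-60min"}, FLAT))
    print("split:", effective("OU-60min", {"grp-60min"}, SPLIT))
    print("other:", effective("Location OU", set(), FLAT))
```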