Florian
Thu Jul 10 23:45:48 PDT 2008
Jim,
Jim Mutdosch wrote:
> Ok this is about how far I got before then I'm lost. I create and link a gpo
> here and named it screensavers. I have that GPO and default domain policy
> GPO. The screen saver is listed below the default if that even matters. Ok
> what I want is basically everything to stay the same in the domain but to add
> say 80 workstations with the password/lockout policy. So in the screensaver
> GPO I gpedit and setup the screensaver settings and such and leave the
> default the way it is. I basically want some workstations to have default
> settings with password/lockout policy and some workstations to just have
> default. Sorry if these are stupid questions but I'm not sure how one overrides
> the other or how to link them or what I need to do next. Thanks for the help
> and patience.
> and patience.
You seem to confuse a few things. So basically we're talking about
domain policies. I referenced gpedit there which is only used on
stand-alone machines for local Group Policy creation.
Let's step back for a moment: you basically have two groups of users.
Where are those users and how are they organized? Are they in the
default "Users" container? You know, you can create Organizational Units
(OUs) in the domain to group users and computers. To those OUs, you can
link GPOs which in this case would be your best approach. Linking the
screensaver policy to the domain next to the Default Domain Policy is
something I wouldn't do as it's more work.
So, assuming you can create a new OU, move all users that need a special
screensaver setting into that OU. Once they're in, create your
screensaver policy to that OU and define the settings. You're done then.
Only users in that OU will get the settings. Others won't.
If you're not able to create a new OU or separate the two groups of
users, things get a little more complicated. You then have to apply the
policy to the common parent object (which is an OU if the users are all
in one OU - or the "domain" if they're in the "Users" container). I
still suggest you put the users into a new OU (even if you can't
separate them). Once that's done, you create a security group called
"screensaver users" and put the appropriate users in there. You then go
create the Group Policy at the OU all user accounts are in. After making
the settings, you need to tweak permissions on the GPO around: users
need "Read" and "Apply Group Policy" permission on the GPO to apply it.
You basically kick "Authenticated Users" out (which is default) and add
the "screensaver users" in there with "Read" and "Apply" permissions.
Like that, only those users in the security group will apply the policy.
More on that procedure which is called "security filtering" here:
http://www.frickelsoft.net/blog/?p=28
Anyway, I recommend you try to separate the users. If there are
questions left, feel free to ask.
cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog:
http://www.frickelsoft.net/blog.
Use a newsreader!
http://www.frickelsoft.net/news.html
Maillist (german):
http://frickelsoft.net/cms/index.php?page=mailingliste
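
The security filtering procedure described in the reply above, as an added PowerShell example that is not part of the original post. The OU path, domain, GPO name, member accounts and timeout value are constructed placeholders; it assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2012 or later cmdlet names). Instead of removing "Authenticated Users" completely, it downgrades them to Read, because since the MS16-072 update user policy is retrieved in the computer's security context and a GPO the computer cannot read is not applied.

```powershell
# Added example; every name below is a placeholder, not a value from the post.
Import-Module ActiveDirectory, GroupPolicy

$ouPath    = 'OU=Staff,DC=example,DC=com'   # hypothetical OU holding all user accounts
$groupName = 'screensaver users'            # security group name used in the post
$gpoName   = 'Screensaver'                  # hypothetical GPO name
$members   = 'alice', 'bob'                 # constructed sample accounts

# 1. Create the security group and add the users who should get the policy.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $groupName -Members $members

# 2. Create the GPO and link it to the OU that contains all user accounts.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ouPath | Out-Null

# 3. Define the user-side screensaver settings (registry-based policy values).
#    The 900-second timeout is a constructed sample value.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = @{
    ScreenSaveActive    = '1'    # enable the screen saver
    ScreenSaverIsSecure = '1'    # require the password on resume
    ScreenSaveTimeOut   = '900'  # idle seconds before it starts
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name `
        -Type String -Value $settings[$name] | Out-Null
}

# 4. Security filtering: only the group gets Read + Apply Group Policy.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users from Apply to Read only. -Replace is needed
# because the existing permission is higher than the new one.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Check the result: the group should show GpoApply, Authenticated Users GpoRead.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Running `gpresult /r` as a test user inside and outside the group shows whether the GPO is listed as applied or as filtered out.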