
    Need to block a User GP for certain Machines

    IT Discussion
    group policy domain windows server 2016 windows server 2008 r2
    • NerdyDad

      I have a Windows Server 2008R2 Domain & Forest level. Plan is to upgrade the domain this year because of 2008R2 going EOL next year.

      I have a GPO called Sleep that applies to Users that locks users' screens after a certain period of time. We want this on all of our client machines, but not the ERP servers. The user RDPs into the ERP servers to perform their business tasks. Is there a way of excluding the GPO from applying to the ERP servers?

      • DustinB3403

        You'd exclude these devices in the same manner you'd exclude users, either by setting an exclusion rule or by GPO design and filtering.

        • DustinB3403

          https://blogs.technet.microsoft.com/canitpro/2016/10/12/step-by-step-excluding-users-or-usergroups-from-group-policy/

          • DustinB3403

            Top level domain GPOs will of course still affect the servers and users, because they would cascade down from the top level.

            So you can either put users and systems outside of the scope, or deny them on the policy.

            How this would work on a system that is accessed via RDP would be the tricky part though, because the user is still using their one account. And the GPO is written as a user policy that is affecting not only their desktops, but the RDP server (and their accounts on it).

            • EddieJennings

              You can use the delegation tab on the GPO.

              If we know that there will be objects that need to be excluded, we'll make an exclusion group. Then grant that group allow for Read and deny for "Apply Group Policy."

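The exclusion-group approach described in the post above, scripted in PowerShell as an added example (not code from any poster in this thread). `GPO-Sleep-Exclude` is a hypothetical group name assumed to exist already, `Sleep` is the GPO named in the question, and the script assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined machine.

```powershell
# Added example: Allow Read + Deny "Apply Group Policy" for an exclusion group.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Sleep'               # GPO named in the thread
$GroupName = 'GPO-Sleep-Exclude'   # hypothetical exclusion group (assumption)

# "Apply Group Policy" is an extended right; this is its rightsGuid in AD.
$ApplyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO     -Name     $GpoName   -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# Allow Read. Set-GPPermission has no "deny" level, so it only covers this half.
Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Deny Apply Group Policy: add a Deny ACE on the GPO's object in AD.
$gpoPath = "AD:\$($gpo.Path)"
$acl     = Get-Acl -Path $gpoPath
$deny    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicy)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoPath -AclObject $acl

# Read the ACL back and list every trustee that is denied Apply Group Policy,
# so the exclusion can be reviewed later instead of being forgotten.
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.ObjectType -eq $ApplyGroupPolicy } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Because Sleep is a user policy, the deny is evaluated against the user account, so group members are excluded on every machine they log on to, which is the RDP complication raised earlier in the thread.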
              • EddieJennings

                Well, I should've read @DustinB3403 's link. It's the same thing as what I posted.

                • wrx7m @NerdyDad

                  @NerdyDad I have been wanting to do this for a while, just haven't had the time to set it up. I need to force a lock for people that will just leave their system unlocked all the time. Overnight, weekend, holidays, vacation, etc.

                  Where is the setting located? Depending on what type of setting it is, you might be able to use item level targeting.

                  • manxam @wrx7m

                    @wrx7m : That's a simple one.
                    Go to Computer Config > Policies > Windows Settings > Security Settings > Local Policies > Security Options

                    Under "Interactive logon: Machine inactivity limit", set the timeout that you'd prefer.

                    Now, the above will only work for Server 2012 and above and Windows 10. If you're running 2008 through R2 or if your workstations are still Windows 7 then you'll have to do the following:

                    Computer Config > Policies > Administrative Templates > Personalization:

                    Enable Screen Saver
                    Password protect screen saver
                    Screen saver timeout (the important one)
                    Force specific screen saver (blank screen)

                    • pmoncho @NerdyDad

                      @NerdyDad

                      You can use Loopback Processing also.

                      https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
