ScreenSaver timeout problem via GPO

Subject: ScreenSaver timeout problem via GPO
Posted by:  scott7 (scot…@discussions.microsoft.com)
Date: Mon, 7 Jan 2008

I have about 4 laptops at my company with special needs.  I need the screen
saver to be totally disabled on these 4.  They are used for PowerPoint and
special assignments and the screen needs to stay on and never lock.  Let me
give you some facts about these laptops so you know the situation.

1. The laptops are joined to a 2003 domain and live in various OUs.
2. There is a GPO at the domain level that activates a screen saver at 15
minutes and requires a password to get back in.  This is set in user
configuration, administrative templates, control panel, display, then screen
saver enabled, screen saver password enabled, and timeout enabled 900
seconds.  This policy is not enforced so if a lower OU blocks inheritance it
will not run.
3. None of the OUs these laptops live in block inheritance so the domain
policy to enable the screen saver will run.

I tried to create a security group in Active Directory and a new GPO (using
security filtering to only the new group) with a loopback policy (I’ve tried
replace & merge) changing these screen saver settings.  The new GPO was put
at the domain level.  It is set up to disable the screen saver under user
configuration.  I had to take out authenticated users and put in only the new
group (security filter) so it would not run on the entire domain.  I tried to
place the PCs in the group and the GPO won’t run at all.  If I put a user in
the group the new GPO will run, but only if I put it in order to run after
the other GPO that turns on the screen saver.  With this said I turned off
loopback processing and it would still run if in the correct order.  So
making a GPO with loopback in the domain does not seem to work.  I have run
gpresult and saw the PCs are in the security group, but the new GPO is not
listed as running.  If the user is in the group it runs in the order I set in
GPM for the domain.

Since the first method did not work I decided to try something else.  Since
we only have 4 laptops I decided to try and set a local GP on the laptop
itself using loopback processing.  I found one of the laptops and logged in
as a local admin.  Then I did the start, run, and typed gpedit.msc.  I set
the computer configuration, administrative templates, system, group policy
area to use loopback.  We want to use merge so domain and OU policies get
combined with my new screen saver policy.  On the local laptop I set the
screen saver policy to disabled in the user configuration area.  I still had
no luck.  I tried loopback with replace and merge, but the domain screen
saver policy still won, causing the screen saver to activate at 15 minutes
with a lock.

One more test I tried was to put the laptop in an OU that had blocking
inheritance set up.  Since the domain policy for the screen saver activation
and lock was not enforced my laptop local policy worked fine.  When in the
blocked OU the domain policy never ran and the laptop used my local policy to
disable the screen saver.

I have searched the web and everything I read about loopback sounds like
what I’m doing should work.  Especially when I set the policy on the local PC
I thought the loopback makes my screen saver setting to disable run last and
win.
