Active Directory GPO - Enforcing Password Protected Screen Savers

[Alan Truism]

I created a GPO to enforce a password protected screen saver.

under User Configuration\Administrative Templates\Control Panel
\Display i set the screen saver, timeout, and password options


the wierd thing is this, when I link this policy to an existing
Organizational Unit [which has additional GPO's linked to for
software installation] then the setting propagates to the workstation
within that OU.

However, if I create a new OU, that isn't linked to the other GPOs,
and simply link the password GPO. The password settings will not
propagate down to the workstations within it.

Why would a a GPO work fine for one OU and not for another?

 

[bigstyle [MVP]]

I created a GPO to enforce a password protected screen saver.

under User Configuration\Administrative Templates\Control Panel
\Display i set the screen saver, timeout, and password options


the wierd thing is this, when I link this policy to an existing
Organizational Unit [which has additional GPO's linked to for
software installation] then the setting propagates to the workstation
within that OU.

However, if I create a new OU, that isn't linked to the other GPOs,
and simply link the password GPO. The password settings will not
propagate down to the workstations within it.

Why would a a GPO work fine for one OU and not for another?

Hi,

a password policy is unique in a domain so a GPO password (for domain
user) has no effect on AD password but only on local password policy
(of computers member of the specified OU)

 

[Alan Truism]

I created a GPO to enforce a password protected screen saver.

under User Configuration\Administrative Templates\Control Panel
\Display i set the screen saver, timeout, and password options

the wierd thing is this, when I link this policy to an existing
Organizational Unit [which has additional GPO's linked to for
software installation] then the setting propagates to the workstation
within that OU.

However, if I create a new OU, that isn't linked to the other GPOs,
and simply link the password GPO. The password settings will not
propagate down to the workstations within it.

Why would a a GPO work fine for one OU and not for another?

Hi,

a password policy is unique in a domain so a GPO password (for domain
user) has no effect on AD password but only on local password policy
(of computers member of the specified OU)

I'm not changing domain wide password policies through the GPO. I'm
only pushing out Screen Saver settings to the workstations.

| under User Configuration\Administrative Templates\Control Panel
| \Display i set the screen saver, timeout, and password options

The odd thing is that the GPO works when linked to one OU, but not to
another OU

Why would it work for computers placed in one OU but not the other OU?

 

[Paul Bergson [MVP-DS]]

Try running the Resultant Set Of Policies (RSOP) against an object with in
this new OU.

http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

RSOP will examine what policies should be applied and detail them in its
output.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Mark Renoden [MSFT]]

Hi

The reasons may be varied and could be anything from name resolution issues
to GPO permissions to policy confict to client machine build. To isolate,
try moving a machine from the OU in which it worked to the OU in which it
doesn't work. What happens?

Using GPMC, you can use the Group Policy Results wizard to generate a report
and this will often tell you the reason a policy was or was not applied.

A more detailed analysis would include the use of user environment debug
logging -

221833 How to enable user environment debug logging in retail builds of
Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833


--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

I created a GPO to enforce a password protected screen saver.

under User Configuration\Administrative Templates\Control Panel
\Display i set the screen saver, timeout, and password options

the wierd thing is this, when I link this policy to an existing
Organizational Unit [which has additional GPO's linked to for
software installation] then the setting propagates to the workstation
within that OU.

However, if I create a new OU, that isn't linked to the other GPOs,
and simply link the password GPO. The password settings will not
propagate down to the workstations within it.

Why would a a GPO work fine for one OU and not for another?

Hi,

a password policy is unique in a domain so a GPO password (for domain
user) has no effect on AD password but only on local password policy
(of computers member of the specified OU)

I'm not changing domain wide password policies through the GPO. I'm
only pushing out Screen Saver settings to the workstations.

| under User Configuration\Administrative Templates\Control Panel
| \Display i set the screen saver, timeout, and password options

The odd thing is that the GPO works when linked to one OU, but not to
another OU

Why would it work for computers placed in one OU but not the other OU?