[jaxisland]

I have a couple group policies configure that are being received by all computers. Now the trick is there, is one computer that I do not want to recieve the policies. I cannot get it to not receive the policy. Is there a way to make it so this computer will not recieve that one policy?

Thanks

[Advertisements]

you can create a new OU in AD just for that computer (and any othre computer that you don't want the GPO to be applied to) and move that computer to that OU...then make sure that the GPO isn't applied to that computer....OF COURSE...this implies that the GPO in question is made up of computer settings and not user settings...as the user settings in the GPO follow the user...irrespective of computer OU membership

[dsenette]

you can create a new OU in AD just for that computer (and any othre computer that you don't want the GPO to be applied to) and move that computer to that OU...then make sure that the GPO isn't applied to that computer....OF COURSE...this implies that the GPO in question is made up of computer settings and not user settings...as the user settings in the GPO follow the user...irrespective of computer OU membership

[jaxisland]

And there in lies the problem. It is a user setting. More specifically the domain computers have a screen saver after 40 mins that password protect. This is a computer that is in a conference room that all people in the company can access for meetings and such. They use their normal domain logins to access the network. The problem is, if someone forgets to log out, either they have to be tracked down to log out after the timeout or I have to keep doing as the admin. My question is I need a way to remove to settings for the screen saver and lock out that are set by Group Policy.

Thanks for the help

[dsenette]

....ech...i believe that there is a setting to stop the processing of group policy objects all together...but it's not sellective...it will block all GPOs from processing. i've got a similar setup to yours with my laptops for presentations and such...and i often times have to go and log someone out on it...a minor inconvenience...of course...the user needing access to the computer could always just shut it off and turn it back on thereby logging out the previous user..

you could create a "conference room" user so that everyone logging on to that machine would use the same user all the time...with an unchangable default password that everyone knows...and then give that user a folder on the network that everyone has access to...that way when they need a file or a powerpoint or whatever...they can just put a copy of it in that user's folder...and access it from the computer in the conference room...but that opens up a little bit of "data sensitivity" issues...they could also use usb drives to bring the files in there with them...or something like that

[jaxisland]

All good suggestions. We had a general user name and password that I am in the process of removing from my network. We are a Industrial Ethernet Hardware Manufacturer that creates our own software. The problem lies in that you have to be and admin to run our programs. This way the general username on the public computer was an admin login. Bad bad bad. So I removed the user and let people use their own login. I had a feeling that if it was a user setting there is nothing I could do about it, but its worth a shot.

As to blocking everything I have startup scripts and mapped drives I need to run at login. So I cant block everything. Argh this is so frustrating. If you know anything else I would appreciate it.

Thanks

[dsenette]

...if this computer is JUST used for meetings and presentations..you could remove it from the domain (heck unplug it from the network) and let people log on as a local admin...and transfer all files that they need via USB or cd maybe..

[jaxisland]

It is mainly used for that but we need it on the network because there are alot of company meetings in which they need access to network programs (databases, financial software, etc). It has to stay on the network unfortunately.

Thanks for the help

[jaxisland]

Is there anyway to have the screen saver lock out but also give you the option to log off or shut down?

Is there a script that I can run on that single computer to override the single group policy setting?

Had a couple brain storm sessions, let me know what you think.

Thanks

[dsenette]

the screen saver lockout should give you that option but it doesnt...and to my knowledge there's no way to do such a thing...

local group policy is always overrriden by domain policy so there's no local setting that would stop the processing of the domain policy...there's not really a way to block the polcy from being used (kind of the point)...