#1

Loopback processing not working

Hi all. I tried replying to a similar thread, but that doesn't seem to have worked so I'm trying to post a new thread.

Here is the situation (it is almost identical to the situation described by scott7).

Our workplace is increasing its security policies and we want everyone to have their computer lockout after 15 min of inactivity (going to the screensaver). However, there are some lab computers that should not follow this rule as there are safety concerns.

I understand that loopback processing within a policy is the route to go for this situation, and I have read up on it and tried to implement it. However, I have not had any success with it.

Here is what I have done:

- I have a screensaver policy that is filtered to 3 security groups which cover just about everyone in our active directory. Here is a list of settings:

    Administrative Templates
      Control Panel/Display
        Policy                                 Setting
        Password protect the screen saver      Enabled
        Screen Saver                           Enabled
        Screen Saver executable name           Enabled
          Screen Saver executable name         scrnsave.scr
        Screen Saver timeout                   Enabled
          Number of seconds to wait to enable the Screen Saver    seconds: 900

This policy works (much to the chagrin of most of our employees).

- I have a second policy that I'm using to "turn off" the screensaver policy via loopback processing. As I am testing, I'm not disabling the screensaver, but rather specifying a different one so that the changes are apparent. Once I get it working properly, I'll change it so that the screensaver is disabled. The policy is applied to my computer (not a group, but when I get it working I'll apply it to a group of computers we want to disable the screensaver). Here are the settings for that policy:

    Computer Configuration (Enabled)
      Administrative Templates
        System/Group Policy
          Policy                                        Setting
          User Group Policy loopback processing mode    Enabled
            Mode:                                       Merge

    User Configuration (Enabled)
      Administrative Templates
        Control Panel/Display
          Policy                               Setting
          Password protect the screen saver    Disabled
          Screen Saver                         Enabled
          Screen Saver executable name         Enabled
            Screen Saver executable name       ssstars.scr
          Screen Saver timeout                 Disabled

When I use the modeling wizard, using my AD username, my computername, and enabling loopback processing, the simulation reports that both policies are being applied. However, when I log into my computer (using my AD username) the "turn off" policy is not overriding the "turn on" policy (i.e. I don't get the stars screensaver). If I change the security filtering to my AD username (rather than my computername), I get the stars screensaver. But, of course, this is not what I need to happen.

From what I've read from Microsoft and the various forums on the net, the loopback processing should be pretty straightforward. I have no idea what I'm missing here. I've had one of our other IT network people work with me on this and neither of us see what we are doing wrong.

Any help would be most appreciated.

Thanks in advance
Chuck

#2

Re: Loopback processing not working

Well you could just deny the right to apply the policy for the screen saver to those machines you don't want it to apply against. The easiest way would be to create a security group, place the computers in this group and then deny this policy.

There is no need for a second policy, what is probably happening is the first one is higher in priority so it never attempts to apply the second one.

From http://technet2.microsoft.com/window....mspx?mfr=true

"At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence."

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

#3

Re: Loopback processing not working

Hi Paul.

I tried what you suggested but that doesn't work at all. It sounded like a good idea, but I still get the screensaver policy being applied. Just to make sure I'm doing what you suggested, here is what I did.

I have my computer in a security group (this is the one that I DON'T want to have the screensaver on). I went to group policy management and selected the screensaver policy. I then went to the delegation tab, clicked on the advanced button, and selected the security group that my computer was in. I then changed the permissions to deny "read" and deny "apply group policy".

I checked the modeling wizard again, and found an extra bit of info. While it is true that both policies are being applied, the "remove screensaver" policy is only partially being applied. By that, I mean it is listed as being applied under the Computer Configuration section (where the loopback settings are), and it is saying that it is being denied under the user configuration section (where all the screensaver settings are). This is true BOTH with the changes you suggested and without (I took out the deny permissions and reran the query to see if there were changes).

It appears as though if you have a policy filtered by a computer group then it ignores any of the user settings.

Chuck Wilson

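The filtering behaviour reported in posts #1 and #3, as a simplified model (an added example, not part of the original thread and not Microsoft's algorithm). It assumes both GPOs are in scope of the user and the computer, and that user-side settings are always filtered against the logged-on user's permissions, even when loopback pulls them in; the account and group names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    allow: set                                  # granted Read + Apply Group Policy
    deny: set = field(default_factory=set)      # explicitly denied
    computer_cfg: dict = field(default_factory=dict)
    user_cfg: dict = field(default_factory=dict)

    def passes_filter(self, principals):
        # An explicit Deny always beats an Allow.
        return not (self.deny & principals) and bool(self.allow & principals)


def resultant_user_cfg(user, computer, user_scope, computer_scope):
    """user / computer: sets of principals (the account plus its groups).
    *_scope: GPOs in scope of that object, lowest precedence first."""
    # Computer half: filtered against the computer's principals.
    machine = {}
    for gpo in computer_scope:
        if gpo.passes_filter(computer):
            machine.update(gpo.computer_cfg)
    mode = machine.get("loopback")              # None, "merge" or "replace"
    if mode == "replace":
        gpos = computer_scope
    elif mode == "merge":
        gpos = user_scope + computer_scope      # computer's list wins conflicts
    else:
        gpos = user_scope
    # User half: ASSUMPTION of this model - filtered against the *user's*
    # principals, including for GPOs that arrived through loopback.
    result = {}
    for gpo in gpos:
        if gpo.passes_filter(user):
            result.update(gpo.user_cfg)
    return result


# Constructed principals; the settings are the ones quoted in post #1.
CHUCK = {"chuck", "Staff"}
LAB_PC = {"LABPC$", "Lab Computers"}


def lockout(deny=()):
    return GPO("Screensaver lockout", allow={"Staff"}, deny=set(deny),
               user_cfg={"exe": "scrnsave.scr", "timeout": 900, "password": True})


def override(allow):
    return GPO("Lab override", allow=set(allow),
               computer_cfg={"loopback": "merge"},
               user_cfg={"exe": "ssstars.scr", "timeout": None, "password": False})


def thread_case(override_filter, lockout_deny=()):
    """Screensaver Chuck ends up with on the lab PC; the override GPO is
    listed last, i.e. linked with the higher precedence."""
    scope = [lockout(lockout_deny), override(override_filter)]
    return resultant_user_cfg(CHUCK, LAB_PC, scope, scope)["exe"]
```

Filtering the override to the computer alone enables loopback but leaves its user half denied, and a Deny for the computer group on the lockout GPO changes nothing on the user side. In this model the override only takes effect once both the computer and the user pass its security filter.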
#4

Re: Loopback processing not working

If you disabled the old policy w/o first changing it so it wasn't on it won't change, it will remember the old value. You will have to fix it to screen saver disabled first.

--
Paul Bergson
MVP - Directory Services

#5

Re: Loopback processing not working

> If you disabled the old policy w/o first changing it so it wasn't on it
> won't change, it will remember the old value.

Could you please explain what you mean by that? I have no idea what you are talking about.

--
Chuck Wilson

#6

Re: Loopback processing not working

The policy is currently set to be that the screen saver is on. You need to turn the screen saver off now since it is turned on. Is this available once you have disabled your policy? It should be,

--
Paul Bergson
MVP - Directory Services

#7

Re: Loopback processing not working

The policy is currently set to run the screensaver after 15 min. Yes.
It is essentially applied to everyone in our active directory. Yes.
It is denied "read" and "apply group policy" to the computer I am using.
When I logon to said computer, it still does the screen saver.

--
Chuck Wilson

#8

Re: Loopback processing not working

Create a separate policy and elevate it as outlined in the link I sent you and only read and apply for those that you want it set to and this should reset it for you.

Make sure you gpupdate /force or reboot

--
Paul Bergson
MVP - Directory Services

#9

Re: Loopback processing not working

Hi Paul.

I appreciate you are trying to help, but your responses are not really detailed enough to be helpful for me. The link you sent me describes the ordering of policies from various sources (local, group, etc), but doesn't really say how.

I tried making a new policy so I could test things and made a new account so I could eliminate other policies that may be running and interfering with what I'm doing. Under this situation, the only policy that is run is the default group policy.

I made this policy with a blank screensaver, and set it to be filtered by my test account. So far so good.

I then went to the delegation tab and set that policy so that the computer I'm using is denied "Read" and "Apply Group Policy".

When I run the Modeling Wizard, I find that the screensaver policy is being applied on the User Settings level, and denied on the Computer Settings level.

And it doesn't work. And yes, I always use the gpupdate /force when I make changes to the group policy.

--
Chuck Wilson

#10

Re: Loopback processing not working

You have applied a policy to a bunch of machines that you don't want this to occur on, so you need to modify these machines back to the way they previously were. So you should recreate the policy for all users that disables the screensaver. Once this policy has been applied, then go back and redefine the screensaver policy the way you want it to be but DENY (Read and Apply) to the group of machines (Loopback Policy) that you don't want the policy to be applied to.

Now the lab machines will retain the no screensaver policy but everyone else should get the screensaver policy.

If this is still confusing I would also search on the internet for information on this subject. There are plenty of resources that can guide you through this.

--
Paul Bergson
MVP - Directory Services
