Best way to exempt a group from a portion of domain policy

By TLM1974 ·
I have a Windows Server 2003 network. Our main groups of users are Students and Faculty/Staff.

Our domain policy is very minimally customized, but we do have some specifics such as enforcing a password protected screen saver, and only the Faculty/Staff groups have a shutdown button. We also enforce password security.

I am trying to figure out the best way to exempt a group of computers from the password protected screen saver timeout. These are 2 specific labs that use Court Reporting equipment that does not generate a signal to the computer that it is in use. So, the screensaver will come on, messing up their timed tests.

I have already created a group that contains the computers in the two labs. I know I can exempt the group from the ENTIRE domain policy, but I only want to exempt them from the Screen Saver portion. I can't find a way to target the computer group for just that portion of the policy.

I could create a second domain policy, under the main domain policy, configuring it exactly the same except for the screen saver, then exempt the main policy for that group and apply the second policy. Is this the way to go? I don't want to make this complicated.

I could also create another OU for these computers and apply a second policy to them.

What's the ideal way to do this?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Just did the same thing

by shasca In reply to Best way to exempt a grou ...

We are rolling out Vista at the present time.(Don't ask) We are also going to lock all these down with a new GPO.

We have the need to install and configure these devices and then deliver and have the users log in and do what customization they want. Install personal Printers, GPS software, Palms etc.

We created an OU with no restrictions. We put these devices in this OU deliver them to the user, let them do their thing and then we move the devices to the OU "Computers" with the applied Policies which in turn locks them down. Works great. I would recommend a seperate OU for your environment.

Collapse -

New OU

by IC-IT In reply to Best way to exempt a grou ...

Also it is not recommended to use the Default Domain GPO to add changes.
I would delete that (Screensaver) portion out of whichever GPO it is currently in. Create a new GPO with just that policy.
Create the OU for the Lab computers and block only the new GPO.

Related Discussions

Related Forums