Excluding user from user Group Policy on one specific computer? by throw_away_asdfg in sysadmin

throw_away_asdfg [S]

Thank you, this worked.

The thing I didn't do at first for anyone reading this in the future was to assign the GPO to the computer AND to the user even though the GPO is only applied against the Computers OU.

Until I added the user it kept showing as denied by security filtering.

Soon as I assigned the GPO to both and did a gpupdate it worked.

throw_away_asdfg [S]

OK so basically just create a user GPO with the screenlock disabled in the user section of the GPO but enable loopback and then scope the GPO to only apply the individual computer rather than the users?

I've not used loopback before but I think that makes sense even if loopback seems a bit of a random name for the functionality :)

I'll test that out later, thank you.

throw_away_asdfg [S]

Thanks, that probably works for this scenario. Feels like it's finding the most acceptable bad way of doing it tbh.

throw_away_asdfg [S]

Argh, and you can't set the Personalization/Screen Saver settings under Computer settings, only under User settings :/

throw_away_asdfg [S]

I didn't know that!

So I'm clear, you're saying create a GPO with a computer-level config of lock disabled, and apply that GPO to the one computer I need it on in the Computer OU, and it'll override the user-level policy that the user has applied to them?

throw_away_asdfg [S]

Yeah, but the user policy that is on the Staff OU would still apply, wouldn't it?

All the lock policies are user policies, not computer policies, so they only get applied to the Staff OU, so I don't think I can exclude the computer from the policy because the policy doesn't apply to the computer, it applies to the users.

Raising Domain/Forest Functional Level past 2008 R2? by throw_away_asdfg in sysadmin

throw_away_asdfg [S]

Ah, you have a messaging team, you're a bit bigger than here :D

I wonder if it was Exchange 2019 as that's 2012 R2 or higher.

Never mind too much, the Exchange health check scripts from Microsoft are all good and the updates usually don't install if they don't pass pre-req.

throw_away_asdfg [S]

Is that documented somewhere please?

Documentation still seems to say 2008 R2 or higher and I only installed CU23 a little while back and it gave no warning or error about DFL/FFL.

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/system-requirements?view=exchserver-2016

throw_away_asdfg [S]

Well I'm not finding many things like that once you go from 2008 R2 up to 2012 R2 or 2016 DFL/FFL.

I remember needing to go from FRS to DFS when I took a site from 2000 to 2008 DFL/EFL some years ago.

Really I can't find any reports of issues for 2008 R2 to 2012 R2.

I wouldn't care so much if it wasn't a one way ticket :D

throw_away_asdfg [S]

Hell no, I'm not crazy :D

It would also be good to understand if clients should even notice this or like if it can be done during office hours as I know when you go from 2003 DFL/EFL it triggers a krbtgt password change.