Question
Wednesday, October 2, 2019 2:13 PM
Hello community,
I'm an IT Admin at a company, however I have limited access over the deployment and configuration of GPOs at the highest level. I was wondering if anyone can help me in overriding some company group policies.
First off I've been looking online and could find a few ideas, but with no detailed description on how to implement or automate them.
The problem is we have a screen saver that I think was added on the backend on the Domain Computers GPO, because I have removed the GPO "enforce company screen saver" from the Members list on specific computers and it didn't do anything. The screen saver still shows up after a couple of minutes of inactivity.
Also when I try to open it through the traditional way (right click on desktop + Personalization) the screen saver option is missing. If I search "Screen saver" in the Find a setting box it will open up the Screen Saver Settings box but the Screen saver part (where you can choose which screen saver runs and after how many minutes of inactivity) is greyed out.
Secondly I've tried editing the following settings through gpedit.msc: User Configuration > Administrative Templates > Control Panel > Personalization:
Enable screen saver - switched to Disabled
Prevent changing screen saver - switched to Disabled
Screen saver timeout - switched to Enabled and set to 86400 seconds (24 hours)
Force a specific screen saver - switched to Disabled
The other thing I have tried was to edit settings through regedit as an admin account and created the following:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
-Added new DWORD named NoDispScrSavPage and set the value to 0
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System:
-Changed the value of the DWORD named NoDispScrSavPage from 1 to 0
-Added new DWORD name NoDispCPL and set the value to 0
The screen saver still shows up after ~5 minutes of inactivity, which is annoying because I can't look away from the monitor without having to sign into the account again, every time.
The request is, as I've seen some suggestions online, to create a batch file that overrides the GPOs and changes these settings to disable the screen saver for good and for it to run (through Task Scheduler maybe?) right after the login and right after the Group Policy client finishes applying the policy.
However the questions are:
After you make any changes in gpedit.msc, shouldn't you use gpupdate /force for them to apply?
If yes, then you will get back the settings that are pushed through company GPOs, right?
How could this be implemented to bypass or override the company's GPOs and also apply them without having to push the changes through gpupdate /force, so you can actually keep the settings without the ones configured at the organization level coming back and overriding your changes?
Thank you in advance for helping. :)
All replies (5)
Thursday, October 3, 2019 5:10 AM ✅Answered
Hi,
Based on my experience, what you experienced is an expected behavior.
The order in which GPOs are applied is [local, site, domain, OU]; in other words, the priority order is [OU, domain, site, local].
So in your situation, if you do some different configuration in a GPO at the OU level, it will overwrite the domain-level policy. Also, if you don't want to apply the policy from the domain level, there is also an option [block the inheritance].
But if the GPO on the domain level for the screen saver was [enforced], it will apply anyway, and it will not be overwritten or blocked. If there are conflicts with the domain-level policy (enforced), the domain-level policy will win. And it is not recommended to overwrite the policy through a script, for security reasons and to avoid unnecessary problems in the future.
You can check whether the domain-level policy for the screen saver is enforced, as in the following screenshot:
If I misunderstood you, please let me know.
Best Regards,
Fan
Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
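The precedence rules described in the answer above, as a simplified model added here (not code from the thread or from Microsoft): GPOs are applied in the order local, site, domain, OU with later writers winning, block inheritance drops non-enforced higher-level links, and enforced links are written last. The GPO names, setting keys and values are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Processing order given in the answer: local, site, domain, OU. Later writers win.
LEVELS = ["local", "site", "domain", "ou"]

@dataclass
class Gpo:
    name: str
    level: str              # one of LEVELS
    settings: dict          # setting name -> value
    enforced: bool = False  # only meaningful for site/domain/OU links

def resolve(gpos, block_inheritance=False):
    """Return {setting: (value, winning GPO)} for an object in the OU."""
    ordered = sorted(gpos, key=lambda g: LEVELS.index(g.level))
    result = {}
    # Pass 1: non-enforced GPOs in processing order; each overwrites the last.
    for g in ordered:
        if g.enforced:
            continue
        # Block inheritance on the OU drops non-enforced site/domain links.
        if block_inheritance and g.level in ("site", "domain"):
            continue
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    # Pass 2: enforced GPOs are written last and cannot be blocked. Walking
    # from OU up to site makes the link highest in the hierarchy win.
    for g in reversed(ordered):
        if g.enforced:
            for key, value in g.settings.items():
                result[key] = (value, g.name)
    return result

# Constructed sample GPOs; names, setting keys and values are illustrative.
LOCAL = Gpo("Local policy (gpedit.msc)", "local",
            {"ScreenSaverEnabled": False, "TimeoutSeconds": 86400})
DOMAIN = Gpo("Company screen saver", "domain",
             {"ScreenSaverEnabled": True, "TimeoutSeconds": 300})
OU = Gpo("OU-level GPO", "ou", {"TimeoutSeconds": 900})
DOMAIN_ENFORCED = replace(DOMAIN, enforced=True)

if __name__ == "__main__":
    cases = {
        "local vs domain": resolve([LOCAL, DOMAIN]),
        "OU-level GPO added": resolve([LOCAL, DOMAIN, OU]),
        "domain link enforced": resolve([LOCAL, DOMAIN_ENFORCED, OU], True),
    }
    for label, rsop in cases.items():
        print(label, "->", rsop["TimeoutSeconds"])
```

In the first case the local gpedit.msc values lose to the domain GPO on every refresh, which matches the behaviour reported in the question.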
Thursday, October 3, 2019 10:54 AM
Hello Fan,
Thank you for jumping in to help.
You understood correctly, however I don't think I could break the inheritance or even change any settings on that GPO because it's managed at a higher level and I don't have access, that's why I wanted to implement a local solution, if possible of course.
As far as I can see the policy is not Enforced, but if you say it's an expected behavior, then it means that no matter how much I try to change the settings as soon as the next login/restart occurs it will push the GPOs again to be applied to the Computer, just because it's part of the OU that inherits permissions from some Parent (I have no clue which one, but I'm pretty sure I can't modify that anyway).
If you have any other ideas for bypassing that would be great, however if it just can't be done I'll take that as an answer too. It was worth a shot.
Have a look at the configuration below:
Friday, October 4, 2019 1:19 AM
Hi,
As your domain-level policy was not enforced, I think we can change the policy at the OU level.
I don't know whether you have permission to create a new GPO at the OU level. If not, I think contacting the administrator is the best way.
Best Regards,
Fan
Monday, October 21, 2019 10:30 AM
Hi,
Just want to confirm the current situation.
Please feel free to let us know if you need further assistance.
Best Regards,
William
Thursday, November 14, 2019 11:37 AM
Hi,
I'm really sorry I've had some time away and could not answer you.
I have checked and currently don't have permissions in the infrastructure to create/modify GPOs.
The answer you gave me in the beginning was very good.
Thank you for all the time you put into helping me.
Have an awesome day,
Iosif