I'm trying to figure out how to handle exclusion requests for the corporate screen lock policy. Some customers want certain users and computers to be exempt from this policy, but I'm running into issues. When I set the policy based on users, it's hard to exclude specific computers, and if I set it based on computers, it's tough to exclude users. How are others managing this? Please don't tell me you never exclude anyone!
5 Answers
For managing this, we've successfully used security group filtering instead of jumping between user and computer GPOs. It allows for including all users while excluding specific groups when necessary. It’s a little clunky, but it’s proven to be the least painful method for handling these edge cases.
You might want to consider using a loopback GPO for this. It allows you to apply a user policy that disables the lock screen for all users on specific machines. Just keep in mind it can get a bit messy, and you need to remember you've set it up like that.
Yeah, that sounds like the way to go for sure!
Alternatively, you could avoid the loopback by creating specific computer groups. We did something similar and excluded certain machines by placing them in a dedicated security group, which worked well.
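One way to put together what these replies describe (a dedicated computer security group, a loopback GPO in merge mode, and security-group filtering so only that group applies it), as an added PowerShell example that is not from any poster in this thread; the OU paths, group, GPO and host names are assumed placeholders:

```powershell
# Hypothetical names: OU paths, group, GPO and host names are placeholders, not from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ExemptGroup   = 'GPO-ScreenLock-Exempt-Computers'             # assumed group name
$ExemptGpo     = 'Screen Lock - Exempt Machines (Loopback)'    # assumed GPO name
$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'          # assumed OU
$GroupOU       = 'OU=Groups,DC=corp,DC=example'                # assumed OU

# 1. Dedicated security group that holds only the exempt computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$ExemptGroup'")) {
    New-ADGroup -Name $ExemptGroup -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $ExemptGroup -Members (Get-ADComputer 'MONITOR-01')  # assumed host

# 2. Loopback GPO in Merge mode: its user-side settings are processed after the user's own
#    GPOs on member machines, so they win over the user-based screen lock policy there.
New-GPO -Name $ExemptGpo | Out-Null
Set-GPRegistryValue -Name $ExemptGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1          # 1 = Merge, 2 = Replace

# User-side override carried by the loopback GPO: screen saver off / not secured.
$desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $ExemptGpo -Key $desktop -ValueName 'ScreenSaveActive'    -Type String -Value '0'
Set-GPRegistryValue -Name $ExemptGpo -Key $desktop -ValueName 'ScreenSaverIsSecure' -Type String -Value '0'

# 3. Security filtering: Authenticated Users keeps Read (the computer account must still be able
#    to read the GPO) but loses Apply; only members of the exempt group apply it.
Set-GPPermission -Name $ExemptGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $ExemptGpo -TargetName $ExemptGroup -TargetType Group -PermissionLevel GpoApply

# 4. Link at the workstation OU; because of the filtering it only takes effect on group members.
New-GPLink -Name $ExemptGpo -Target $WorkstationOU -LinkEnabled Yes

# 5. The 'enforced' trap: Enforced links override normal precedence, so when an exemption does
#    not take effect, list the enforced links inherited by the OU before changing anything else.
(Get-GPInheritance -Target $WorkstationOU).InheritedGpoLinks |
    Where-Object { $_.Enforced } |
    Select-Object DisplayName, Target, Enforced
```

If the lock comes from the machine-side "Interactive logon: Machine inactivity limit" security setting rather than the screen saver policy, a user-side override does not reach it and the exemption GPO must clear that setting instead.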
I'm intrigued but I'm not sure I'm catching the full picture of your issue. Are you aiming to exclude specific user accounts from the overall GPOs?
Yes! Right now, the screen lock applies to all users through a user-based GPO, and we occasionally receive requests to exclude certain users or computers. Users are easier to manage, but excluding computers tied to any user has me puzzled.
Honestly, I can't see why they're asking for this setup unless there's some office politics at play. But honestly, I guess there could be valid reasons. For instance, some jobs require constant monitoring and they need to avoid being interrupted by a lock screen every few minutes.
I can definitely think of some logical reasons. Like, if someone is monitoring security systems, they shouldn't have to deal with lock screens after a few minutes.
I had the same thought! But there are practical reasons behind these requests, like specific work duties requiring constant attention.
I handle this setup in the hospitals I work for, especially with our autologon systems. We have one computer group and two policies – one for filtering display sleep settings and the other for managing screensaver and lock preferences. This setup ensures that all users on those machines follow the established settings without any hassle.
Keep in mind that the 'enforced' setting in GPO can get tricky. It's meant to override inheritance, but overusing it can lead to complications down the line.
Yeah, 'enforced' can be a slippery slope! Always better to keep it simple and clear in your GPO arrangement.

Sounds like a solid approach and maybe the best balance between flexibility and control!