
We have two screen lock policies in the domain controllers GPO editor.

1 applies to 'authenticated users' so it will affect all users on the domain, as intended. It is not enforced. It sets the screen lock to 15 minutes. All working fine.

2 applies to specific users, i.e. the sales team, via security filtering. They want a longer time before the screen locks. So the second policy sets the lock to 30 minutes. This is enforced, so it will override policy 1 for the users in security filtering.

Now this was working perfectly fine on Windows 7 PCs. 100% as intended.

However, on Windows 10, policy 1 is applying but policy 2 is not overriding, despite being enforced. Upon checking GPresult, it is actually applying, which is confusing.

I have ruled out incompatible ADMX items as both policies are using the same settings and policies; the ONLY differences are the length of time and the fact that policy 2 is enforced.

I was hoping that someone would be able to advise. And no, unfortunately having one policy set to 30 minutes for everyone is not acceptable to my boss.

EDIT

I am using the latest Windows 10 ADMX templates, yes, and I forgot to mention that both of these policies are linked at the Domain level.

1 Answer


Did you download the latest ADMX for Windows 10 on your domain server?

Also, please know that a GPO upstream (one linked to a higher OU or the domain) that is enforced can cause you problems. If the Default Domain Policy was enforced, every setting in it would apply to every object in the domain. This is because it is linked at the Domain level (remember LSDOU?). It does not matter if another GPO is linked to an OU and is enforced. With enforcement, the highest GPO wins.

http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx

Would you please try to create a new OU for the ones who use the second GP?

https://technet.microsoft.com/en-sg/library/cc785665(v=ws.10).aspx
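
An added example, not part of the answer above: a PowerShell check of the facts the question and answer turn on, namely which GPOs are linked at the domain root, in what link order, which are enforced, and who each one is security-filtered to. The domain DN, GPO display names, user and computer names are assumed placeholders.

```powershell
# Requires the GroupPolicy module (RSAT / Group Policy Management feature).
Import-Module GroupPolicy

# Assumed placeholders: replace with your own domain DN and GPO display names.
$DomainDn = 'DC=example,DC=com'
$GpoNames = 'Screen Lock 15 min', 'Screen Lock 30 min (Sales)'

# 1. GPO links at the domain root. Among links on the same container,
#    Order 1 has the highest precedence; Enforced links cannot be
#    overridden by links lower in the hierarchy.
$inheritance = Get-GPInheritance -Target $DomainDn
$inheritance.GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 2. Security filtering: list every trustee holding "Apply group policy"
#    on each of the two GPOs, plus whether the GPO itself is fully enabled.
foreach ($name in $GpoNames) {
    $gpo = Get-GPO -Name $name
    '{0}  (status: {1})' -f $gpo.DisplayName, $gpo.GpoStatus
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            '  applies to: {0} ({1})' -f $_.Trustee.Name, $_.Trustee.SidType
        }
}

# 3. Resultant Set of Policy for one affected user on one Windows 10 machine
#    (assumed names). The HTML report shows the winning GPO per setting,
#    which is what to compare against the Windows 7 result.
$report = Join-Path $env:TEMP 'rsop-sales.html'
Get-GPResultantSetOfPolicy -User 'EXAMPLE\sales.user' `
    -Computer 'WIN10-PC01' -ReportType Html -Path $report
```

The RSoP step needs the user to have logged on to that computer at least once, and the account running it needs rights to query RSoP data on the target.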