Windows – Cannot Apply Screensaver GPO to Windows 7 clients through a Security Group

Tags: group-policy, security, windows, windows 7, windows-server-2003

Our environment consists of a 2003 Active Directory with about a 50% split between XP and Windows 7 clients. Our security policy states that by default everyone's desktop should lock at 2 hours for the screensaver. For select users, the policy states their desktops should lock after 15 minutes of inactivity.

We have applied the 2-hour policy by creating a GPO and linking it to the Organization OU. This works fine for all clients. Security Filtering has the GPO applying to all Authenticated Users.

For the 15-minute screensaver lock, we have the same GPO and linked it to the domain, but this time with Security Filtering we only apply it to a particular security group. This GPO is not working correctly.

We are currently drawing a blank on how to either implement or fix the 15-minute GPO for screensaver lock.

Best Answer

Group Policy processing order is as follows:

LSDOU = Local, Site, Domain, Organizational Unit

Even with the Security Filtering, the GPO setting in the domain-linked GPO is being overridden by the GPO linked at the OU. To get around that you could link the 15-minute GPO to the OU with a lower link order or you could set the GPO at the domain level as Enforced.
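
The precedence rules described in the answer, as an added example that is not part of the original question or answer: a simplified Python model of LSDOU, link order, Enforced and security filtering, run against the setup as posted and against both suggested fixes. The GPO names `Lock-2h` and `Lock-15m` and the group `ShortLock` are constructed; OU nesting, Block Inheritance and loopback processing are not modelled.

```python
from dataclasses import dataclass

# LSDOU: containers are processed in this order, so later ones overwrite earlier ones.
LEVELS = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass(frozen=True)
class Link:
    gpo: str               # GPO name (constructed)
    level: str             # container the GPO is linked to
    order: int             # link order in that container; 1 = highest precedence
    timeout_min: int       # screensaver timeout the GPO sets
    groups: frozenset      # security filtering: groups allowed to apply the GPO
    enforced: bool = False

def effective(links, user_groups):
    """Return (gpo, timeout_min) of the link that wins for this user, or None."""
    applies = [l for l in links if l.groups & user_groups]
    # Non-enforced links: LSDOU order; within a container, link order 1 is applied last.
    normal = sorted((l for l in applies if not l.enforced),
                    key=lambda l: (LEVELS[l.level], -l.order))
    # Enforced links are applied after all others, and a higher container
    # beats a lower one, so they are replayed from OU back up to domain.
    forced = sorted((l for l in applies if l.enforced),
                    key=lambda l: (-LEVELS[l.level], -l.order))
    winner = None
    for link in normal + forced:   # last writer wins
        winner = link
    return (winner.gpo, winner.timeout_min) if winner else None

EVERYONE = frozenset({"Authenticated Users"})
SHORT = frozenset({"ShortLock"})                       # hypothetical group name
member = frozenset({"Authenticated Users", "ShortLock"})

two_hour = Link("Lock-2h", "ou", 1, 120, EVERYONE)
as_posted = [two_hour, Link("Lock-15m", "domain", 1, 15, SHORT)]
fix_enforced = [two_hour, Link("Lock-15m", "domain", 1, 15, SHORT, enforced=True)]
fix_ou_link = [Link("Lock-2h", "ou", 2, 120, EVERYONE),
               Link("Lock-15m", "ou", 1, 15, SHORT)]

if __name__ == "__main__":
    for name, links in [("as posted", as_posted), ("enforced", fix_enforced),
                        ("OU link", fix_ou_link)]:
        print(name, effective(links, member), effective(links, EVERYONE))
```
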