"Enforced" a. k. a. "No Override" takes precedence over "Block Policy Inheritance", see for example
http://www.windowsitpro.com/Article/ArticleID/15420/15420.html So the "Enforced" 120 minute overrides the lower 3 minute setting even with "Block Policy Inheritance" set. This is true in Windows 2000 and Windows 2003. -- Michael C. Bazarewsky -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, May 31, 2005 9:26 AM To: [email protected] Subject: [ActiveDir] GPO oddity We have a Default Domain level GPO that is set to "Enforced". In this GPO, we set a 120 minute screensaver timeout that locks the screensaver after 120 minutes. In a GPO at a lower OU level, we have an OU that has "Block Policy Inheritence" turned on, and a GPO is linked to that OU that sets the screensaver timeout to 3 minutes. For some reason, the users in that OU are getting the default domain GPO timeout of 120 minutes rather than the 3 minute screensaver timeout. I assume if we turn off "Enforced" on the default domain GPO, anyone that belongs to a Block Policy Inheritence OU will get their lower level GPO applied rather than the default domain GPO? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
smime.p7s
Description: S/MIME cryptographic signature
