7

I've created a loopback GPO that has several settings (both computer and user) including a Custom User Interface (Access 2007 Application) and Power Management (has the computer sleep after being idle for 2 min). I'm also filtering so that this policy does not apply to "Admins" - only to "Users". The problem I'm having is when the "Users" log in the Power Management settings don't work, but they do for "Admins". For testing I'm allowing the "Users" to launch Task Manager and use the Run line, so I'll run Explorer and look at Power Management and it shows the settings from my GPO. So I created a test OU with copies of the aforementioned GPO, but removed the Custom User Interface and found the Power Management settings do work for both the "Users" and "Admins". When I add the Custom UI the Power Management settings break for the "User" but continue to work for "Admins". Do the Power Management options need to have User Interface be "Explorer.exe"? Is this a bug or am I doing this the wrong way? BTW the tablets are using Vista SP2.

Any insight or advice would be greatly appreciated.

Thanks, Matt

  • 1
    This is not an answer to your question, but a question to you: How are you going to patch your systems when they are asleep? – Joseph Kern Jun 15 '09 at 18:01
  • It's a small group of tablets that will be out in the field collecting data (with no network access) for 1-3 weeks. When they come back data will be retrieved and systems updated. Thanks for your interest in the post! –  Jun 15 '09 at 19:17
  • Are you certain that the policies were applying in the same manner in your 'Test' OU versus the original location? Power management policy is handled by a group policy extension (and thus the group policy service) and doesn't need Explorer.EXE to be running. – Evan Anderson Jun 15 '09 at 19:18
  • I just did a side-by-side comparison and found the Group Policy Inheritance was different. I changed the test OU to mirror the original OU, gpupdate /force and rebooted - same results :( I'm thinking of making a dedicated Power Management GPO and set it as enforced and see what that does. Thanks –  Jun 15 '09 at 20:49

2 Answers

1

As you mention it working in a different OU created for the tests, I'll ask a really stupid question -

You haven't got permissions set wrongly on the GPO object have you? IIRC to apply it you need the apply and the read permission.

It feels like a lame thing to ask, but it does seem like you're locking stuff down heavily and it's easy to go one step too far with that, goodness knows I've done stuff like that before now.

Rob Moir
  • Sorry, I wasn't clear with the results of my test OU. It does work, but only if the custom UI is removed. When I add the custom UI back in, it breaks for USERS and continues to work for ADMINS. I did double check permissions and they are correct too. I've had to remind myself a couple times, that the power management falls under COMPUTER group policy not USER and I'm not filtering on any computers, only the Authenticated Users group. Thanks. –  Jun 15 '09 at 20:46
0

Have a look in the Resultant Set of Policy in mmc and see if you get the correct policies applied.

run -> mmc -> Add/Remove Snap-in -> Resultant Set of Policy -> OK -> right-click and run for current user/computer.

Hope it helps.

MrTimpi
  • 1
    An update on this. I found that Vista totally ignored any power management setting when the Access application replaced explorer.exe as the shell. So we decided to use the power button since it did work to put the device in and out of sleep. Thanks for all the input. -Mat –  Jun 30 '09 at 19:22
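
A scripted version of the checks discussed in this thread (applied policy, effective shell, policy-delivered power settings), as an added example that is not part of any poster's answer. It assumes PowerShell is installed on the Vista tablet and reads the standard policy registry locations; the report path and variable names are placeholders.

```powershell
# Added example: run inside the affected user's session (e.g. from the Run line).
$report = "$env:TEMP\gpo-power-check.txt"   # placeholder output path

# 1. Effective shell. The Custom User Interface policy writes a per-user Shell
#    value; when it is absent, the machine-wide Winlogon Shell value applies.
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$machKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).Shell
$machShell = (Get-ItemProperty -Path $machKey -ErrorAction SilentlyContinue).Shell
"== Shell ==" | Out-File $report
"User policy shell : " + $(if ($userShell) { $userShell } else { '(not set)' }) |
    Out-File $report -Append
"Machine shell     : $machShell" | Out-File $report -Append

# 2. Power settings delivered by computer policy. Each subkey is a power
#    setting GUID; AC/DC values are the plugged-in / on-battery settings.
#    29f6c1db-86da-48c5-9fdb-f2b67b1f44da is the sleep idle timeout (seconds).
$powerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings'
"== Policy power settings ==" | Out-File $report -Append
if (Test-Path $powerKey) {
    Get-ChildItem $powerKey | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        "{0}  AC={1}  DC={2}" -f $_.PSChildName, $v.ACSettingIndex, $v.DCSettingIndex
    } | Out-File $report -Append
} else {
    "Nothing under $powerKey (policy did not reach this machine)" |
        Out-File $report -Append
}

# 3. What the power subsystem reports as active for this session.
"== powercfg ==" | Out-File $report -Append
powercfg -getactivescheme | Out-File $report -Append
powercfg -query           | Out-File $report -Append

# 4. Command-line counterpart of the RSoP snap-in. Computer-scope results
#    need an elevated prompt; a standard user only gets the user scope.
"== gpresult ==" | Out-File $report -Append
gpresult /v | Out-File $report -Append

Write-Host "Report written to $report"
```

Running it once as a member of "Users" with the custom shell and once as an "Admin" gives two reports to diff: if the policy power values match in both, the GPO is applying and the difference lies in how the session honours it.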