Re: GPO to Lock workstations

From: Bruce Sanderson (bsanders_at_junk.junk)
Date: 08/29/04 

Date: Sat, 28 Aug 2004 18:09:58 -0700

Are you saying that the setting (in a GPO):

Administrative Templates
  Control Panel
    Display
     Screen Saver timeout: xx seconds

doesn't do what it says it will do?

The combination of this one plus
   Hide Screen Saver tab: Enabled
   Screen Saver: Enabled
   Screen Saver Executable name: Enabled - scrnsave.scr
   Password protect the screen saver: Enabled

seems to be forcing the computer to lock after xx seconds and require the
user to re-authenticate for us. 

-- 
Bruce Sanderson  MVP
It is perfectly useless to know the right answer to the wrong question.
"Oli Restorick [MVP]" <oli@mvps.org> wrote in message 
news:%23Y97ItOjEHA.140@TK2MSFTNGP12.phx.gbl...
> You need to configure the screensaver to secure (lock) the workstation. 
> This can be done with group policy.  However, it's a user policy, not a 
> computer policy.  If you want to do this for a set of computers, configure 
> a GPO on the OU containing the machines and use a loopback processing to 
> configure user settings.
>
> Unfortunately, what group policy doesn't allow you to do is to ensure the 
> user has a sensible timeout set on the screensaver.
>
> The timeout is stored in the "ScreenSaveTimeOut" value in the following 
> registry key:
> HKEY_CURRENT_USER\Control Panel\Desktop
>
> The unit is seconds.  You should be able to script this either by 
> exporting the registry key to a text file and removing the unnecessary 
> lines.  Then run it using "regedit.exe /s myfile.reg".
>
> Ideally, you want to be able to specify a maximum value, so that if the 
> user opts for a shorter timeout than the one you specify, they can, but if 
> they specify a longer timeout, it'll be reset each time they log in.  Ask 
> in one of the scripting groups if you need a hand with this.
>
> Regards
>
> Oli
>
>
>
> "Jason" <Jason@discussions.microsoft.com> wrote in message 
> news:5FF65E0E-14BF-4102-91BB-EA4D8974F791@microsoft.com...
>> Is there a GPO out to there to just lock a computer after a certain 
>> amount of
>> minutes of inactivity?  I know there is one to logoff the account, I 
>> could
>> not find one for just locking the workstation.  Thanks in advance.
>>
>> Jason
>
>

Relevant Pages

  • Re: policy editor help lease
    ... Create a new GPO. ... Edit the GPO so that the screen saver options are set. ... The policy should then apply after the next Group Policy update. ... > If a NON admin can change screen saver I don't know how to help you. ...
    (microsoft.public.windows.server.sbs)
  • Re: How not to apply
    ... You can configure filtering of Group Policy using either OUs or security ... you can create a second GPO that only ... > Screen saver is activated via GPA at the domain level. ...
    (microsoft.public.win2000.group_policy)
  • Re: GPO to Lock workstations
    ... > Are you saying that the setting (in a GPO): ... > Hide Screen Saver tab: ... >> This can be done with group policy. ... >> user has a sensible timeout set on the screensaver. ...
    (microsoft.public.win2000.group_policy)
  • RE: Screensaver policy on some PCs
    ... Simply speaking, you should link the GPO to an OU, and PUT ALL YOUR USER ... > Hide Screen Saver tab = Enabled ... > Security on the policy only has a Universal Security Group which each ... > propogated by now (we have the default group policy refresh time set). ...
    (microsoft.public.win2000.group_policy)
  • Re: TS 2003 client timeout value.
    ... Sounds like a password protected screen saver is running on the ... Terminal server for the users. ... You can disable it in a Group Policy. ... "Screen saver timeout" ...
    (microsoft.public.windows.terminal_services)