Re: GPO to Lock workstations
From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 08/29/04
- Next message: Olivier César: "Redirect Application Data [XP SP2 ADM]"
- Previous message: Bruce Sanderson: "Re: Block Group Policy Settings Based on Group Membership"
- In reply to: Bruce Sanderson: "Re: GPO to Lock workstations"
- Next in thread: Jason: "Re: GPO to Lock workstations"
- Reply: Jason: "Re: GPO to Lock workstations"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 29 Aug 2004 12:08:03 +0100
I don't know how I missed that one.
Thanks!
Oli
"Bruce Sanderson" <bsanders@junk.junk> wrote in message
news:eCOLhTWjEHA.3536@TK2MSFTNGP12.phx.gbl...
> Are you saying that the setting (in a GPO):
>
> Administrative Templates
> Control Panel
> Display
> Screen Saver timeout: xx seconds
>
> doesn't do what it says it will do?
>
> The combination of this one plus
> Hide Screen Saver tab: Enabled
> Screen Saver: Enabled
> Screen Saver Executable name: Enabled - scrnsave.scr
> Password protect the screen saver: Enabled
>
> seems to be forcing the computer to lock after xx seconds and require the
> user to re-authenticate for us.
>
> --
> Bruce Sanderson MVP
>
> It is perfectly useless to know the right answer to the wrong question.
>
>
> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
> news:%23Y97ItOjEHA.140@TK2MSFTNGP12.phx.gbl...
>> You need to configure the screensaver to secure (lock) the workstation.
>> This can be done with group policy. However, it's a user policy, not a
>> computer policy. If you want to do this for a set of computers,
>> configure a GPO on the OU containing the machines and use loopback
>> processing to configure user settings.
>>
>> Unfortunately, what group policy doesn't allow you to do is to ensure the
>> user has a sensible timeout set on the screensaver.
>>
>> The timeout is stored in the "ScreenSaveTimeOut" value in the following
>> registry key:
>> HKEY_CURRENT_USER\Control Panel\Desktop
>>
>> The unit is seconds. You should be able to script this either by
>> exporting the registry key to a text file and removing the unnecessary
>> lines. Then run it using "regedit.exe /s myfile.reg".
>>
>> Ideally, you want to be able to specify a maximum value, so that if the
>> user opts for a shorter timeout than the one you specify, they can, but
>> if they specify a longer timeout, it'll be reset each time they log in.
>> Ask in one of the scripting groups if you need a hand with this.
>>
>> Regards
>>
>> Oli
>>
>>
>>
>> "Jason" <Jason@discussions.microsoft.com> wrote in message
>> news:5FF65E0E-14BF-4102-91BB-EA4D8974F791@microsoft.com...
>>> Is there a GPO out there to just lock a computer after a certain amount of
>>> minutes of inactivity? I know there is one to logoff the account, I could
>>> not find one for just locking the workstation. Thanks in advance.
>>>
>>> Jason
>>
>>
>
>
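
The logon-time cap on "ScreenSaveTimeOut" discussed in this thread, as an added example that is not code from any of the posters: a per-user logon script that leaves a shorter timeout alone and resets a longer, missing or invalid one. The 600-second cap and the function name Get-DesktopValue are assumptions; the policy key checked first is where the "Screen Saver timeout" user policy stores its value.

```powershell
# Added example: per-user logon script that caps the screen saver timeout.
# $MaxSeconds is an assumed site value, not taken from the thread.
$MaxSeconds = 600
$UserKey    = 'HKCU:\Control Panel\Desktop'
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Hypothetical helper: returns $null when the key or value is absent.
function Get-DesktopValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# If the timeout is already set by group policy, it wins; report it and stop.
$policyTimeout = Get-DesktopValue $PolicyKey 'ScreenSaveTimeOut'
if ($null -ne $policyTimeout) {
    Write-Output "Timeout enforced by policy: $policyTimeout seconds"
    return
}

# The value is stored as a string; missing or non-numeric data is treated
# as non-compliant, the same as a timeout above the cap.
$current = Get-DesktopValue $UserKey 'ScreenSaveTimeOut'
$seconds = 0
$valid   = [int]::TryParse([string]$current, [ref]$seconds)

if (-not $valid -or $seconds -le 0 -or $seconds -gt $MaxSeconds) {
    Set-ItemProperty -Path $UserKey -Name 'ScreenSaveTimeOut' -Value ([string]$MaxSeconds)
    Write-Output "Timeout was '$current'; reset to $MaxSeconds seconds"
} else {
    Write-Output "Timeout of $seconds seconds is within the cap; left unchanged"
}
```

The script only bounds the timeout; the lock itself still depends on the screen saver and password-protect settings listed earlier in the thread.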