Re: Automated logoff using Winexit.scr

I believe you should be able to do it via Group Policy/computer
configuration/security settings/registry. Try setting up a test OU with a
test GPO linked to it trying to accomplish that and move a couple computers
into that OU to see if it works as expected after the GP settings apply to
the computers. Keep in mind that when you change registry permissions via GP
that removing the GP will not cause the registry permissions to change back
to what they were. Also best practice is to not configure file system and
registry settings at the domain level but instead do via an OU.

Steve


"saxophobe" <saxophobe@xxxxxxxxx> wrote in message
news:1156969284.622318.277890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Steve,

Thanks for the reply!

Actually, I've been trying to use RegDACL, but can't figure out how I
can call the executable from a script. We have about 10 DC's in our
domain, do I have to install RegDACL on ALL of them to get this to
work?

I can use RegDACL to change the security of the reg key locally, no
problem. The instructions seem to be lacking on how to make the call
from within a GPO Logon script.

If you have any ideas, please let me know.

Thanks!

sax

Steven L Umbach wrote:
The info in the link below should help.

Steve

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=1179

If a non-administrative user attemps to use the WinExit screen saver,
they
receive:


Error encountered while creating registry key. Make sure you have set
values
and create subkey permissions.To allow then to use the screen saver,
use
regedt32 to navigate to:
HKEY_Local_Machine\Software\Microsoft\Windows
NT\CurrentVersion\IniFileMapping\Control.ini

Use Security / Permissions to click on Everyone and select Special Access
in
the Type of Access drop-down list box. Check Set Value and Create Subkey
and
click OK and OK.

You can use RegDACL to set these permissions in batch.


"saxophobe" <saxophobe@xxxxxxxxx> wrote in message
news:1156953294.383047.10510@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ok all. I have made progress, but still don't have the desired
finished result.

Instead of deploying, which I couldn't get working using a simple .bat
file, I was able to point the Usr Config\Adm Templ\Control
Pnl\Display\Screen Saver executable name to the file on a share and it
works!

Now the only problem is when users time out after inactivity, they get
an error regarding permissions for the following reg key:

HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\IniFileMapping\control.ini

Even though I add Authenticated users with the correct Special
permissions, export the .reg file to the share and have altered my .bat
file to the following single command:

Regedit.exe /s "\\server\share\file.reg"

The requisite permissions are not applying, and the user still gets the
error.

Does anyone have any ideas?

Please help if you can.

Thanks!

sax

saxophobe wrote:
Good Evening all,

I am trying to implement and automated logoff for all computers that
are not servers in our domain. I have tried creating a group policy
and linking it to a new OU called Desktops, but the policy doesn't
apply for some reason. To accomplish this I did the following:

1. Created a .bat file to download the winexit.scr screensaver file to
the C:\Windows\system32 dir from a share on the server
2. Created a custom Administrative Template to enable the settings for
the winexit.scr found here:
http://blog.case.edu/djc6/2005/03/09/automatically_log_off_users
3. Set all the settings to control the Screen Saver in the new policy,
including the ones in User Config > Administrative Templates > Control
Panel > Display

Now, I want to apply this to all desktops and laptops, even remote
ones, and not servers, but my settings don't seem to be applying, and
the .scr file is not being copied from the server, which has to happen
before some of the settings will take effect.

I have checked everything I can think of to get this to work; when I
run the .bat file on it's own, it works. I have made sure that
Authenticated Users have the Apply Group Policy permission defined.

Does this HAVE to be applied to the Default Domain Policy? If so, how
do I keep it from being applied to the servers? Do I have to apply a
WMI filter?

Any info on this would be appreciated.

Thanks to all that take the time to respond!

sax




.

Relevant Pages

  • Re: Terminal Server GPO Issue
    ... servers that is not in the OU where the GPO is supposed to be applied and I ... Microsoft Windows Operating System Group Policy Result tool v2.0 ... Sharepoint Auth GPO ... Event Log Settings ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local Group Policy versus OU (Time Service)
    ... One way I'd skin this is, if those servers are all over your domain (i.e. ... I very rarely come across a lot of differences in policy btw the PDC role ... because they'll all have identical settings. ... > lot of Group Policy settings differently on your DC's and member servers ...
    (microsoft.public.windows.group_policy)
  • Re: Would like to lockdown public computer
    ... not have access to any shares for share permissions or ntfs permissions. ... Learn to use Group Policy. ... protect the cmos settings as it is easy to reboot a computer from a floppy ... the mandatory profile on the local computer and then have the users account ...
    (microsoft.public.win2000.security)
  • Re: Problems configuring security for services
    ... I would think that the permissions you describe should be fine. ... thought that those permissions on the services in the Group Policy were ... you see what's wrong by looking in the Windows security Event Log. ... > settings to try to reset ...
    (microsoft.public.win2000.security)
  • RE: Several Problems; how to reset security and troubleshoot serve
    ... On the SBS security settings; I accept your response, ... On the Remote Assistance Issue I have check all of the settings as you ... What started me on the path of security problem was I had a simular problem ... Start the Microsoft Management Console Group Policy snap-in. ...
    (microsoft.public.windows.server.sbs)