Automatically locking desktop after a certain period of time

Guest

We are in an educational setting. Staff members periodically forget to lock
their computers when they leave their classroom or office. We are on Active
Directory and each staff member is a regular user. Is there any way to have
the computer automatically lock after a certain amount of time (like some
programs do)?
 
Since you're on Active Directory, force the use of a screen saver and a timeout and password requirement via Group Policies. These settings are in User Configuration, Administrative Templates, Control Panel, Display.
 

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

sfurney said:
We are in an educational setting. Staff members periodically forget to lock
their computers when they leave their classroom or office. We are on Active
Directory and each staff member is a regular user. Is there any way to have
the computer automatically lock after a certain amount of time (like some
programs do)?


If the user renames the .scr file, and since it appears the local .scr file
gets used, wouldn't that obviate the screen saver from getting used? It
might, however, still force a Windows lockout (i.e., Ctrl-Alt-Del window
appears). The policy should still push the option to password protect on
triggering the screen saver. Although the screen saver can't run, the
Windows logon screen should still show up.
 
The user shouldn't have write permissions to the Windows\System32 folder, so they shouldn't be able to rename the SCR file. If you're allowing them to run as Administrators, then they'll be able to.
 

Vanguard (NPI) said:
Since you're on Active Directory, force the use of a screen saver and a
timeout and password requirement via Group Policies. These settings are in
User Configuration, Administrative Templates, Control Panel, Display.

If the user renames the .scr file, and since it appears the local .scr file
gets used, wouldn't that obviate the screen saver from getting used? It
might, however, still force a Windows lockout (i.e., Ctrl-Alt-Del window
appears). The policy should still push the option to password protect on
triggering the screen saver. Although the screen saver can't run, the
Windows logon screen should still show up.


True, and they cannot use .reg files to update the registry, either, unless
they are admin users. However, "Staff members" gives absolutely no clue as
to which group those users belong or their permissions.

There isn't even mention if the users are logging in under a domain where
you could push policies (and which, by the way, only get pushed when they
login and can be overridden during that Windows session, like using "regedit
/s <.reg_file>" in the Startup group to undo those one-time pushed policy
settings). So if they are on a domain, they can still override policies.
If not on a domain, they can override local policies or registry edits by
the admin. However, both scenarios do require the user have admin rights to
change the registry. I assumed "Staff members" were more likely to have
admin rights than, say, tutors, students, or other non-staff users.

If you have admin rights, you can use a .reg file to change registry
settings which even specify which .scr file to load, and you could specify a
bogus filename rather than having to rename the .scr file itself. Because I
have admin rights to my host under the domain login, I can override the
15-minute policy setting which attempts to use logon.scr to lockup my host.
I have several hosts in my cubicle and cannot have them locked up because
that prevents me from seeing critical e-mail alerts and the status of
currently running jobs. But it did require getting admin rights to my host
under my domain login.
 
You can even prevent an administrator level user from modifying the Registry. If you use Group Policies to block Regedit, you can't import a REG file. With Regedit anyway. I don't know if the command line version, REG, observes this policy, or not. If not, you could also enforce the policy to disallow REG.EXE to run. And last, but not least, remove Administrators' permissions from the Registry keys in question, and only allow System and Administrator write access.
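
A defender-side check for the settings discussed in this thread, added here as an example and not taken from any of the posts: it reads the per-user policy values that the Group Policy screen saver settings write, confirms the configured .scr file exists, and lists who can write to the policy key. The 900-second limit and the trusted-writer list are assumptions to adjust to your own policy.

```powershell
# Added example: audit the per-user screen saver lock policy values.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Test-ScreenSaverLockPolicy {
    param(
        [string]$Key = $PolicyKey,
        [int]$MaxTimeoutSeconds = 900   # assumed limit (15 minutes); set to your own policy
    )
    $findings = @()
    $values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $values) {
        return @('Policy key missing or empty: no screen saver policy is applied to this user')
    }
    if ($values.ScreenSaveActive -ne '1') { $findings += 'ScreenSaveActive is not 1: screen saver is not forced on' }
    if ($values.ScreenSaverIsSecure -ne '1') { $findings += 'ScreenSaverIsSecure is not 1: no password on resume' }

    $timeout = 0
    if (-not [int]::TryParse([string]$values.ScreenSaveTimeOut, [ref]$timeout) -or $timeout -le 0) {
        $findings += 'ScreenSaveTimeOut is not set to a positive number of seconds'
    } elseif ($timeout -gt $MaxTimeoutSeconds) {
        $findings += "ScreenSaveTimeOut is $timeout s, above the $MaxTimeoutSeconds s limit"
    }

    # The thread's concern: the configured .scr name may not resolve to a real file.
    $scr = $values.'SCRNSAVE.EXE'
    if (-not $scr) {
        $findings += 'SCRNSAVE.EXE is not set by policy'
    } else {
        $path = [Environment]::ExpandEnvironmentVariables($scr)
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $findings += "Screen saver file not found: $path" }
    }

    # Who can write the policy values? Assumed trusted writers; names assume English-language Windows.
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    foreach ($rule in (Get-Acl -Path $Key).Access) {
        if ($rule.AccessControlType -eq 'Allow' -and (($rule.RegistryRights -band $setValue) -ne 0) -and
            $trusted -notcontains $rule.IdentityReference.Value) {
            $findings += "Write access to policy key granted to $($rule.IdentityReference.Value)"
        }
    }
    return $findings
}

$result = Test-ScreenSaverLockPolicy
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Screen saver lock policy is in place.' }
```

Run it in the staff member's own session, since the values live under that user's HKCU hive.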
 