Dear Jeff,
Thank you for your update.
I would like to provide the following suggestion:
1. Please adjust the script to directly change the following registry
entry:
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
NOTE: The screen saver protection group policy setting changes the
following entry we used before:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
2. Each group policy object consists of two parts: Computer Configuration and
User Configuration. Please ensure that you enable the script in User
Configuration/Windows Settings/Scripts (logon/logoff).
3. It is a good idea to remotely check the user's registry through the network.
In this way, the CURRENT_USER hive is not available. However, we can check
the entry in the following hive:
<COMPUTER NAME>\HKEY_USERS\<SID>\Control Panel\Desktop\ScreenSaverIsSecure
To get the account's SID, you can use one of the methods below:
3.1) Check the following registry entry to determine which hive belongs to
the problematic user:
<COMPUTER NAME>\HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name
3.2) Log on as the problematic user and run a Windows 2000 Resource Kit tool
whoami.exe as follows:
whoami.exe /all
As a result, you will get the SID of the current user account.
Please let me know if anything is unclear. Thanks!
Regards,
Joe Wu
Product Support Services
Microsoft Corporation
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
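
The remote check from step 3 above, as an added PowerShell example (not part of the original post or of Microsoft's reply): it walks HKEY_USERS\<SID> on a target machine, reads ScreenSaverIsSecure from both the preference and the policy location, and resolves each SID to an account name. The function name is hypothetical, and the code assumes the Remote Registry service is reachable and the caller may read other users' hives.

```powershell
# Added example, not from the thread. Get-ScreenSaverLockState is a
# hypothetical name. Assumes the Remote Registry service is running on the
# target and the caller has rights to read the loaded user hives.
function Get-ScreenSaverLockState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $prefPath   = 'Control Panel\Desktop'
    $policyPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $users = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
    try {
        foreach ($sid in $users.GetSubKeyNames()) {
            # Only account hives: skips .DEFAULT, S-1-5-18/19/20 and *_Classes.
            if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }

            # Read the value from both locations; $null means "not present".
            $found = @{}
            foreach ($path in $prefPath, $policyPath) {
                $key = $users.OpenSubKey("$sid\$path")
                if ($key) {
                    $found[$path] = $key.GetValue('ScreenSaverIsSecure')
                    $key.Close()
                }
            }

            # Map the SID to an account name, the reverse of "whoami.exe /all".
            try {
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            # A value written by Group Policy takes precedence over the preference.
            $policy    = $found[$policyPath]
            $pref      = $found[$prefPath]
            $effective = if ($null -ne $policy) { $policy } else { $pref }

            [pscustomobject]@{
                Computer   = $ComputerName
                Account    = $account
                Sid        = $sid
                Preference = $pref
                Policy     = $policy
                Locked     = ($effective -eq '1')
            }
        }
    } finally {
        $users.Close()
    }
}

# Example: audit the shared workstation named in the thread.
# Get-ScreenSaverLockState -ComputerName STATION_131 | Format-Table -AutoSize
```

Only hives of users who are currently logged on (or otherwise loaded) appear under HKEY_USERS, so an empty result means no profile was loaded at the time of the check.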
--------------------
|From: "Jeff Smyrski"
|Subject: Re: Disable Screen Saver Password for Machine
|Date: Thu, 16 Oct 2003 09:47:50 -0400
|Newsgroups: microsoft.public.win2000.group_policy
|
|Okay here is what I tried...direct me where I might have gone wrong.
|
| I waited for the user to log into the machine, but since the domain
|policy restricts the use of registry edit tools, I attempted the regedit
|remotely, only as you know the CURRENT_USER hive is not available. So I
|looked under Users, then the keys as you defined them, but the
|ScreenSaverIsSecure is not present...should it be?
| I will attempt to go to the machine and use the run as option for
|regedit, but not sure if that will work, it seems that with xp, it creates
|another profile, for the user who is being run as...and does not really work
|the way the windows 2000 method did.
| Please advise.
|Jeff Smyrski
|
|> Dear Jeff,
|>
|> Thank you for clarifying why you prefer a logon script.
|>
|> I suspect that the setting has been overwritten. Please check the following:
|>
|> 1. After the customer logon, please check the following registry entry.
|>
|> HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
|>
|> 2. If a screen saver password protection is still enabled, please check the
|> above registry key again.
|>
|> In the future, we can check which group policies have been applied.
|>
|> By the way, regarding the printer issue, I have encountered an almost
|> identical issue before and I resolved the problem by using a VB script. In
|> that script, I used the code like the following (this is what I provided in
|> my last response):
|>
|> Set WshNetwork = WScript.CreateObject("WScript.Network")
|> PrinterPath = "XXX"
|> WshNetwork.AddWindowsPrinterConnection PrinterPath
|> WshNetwork.SetDefaultPrinter PrinterPath
|>
|> Generally, we use the UNC path to the network printer as the parameter. You
|> can find this in the following TechNet/MSDN examples:
|>
|> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_prn_avmt.asp
|>
|> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsmthsetdefaultprinter.asp
|>
|> Thanks!
|>
|> Regards,
|> Joe Wu
|> Product Support Services
|> Microsoft Corporation
|>
|> --------------------
|> |From: "Jeff Smyrski"
|> |Subject: Re: Disable Screen Saver Password for Machine
|> |Date: Wed, 15 Oct 2003 16:53:14 -0400
|> |Newsgroups: microsoft.public.win2000.group_policy
|> |
|> |Okay Joe, another snafu as it were.
|> | You saw my script, it must set the registry value, but it seems that the
|> |screen saver is still enabled.
|> |
|> | Perhaps not at first, but it seems that after a while the domain policy
|> |and group policies are re-applied wiping out the setting I make, I assume
|> |this would be the case with either this script or a registry batch file in
|> |the startup, if the key is changed, somehow over time the policy is
|> |resetting it back.
|> |
|> | Any ideas, how or why this would be happening?
|> |
|> |Jeff Smyrski
|> |
|> |> Dear Jeff,
|> |>
|> |> Thank you for your reply. Yes, I think that this method should also work.
|> |> Besides, I would like to provide two suggestions:
|> |>
|> |> 1. The usage of AddWindowsPrinterConnection is not the same in different
|> |> operating systems:
|> |>
|> |> Windows NT/2000:
|> |> object.AddWindowsPrinterConnection(
|> |> strPrinterPath
|> |> )
|> |> Windows 9x/Me:
|> |> object.AddWindowsPrinterConnection(
|> |> strPrinterPath,
|> |> strDriverName[,strPort]
|> |> )
|> |>
|> |> Therefore, if the clients are Windows NT or Windows 2000, we can use only
|> |> one argument.
|> |>
|> |> 2. SetDefaultPrinter() should use the same argument as
|> |> AddWindowsPrinterConnection().
|> |>
|> |> So we can use the following code for Windows 2000 systems:
|> |>
|> |> Set WshNetwork = WScript.CreateObject("WScript.Network")
|> |> PrinterPath = "\\BOFU2000\HP_CSR 5000dn PCL 6"
|> |> WshNetwork.AddWindowsPrinterConnection PrinterPath
|> |> WshNetwork.SetDefaultPrinter PrinterPath
|> |>
|> |> Thank you for using our news groups!
|> |>
|> |> Regards,
|> |> Joe Wu
|> |> Product Support Services
|> |> Microsoft Corporation
|> |>
|> |> --------------------
|> |> |From: "Jeff Smyrski"
|> |> |Subject: Re: Disable Screen Saver Password for Machine
|> |> |Date: Tue, 14 Oct 2003 16:13:41 -0400
|> |> |Newsgroups: microsoft.public.win2000.group_policy
|> |> |
|> |> |So, I guess I am lost, does the following vbscript work for what I want it
|> |> |to do?
|> |> |This is the logon script for all users in this particular group...which also
|> |> |selectively maps the default printer.
|> |> |
|> |> |In my model I have two cross trained secretaries that will log onto 3
|> |> |different workstations, in diff, locations, with diff printers available. I
|> |> |figure that I am already detecting the workstation in order to perform these
|> |> |steps, will adding the network line under the Case Station_131 work in this
|> |> |scenario. Also, I have moved the policy to the top of the list and checked
|> |> |the no override option...to preserve the setting from other policies.
|> |> |Please let me know.
|> |> |Jeff Smyrski
|> |> |
|> |> |Set WshNetwork = WScript.CreateObject("WScript.Network")
|> |> |Set WshShell = WScript.CreateObject("WScript.Shell")
|> |> |Select Case WshNetwork.ComputerName
|> |> | Case "STATION_120"
|> |> | PrinterPath = "\\BOFU2000\HP_CSR 5000dn PCL 6"
|> |> | PrinterDriver = "HP LaserJet 5000 Series PCL 6"
|> |> | WshNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
|> |> |
|> |> | PrinterPath = "\\BOFU2000\HP_PBSEC - HP 4 Plus"
|> |> | PrinterDriver = "HP LaserJet 4 Plus"
|> |> | WshNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
|> |> |
|> |> | WshNetwork.SetDefaultPrinter "\\BOFU2000\HP_PBSEC"
|> |> | Case "STATION_131"
|> |> | PrinterPath = "\\BOFU2000\HP Color - CB PCL 5c"
|> |> | PrinterDriver = "HP Color LaserJet 4500 PCL 5c"
|> |> | WshNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
|> |> | WshNetwork.SetDefaultPrinter "\\BOFU2000\CBColor"
|> |> |
|> |> | WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaverIsSecure", 0, "REG_SZ"
|> |> |
|> |> |Case Else
|> |> | PrinterPath = "\\BOFU2000\HP Color - CB PCL 5c"
|> |> | PrinterDriver = "HP Color LaserJet 4500 PCL 5c"
|> |> | WshNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
|> |> | WshNetwork.SetDefaultPrinter "\\BOFU2000\CBColor"
|> |> |End Select
|> |> |
|> |> |> Dear Jeff,
|> |> |>
|> |> |> Thank you for your reply.
|> |> |>
|> |> |> Yes, we can also adjust the existing script to apply these settings on only
|> |> |> one computer according to its computer name. It is easy to query the
|> |> |> computer name via VB script.
|> |> |>
|> |> |> Set WshNetwork = WScript.CreateObject("WScript.Network")
|> |> |> sComputerName=WshNetwork.ComputerName
|> |> |>
|> |> |> However, it is not the same as enabling the setting in a certain GPO.
|> |> |> Please note that we added this batch file (or a VBS script) in All Users'
|> |> |> startup folder. Therefore, no matter who logs on to that computer and what
|> |> |> his/her original screen saver settings are, the batch/script will be
|> |> |> executed to disable the screen saver password protect. This method will not
|> |> |> affect other computers.
|> |> |>
|> |> |> Please feel free to let me know if you need my further assistance. Thanks!
|> |> |>
|> |> |> Regards,
|> |> |> -Joe
|> |> |>
|> |> |> Regards,
|> |> |> Joe Wu
|> |> |> Product Support Services
|> |> |> Microsoft Corporation
|> |> |>
|> |> |> --------------------
|> |> |> |From: "Jeff Smyrski"
|> |> |> |Subject: Re: Disable Screen Saver Password for Machine
|> |> |> |Date: Fri, 10 Oct 2003 09:37:58 -0400
|> |> |> |Newsgroups: microsoft.public.win2000.group_policy
|> |> |> |
|> |> |> |I understand what you are saying, but in reality this is the same as the
|> |> |> |Active Directory Policy that I enforce on all of my users, in essence under
|> |> |> |the USER->Administrative Templates->Control Panel->Display and the options
|> |> |> |to enable the screen saver, to type in the name of the screen saver, which I
|> |> |> |am using, logon.scr, the timeout, and even the "password" feature, which in
|> |> |> |AD is something like OnResume...etc etc.
|> |> |> |
|> |> |> |Which is no problem enforcing or not enforcing for a User...I would rather
|> |> |> |enforce the script via a policy that is invisible to the user or the
|> |> |> |machine, rather than adding a batch file to a startup menu. The registry
|> |> |> |setting is the way to go, and I could create a VB script that would edit the
|> |> |> |registry, but the trouble I am having is enforcing it to only the
|> |> |> |machine...rather than the user, for example:
|> |> |> |
|> |> |> |WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaverIsSecure", 0, "REG_SZ"
|> |> |> |
|> |> |> |Now that I think about it, I am going to attempt this...in another script I
|> |> |> |am already using which is looking at the machine name and uses a Select Case
|> |> |> |to install a default printer, based on the machine for an Organizational
|> |> |> |Unit, since different users cover each other's jobs in different
|> |> |> |locations...lol I think I am answering my own questions.
|> |> |> |
|> |> |> |Jeff Smyrski.
|> |> |> |
|> |> |> |
|> |> |> |> Dear Jeff,
|> |> |> |>
|> |> |> |> Thank you for your post and it is my pleasure to work with you again.
|> |> |> |>
|> |> |> |> The Screen Saver "Password protected" setting is set in the following
|> |> |> |> registry entry:
|> |> |> |>
|> |> |> |> HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
|> |> |> |>
|> |> |> |> When the value is set to "0" (zero), password protection for the screen
|> |> |> |> saver is turned off. When the value is set to "1", password protection for
|> |> |> |> the screen saver is turned on.
|> |> |> |>
|> |> |> |> Therefore, we can try the following solution:
|> |> |> |>
|> |> |> |> 1. Log on as a common user and adjust the screen saver settings (disable
|> |> |> |> screen saver password protected setting).
|> |> |> |> 2. Open registry editor and export the
|> |> |> |> [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
|> |> |> |> to a screensaver.reg file.
|> |> |> |> 3. Open this screensaver.reg file in Notepad and delete unnecessary lines.
|> |> |> |> For example, we can use the following content:
|> |> |> |>
|> |> |> |> Windows Registry Editor Version 5.00
|> |> |> |>
|> |> |> |> [HKEY_CURRENT_USER\Control Panel\Desktop]
|> |> |> |> "ScreenSaverIsSecure"="0"
|> |> |> |>
|> |> |> |> 4. Right-click the "Start" button and choose "Open All Users". Double-click
|> |> |> |> "Programs" and then double-click "Startup".
|> |> |> |> 5. Then a Windows Explorer will open in a directory like the following:
|> |> |> |>
|> |> |> |> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
|> |> |> |>
|> |> |> |> 6. Copy the ScreenSaver.reg file to this folder.
|> |> |> |> 7. Please use Notepad to create a ScreenSaver.bat file there. Please input
|> |> |> |> the following command in that ScreenSaver.bat file:
|> |> |> |>
|> |> |> |> regedit /s ScreenSaver.reg
|> |> |> |>
|> |> |> |> Then when a user logs on, the above command will be operated and disable
|> |> |> |> the Screen Saver password protection.
|> |> |> |>
|> |> |> |> I have tested this solution in my lab. Thank you for keeping using our news
|> |> |> |> groups! Have a great day!
|> |> |> |>
|> |> |> |> Regards,
|> |> |> |> Joe Wu
|> |> |> |> Product Support Services
|> |> |> |> Microsoft Corporation
|> |> |> |>
|> |> |> |> --------------------
|> |> |> |> |From: "Jeff Smyrski"
|> |> |> |> |Subject: Disable Screen Saver Password for Machine
|> |> |> |> |Date: Thu, 9 Oct 2003 15:46:19 -0400
|> |> |> |> |Newsgroups: microsoft.public.win2000.group_policy
|> |> |> |> |
|> |> |> |> |I am interested in disabling the screen saver password for one machine that
|> |> |> |> |several users access under one log in. The problem that I have is if I
|> |> |> |> |disable the password for this user based on the OU, then wherever the user
|> |> |> |> |logs into which might be multiple machines the password protect option is
|> |> |> |> |disabled.
|> |> |> |> |
|> |> |> |> |I attempted then, to create a Machine policy for the OU only applying the
|> |> |> |> |policy to the machine name, I moved the policy to the top of the list and
|> |> |> |> |even attempted the no override option.
|> |> |> |> |
|> |> |> |> |How can I enforce a no password policy for this machine while preserving the
|> |> |> |> |password protection policy for the users logging in to multiple machines
|> |> |> |> |including this one?
|> |> |> |> |
|> |> |> |> |Thanks
|> |> |> |> |Jeff Smyrski