Force screen saver after inactivity with GPOs domain wide


Guest

I have a requirement to set every user's screen saver to activate with
password within 5 minutes. We want to control this from the back-end instead
of trusting that the users will enable it for themselves. Is there a GPO that
has this configuration? Any help is greatly appreciated. Thank You!
 
You can find the Screen Saver policies in User Configuration\Administrative
Templates\Control Panel\Display. It should be pretty self-explanatory which
ones to set. Our company has Screen Saver (Enabled), Password protect the
screen saver (Enabled), and Screen Saver timeout (Enabled, 1800s). We did
not have to set "Screen Saver executable name" like a lot of the policies
indicate is required. It worked fine with it not configured and gave our
users the flexibility of selecting their own preferred screen saver.

Initially we tried for a 10 minute timeout, but there was much wailing and
gnashing of teeth. It was later dropped to 30 minutes which I think defeats
the purpose of locking an inactive computer since it gives a 30 minute
window to walk up to a computer that hasn't locked yet.

Good luck with your 5 minute policy. You may wish to take your phone off
the hook for a while after implementation... :)
 
Thank You Michael. I truly appreciate your help.

Michael Ellingson said:
You can find the Screen Saver policies in User Configuration\Administrative
Templates\Control Panel\Display. It should be pretty self-explanatory which
ones to set. Our company has Screen Saver (Enabled), Password protect the
screen saver (Enabled), and Screen Saver timeout (Enabled, 1800s). We did
not have to set "Screen Saver executable name" like a lot of the policies
indicate is required. It worked fine with it not configured and gave our
users the flexibility of selecting their own preferred screen saver.

Initially we tried for a 10 minute timeout, but there was much wailing and
gnashing of teeth. It was later dropped to 30 minutes which I think defeats
the purpose of locking an inactive computer since it gives a 30 minute
window to walk up to a computer that hasn't locked yet.

Good luck with your 5 minute policy. You may wish to take your phone off
the hook for a while after implementation... :)
 
XP/2003 already have a setting for what you need in the Group Policy
Editor, under USER CONFIGURATION\Administrative Templates\Control
Panel\Display. I am not too sure about NT or 2000.

Well, the final goal is the same regardless: you will need to set these
values in the registry, however you do it.

HKEY_CURRENT_USER\Control Panel\Desktop : ScreenSaveTimeOut = 300

-- To ensure that the screen saver is invoked after 5 minutes of inactivity.

HKEY_CURRENT_USER\Control Panel\Desktop : ScreenSaverIsSecure

-- To ensure that a password is prompted after the screen saver is invoked.

Now, there are a few ways you can propagate this out to all the clients.
One is to use a script that can be run on all the clients, maybe even
in the logon script. The other is to create your own group policy
template from a .REG file (a text file containing registry settings
which can be exported). You can convert a .REG file to a Group Policy
Template (.ADM) using a utility called REG2ADM available from
http://www.novell.com/coolsolutions/tools/1421.html

And below is the contents of the screenSaverPolicy.REG file, left on a
Network Share i.e. \\<Server>\<share>\ readable by all users in your
group(s).

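Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
; Require a password when the screen saver is dismissed
"ScreenSaverIsSecure"="1"
; Start the screen saver after 300 seconds (5 minutes) of inactivity
"ScreenSaveTimeOut"="300"
; Enable the screen saver
"ScreenSaveActive"="1"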

Now, I would make a batch file called enforceScreenSaverPolicy.cmd and
have this one command in it.

REGEDIT.EXE /s "\\<Server>\<share>\screenSaverPolicy.REG"

That's it, if you enforce this batch file as a logon script for all the
users in your group(s)
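
To check which of the two approaches in this thread is actually in effect for a logged-on user, the audit below can be used. It is an added example, not part of the original posts. It assumes the Control Panel\Display policies write their values under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, which take precedence over the user-editable values under HKCU\Control Panel\Desktop that the .REG file sets, and it must run in the user's own session.

```powershell
# Added example (not from the thread): audit the current user's screen-saver lock.
# Values under the Policies key are written by the GPO and override the
# user-editable preferences under Control Panel\Desktop.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$PrefKey   = 'HKCU:\Control Panel\Desktop'

function Get-DesktopValue {
    param([string]$Key, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [string]$item.$Name } else { $null }
}

function Get-EffectiveSetting {
    param([string]$Name)
    $policy = Get-DesktopValue -Key $PolicyKey -Name $Name
    if ($null -ne $policy) {
        return [pscustomobject]@{ Name = $Name; Value = $policy; Source = 'Policy' }
    }
    $pref = Get-DesktopValue -Key $PrefKey -Name $Name
    $source = if ($null -ne $pref) { 'UserPreference' } else { 'NotSet' }
    [pscustomobject]@{ Name = $Name; Value = $pref; Source = $source }
}

function Test-ScreenSaverLock {
    param([int]$MaxTimeoutSeconds = 300)   # the 5-minute requirement from the question
    $active  = Get-EffectiveSetting 'ScreenSaveActive'
    $secure  = Get-EffectiveSetting 'ScreenSaverIsSecure'
    $timeout = Get-EffectiveSetting 'ScreenSaveTimeOut'

    $seconds = 0
    $timeoutOk = [int]::TryParse([string]$timeout.Value, [ref]$seconds) -and
                 $seconds -gt 0 -and $seconds -le $MaxTimeoutSeconds

    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        Active         = $active.Value
        Secure         = $secure.Value
        TimeoutSeconds = $timeout.Value
        # Compliant only if the saver is on, password-protected and fast enough.
        Compliant      = ($active.Value -eq '1') -and ($secure.Value -eq '1') -and $timeoutOk
        # Enforced only if all three values come from the policy key,
        # i.e. the user cannot change them in Control Panel.
        Enforced       = @($active, $secure, $timeout | Where-Object Source -ne 'Policy').Count -eq 0
    }
}

Test-ScreenSaverLock | Format-List
```

A result with Compliant true but Enforced false means the values came from the logon-script route, so the user can still change them until the next logon reapplies the .REG file.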
 