GPO lock workstation

[Guest]

How can I configure a GPO to lock workstations in the same manner as pressing
CTRL+ALT+DEL > Lock Computer?

I have both Windows 2K3 and 2k Servers and XP and 2k desktops.

I haven't been able to find a GPO to do this or even info on creating an adm
template file to do it.

I've also tried configuring the screen saver to run and enforce "Password
protect the screen saver", but that didn't work at all.

Thanks for any help or suggestions!
-Steve

 

[Mark Heitbrink [MVP]]

How can I configure a GPO to lock workstations in the same manner as pressing
CTRL+ALT+DEL > Lock Computer?

Activate the ScreenSaver with Password

Mark

 

[Guest]

I did that. I enabled the 4 policies below using the GPMC and applied the GPO
to my computer and my username. Refreshed the policy, but it didn't do
anything after a few minutes of idle. I also rebooted, but no difference.
Other new policies do take effect when I test in the same manner. I want the
users to be able to use their AD password to unlock the machine.

User Configuration\Administrative Templates\Control Panel\Display
Screen Saver
Screen Saver executable name (used logon.scr in the System32 folder)
Password protect the screen saver
Screen Saver timeout (set to 60 seconds)

 

[Guest]

To which OU did you link the GPO? Make sure your actual user account is
placed in this OU. Also make sure that Group Policy filtering isn't denying
apply and read policy permission to your account.

BTW:
The GPO does not need to apply to your computer but only to your user
account, because it is a User Setting and not a computer setting (hence the
fact that you configure the setting under "User Configuration"

 

[Guest]

It's linked to the Computers OU and the Users OU. Both my computer and my
user accounts have Read and Apply permissions enabled.

There are computer configuration setttings as well as user settings in the
GPO.

 

[Guest]

You can also use GPMC to see a Resultant Set of Policies applied to your
account. Can you run this wizard and see if the correct settings are applied
to your account and there aren't any conflicts or overwriting OU's?

 

[Guest]

Thanks for your help. The settings eventually took. The secedit refresh
didn't seem to refresh the user settings on the W2k test box, though gpupdate
did on the XP test box. The settings took fine after an hour or two.

Thanks for your help! You saved me a lot of testing.

 

[Guest]

You can force a policy refresh on w2k by using the secedit command:

machine policy:
secedit /refreshpolicy machine_policy /enforce

user policy:
secedit /refreshpolicy user_policy /enforce

Or are those the commands that did not work for you?

 

[Guest]

Those are the commands I was using, but seeing them in front of me now, I
realize I was only entering the machine_policy refresh. Duh!

I had been working solely on machine policies, but then had to add just a
few user policies and it just didn't register in my brain when I ran the
secedit refresh on W2k. I feel silly about that one.

Thanks again for your help!

 

[Guest]

Don't feel silly, it is microsoft who made it confusing:
The secedit refresh command was/is quite a mouthful to reminder, if you make
one typo you immediately get the Windows Help for this command, very annoying.

BUT microsoft also realized this and improved this in XP/2003 by "ripping"
the update function from the secedit and make it a seperate utility: gpupdate

Futhermore gpupdate by default refreshes both the computer and user settings
if you don't supply any parameters. secedit on the other hand will show the
windows help again on how to refresh the specific policy. So being confused
is very understandable!

The good thing about this is, that you'll never forget it :-D

Regards,

Erik