Lock and Load
Admin migrating to Windows 2003 wants to lock up all workstations </i>a la<i> NT.
- By Bill Boswell
I'm trying to set up automatic desktop
locking by enabling the logon screensaver on Windows 2000 workstations.
I've done this on NT 4.0, but don't know where to go to do it on 2000.
Currently I have an NT domain so Active Directory is not yet implemented,
but I'd like to know how to do the automated setup when we complete the
migration, which is soon.
—Name withheld by request
Help from Bill
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
Anonymous: Once you complete the deployment of Active
Directory, your problem is a fairly straightforward task to solve using
Group Policies. There are four policies that are used to manage the screen
saver. You can access all of them in the Group Policy Editor using this
User Configuration | Administrative Templates | Control Panel
Figure 1 shows what the settings look look like in
the Group Policy Editor.
Here's a quick list of the setting details extracted from setting properties.
Screen Saver — Enables desktop screen savers. If you disable
this setting, screen savers do not run. Also, this setting disables the
Screen Saver section of the Screen Saver tab in Display in Control Panel.
As a result, users cannot change the screen saver options. If you enable
it, a screen saver runs, provided that the following two conditions hold:
First, a valid screensaver on the client is specified through the "Screensaver
executable name" setting or through Control Panel on the client computer.
Second, the screensaver timeout is set to a nonzero value through the
setting or Control Panel.
Screen Saver Executable Name — Specifies the screen saver
for the user's desktop. If you enable this setting, the system displays
the specified screen saver on the user's desktop. Also, this setting disables
the drop-down list of screen savers on the Screen Saver tab in Display
in Control Panel, which prevents users from changing the screen saver.
If you enable this setting, type the name of the file that contains the
screen saver, including the .scr file name extension. If the screen saver
file is not in the %Systemroot%\System32 directory, type the fully qualified
path to the file. If the specified screen saver is not installed on a
computer to which this setting applies, the setting is ignored.
Password Protect The Screen Saver — Determines whether screen
savers used on the computer are password protected. If you enable this
setting, all screen savers are password protected. If you disable this
setting, password protection cannot be set on any screen saver. This setting
also disables the "Password protected" check box on the Screen
Saver tab in Display in Control Panel, preventing users from changing
the password protection setting. To ensure that a computer will be password
protected, also enable the "Screen Saver" setting and specify
a timeout via the "Screen Saver timeout" setting.
Screen Saver Timeout — Specifies how much user idle time
must elapse before the screen saver is launched. When configured, this
idle time can be set from a minimum of 1 second to a maximum of 86,400
seconds, or 24 hours. If set to zero, the screen saver will not be started.
When not configured, whatever wait time is set on the client through the
Screen Saver tab of the Display Properties dialog box is used. The default
is 15 minutes. This setting has no effect under any of the following circumstances:
- The setting is disabled or not configured.
- The wait time is set to zero.
- The "No screen saver" setting is enabled.
- Neither the "Screen saver executable name" setting nor
the Screen Saver tab of the client computer's Display Properties dialog
box specifies a valid existing screensaver program on the client.
|Figure 1. Access and manage
the four GPO settings using the Group Policy Editor. (Click image
to view larger version.)
|Figure 2. Use Properties of the GPO to disable
the Computer Settings for a GPO containing User Policies.
I highly recommend creating a new Group Policy Object (GPO) for these
settings rather than using the Default Domain GPO. Link the GPO to an
OU that contains the users who you want to manage. This enables you to
categorize your group policy settings by GPO. You can have one GPO for
Desktop Users, one for Laptop Users, and (if you use Vintela or Centrify)
one for your Linux and Unix desktops. Cool stuff.
To speed up GPO processing, you should make it a habit to separate your
policies by User and Computer, putting their settings into separate GPOs
and disabling the side that isn't used. In other words, disable the Computer
Settings for a GPO containing User policies, and vice versa. This is done
using the Properties of the GPO (see Figure 2).
Hope this helps!
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.