Lock and Load

Admin migrating to Windows 2003 wants to lock up all workstations a la NT.

Bill: I'm trying to set up automatic desktop locking by enabling the logon screensaver on Windows 2000 workstations. I've done this on NT 4.0, but don't know where to go to do it on 2000.

Currently I have an NT domain so Active Directory is not yet implemented, but I'd like to know how to do the automated setup when we complete the migration, which is soon.
—Name withheld by request

Anonymous: Once you complete the deployment of Active Directory, your problem is a fairly straightforward task to solve using Group Policies. There are four policies that are used to manage the screen saver. You can access all of them in the Group Policy Editor using this path:

User Configuration | Administrative Templates | Control Panel | Display

Figure 1 shows what the settings look like in the Group Policy Editor.

Here's a quick list of the setting details extracted from setting properties.

Screen Saver — Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver tab in Display in Control Panel. As a result, users cannot change the screen saver options. If you enable it, a screen saver runs, provided that the following two conditions hold: First, a valid screensaver on the client is specified through the "Screensaver executable name" setting or through Control Panel on the client computer. Second, the screensaver timeout is set to a nonzero value through the setting or Control Panel.

Screen Saver Executable Name — Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers on the Screen Saver tab in Display in Control Panel, which prevents users from changing the screen saver. If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.

Password Protect The Screen Saver — Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. This setting also disables the "Password protected" check box on the Screen Saver tab in Display in Control Panel, preventing users from changing the password protection setting. To ensure that a computer will be password protected, also enable the "Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting.

Screen Saver Timeout — Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. When not configured, whatever wait time is set on the client through the Screen Saver tab of the Display Properties dialog box is used. The default is 15 minutes. This setting has no effect under any of the following circumstances:

  • The setting is disabled or not configured.
  • The wait time is set to zero.
  • The "No screen saver" setting is enabled.
  • Neither the "Screen saver executable name" setting nor the Screen Saver tab of the client computer's Display Properties dialog box specifies a valid existing screensaver program on the client.

Figure 1. Access and manage the four GPO settings using the Group Policy Editor.

Figure 2. Use Properties of the GPO to disable the Computer Settings for a GPO containing User Policies.

I highly recommend creating a new Group Policy Object (GPO) for these settings rather than using the Default Domain GPO. Link the GPO to an OU that contains the users who you want to manage. This enables you to categorize your group policy settings by GPO. You can have one GPO for Desktop Users, one for Laptop Users, and (if you use Vintela or Centrify) one for your Linux and Unix desktops. Cool stuff.

To speed up GPO processing, you should make it a habit to separate your policies by User and Computer, putting their settings into separate GPOs and disabling the side that isn't used. In other words, disable the Computer Settings for a GPO containing User policies, and vice versa. This is done using the Properties of the GPO (see Figure 2).

Hope this helps!
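As an added example (not code from the column, from Microsoft, or from any project), here is a PowerShell audit a workstation admin can run to confirm that the four settings described above actually combine into an enforced desktop lock. It assumes the per-user registry values those four Display settings write (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut and SCRNSAVE.EXE under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop), falling back to the user's own Control Panel key; the function names and parameters are mine. Since PowerShell postdates the Windows 2000 workstations in the question, treat it as an illustration of the conditions the column lists rather than the tool of that era.

```powershell
# Added example, not part of the column: audit whether a workstation's effective
# policy will actually lock the desktop. The four "Display" GPO settings are stored
# as per-user registry values under
#   HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
# and take precedence over the user's own settings in HKCU\Control Panel\Desktop.
# Function and parameter names below are my own.

function Test-ScreenSaverLock {
    # Pure evaluation of the column's conditions, kept separate from the registry
    # read so the logic can be exercised with constructed values.
    param(
        [string]$ScreenSaveActive,     # "Screen Saver"                      -> ScreenSaveActive = "1"
        [string]$ScreenSaverIsSecure,  # "Password protect the screen saver" -> ScreenSaverIsSecure = "1"
        [string]$ScreenSaveTimeOut,    # "Screen Saver timeout"              -> ScreenSaveTimeOut = seconds
        [string]$ScreenSaverExe,       # "Screen Saver executable name"      -> SCRNSAVE.EXE
        [string]$SystemRoot = $env:SystemRoot
    )

    $problems = @()

    if ($ScreenSaveActive -ne '1') {
        $problems += 'screen saver is not enabled (ScreenSaveActive is not "1")'
    }
    if ($ScreenSaverIsSecure -ne '1') {
        $problems += 'screen saver is not password protected (ScreenSaverIsSecure is not "1")'
    }

    # Timeout: the setting accepts 1..86400 seconds; zero, empty or non-numeric means "never".
    $seconds = 0
    if (-not [int]::TryParse($ScreenSaveTimeOut, [ref]$seconds) -or $seconds -lt 1 -or $seconds -gt 86400) {
        $problems += "timeout is missing, zero or out of range (ScreenSaveTimeOut = '$ScreenSaveTimeOut')"
    }

    # Executable: a bare file name is resolved in %SystemRoot%\System32, as the
    # setting's own description says; anything else must be a fully qualified path.
    if ([string]::IsNullOrWhiteSpace($ScreenSaverExe)) {
        $problems += 'no screen saver executable is specified'
    } else {
        $path = $ScreenSaverExe
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $SystemRoot "System32\$path"
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $problems += "screen saver executable not found: $path"
        }
    }

    [pscustomobject]@{
        LockEnforced   = ($problems.Count -eq 0)
        TimeoutSeconds = $seconds
        Problems       = $problems
    }
}

function Get-ScreenSaverLockStatus {
    # Read each value from the policy key first, falling back to the user's own
    # Control Panel key, then evaluate with Test-ScreenSaverLock.
    param(
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        [string]$UserKey   = 'HKCU:\Control Panel\Desktop'
    )

    $read = {
        param([string]$Name)
        foreach ($key in @($PolicyKey, $UserKey)) {
            if (Test-Path -LiteralPath $key) {
                $item = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
                if ($null -ne $item) { return [string]$item.$Name }
            }
        }
        return ''
    }

    Test-ScreenSaverLock `
        -ScreenSaveActive    (& $read 'ScreenSaveActive') `
        -ScreenSaverIsSecure (& $read 'ScreenSaverIsSecure') `
        -ScreenSaveTimeOut   (& $read 'ScreenSaveTimeOut') `
        -ScreenSaverExe      (& $read 'SCRNSAVE.EXE')
}

# Usage: run on a workstation after the policy has refreshed (gpupdate /force or a
# logoff/logon) and confirm LockEnforced is True; each Problems entry names the
# setting that still needs attention.
Get-ScreenSaverLockStatus | Format-List
```

Keeping the evaluation in Test-ScreenSaverLock separate from the registry read lets you feed it constructed values (for example a timeout of "0" or a misspelled .scr name) and see exactly which of the column's four conditions fails, which is the same reasoning the "This setting has no effect under any of the following circumstances" list above walks through.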

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

