Automatic lock computers

[sickss]

Is there a way to automatically lock A PC in XP after inactivity and NOT allow the user to make changes to the configuration? Here is the problem, I am currently controling automatic lockout through the screensaver timeout, but some users have the knowledge of how to changes these settings, so they do. Is their a way to disable their access to this function only? or can you do this an intirely different way?

Thanks
Dennis

 

[bcastner]

Use Group Policy at the Domain level, or local policies if not in a Domain:

Start, Run, gpedit.msc

User Configuration
Administrative Templates
Control Panel
Display

. Hide screensaver settings tab, enable
. Password Protect Screensavers, enable

 

[sickss]

THANKS!

 

[sickss]

Nope...does not work. Tried it on DC

 

[bcastner]

You tried it as a local policy on the DC? Group Policy object for the OU, and set it from XP as client logged on as the Domain Administrator unless your DC is Windows 2003.

Also, remember that Fast User Switching disables all password protection on the screensaver.

 

[sickss]

Yes, I ran GPEDIT on the DC, changed the settings, nothing happens after the users login. they can still see and cange the screensaver tab.

Please advise
Dennis

 

[bcastner]

Did you force a policy refresh on the DC? Your settings are not automatic on next logon of client, but on next logon of client after a policy flush on the DC.

 

[bcastner]

Windows 2000 Domain Controllers refresh to other Windows 2000 Domain Controllers on 5 minute intervals. Non-DC Windows 2000 computers are refreshed every 90 minutes.

If many WIndows 2000 computers requested a refresh at the same time, significant congestion would occur. To avoid this, a random offset interval is added to the refresh interval, to calclate the the refresh cycle. Windows 2000 domain controllers use a 0 minute offset, while non-DC Windows 2000 computers use 30 minutes. The refresh information for user and computer policies are maintained separately.

You can use the Group Policy to change these settings, or you can use the registry:

Tochange the refresh interval for computers:
Registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
Value Name: GroupPolicyRefreshTime
Data Type: REG_DWORD
Range (in minutes): 0 to 64800

To change the offset interval for computers:
Registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
Value Name: GroupPolicyRefreshTimeOffset
Data Type: REG_DWORD
Range (in minutes): 0 to 1440


To change the refresh interval for domain controllers:
Registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
Value Name: GroupPolicyRefreshTimeDC
Data Type: REG_DWORD
Range (in minutes): 0 to 64800


To change the offset interval for domain controllers:
Registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
Value Name: GroupPolicyRefreshTimeOffsetDC
Data Type: REG_DWORD
Range (in minutes): 0 to 1440


To change the refresh interval for users:
Registry key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Value Name: GroupPolicyRefreshTime
Data Type: REG_DWORD
Range (in minutes): 0 to 64800


To change the offset interval for users:
Registry key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Value Name: GroupPolicyRefreshTimeOffset
Data Type: REG_DWORD
Range (in minutes): 0 to 1440

To immediately impose GPO settings upon a target workstation:

Computer:

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE


User:

SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

 

[bcastner]

You might want to add the three other screensaver policy objects in your GP settings, as this will prevent XP from being confounded by a possible user setting:

. Enable Screensaver
. Specify a default screensaver
. Set the sreensaver timout interval

This controls all five registry entries involved and prevents a user setting from possibly cicumventing the activation of the screensaver.

 

[sickss]

by running secedit, it changes the DC, but the clients are still not changed? What am I doing wrong?

Dennis

 

[bcastner]

Look at these settings on your test user with regedit:

HKEY_CURRENT_USER\Control Panel\Desktop

These are the REG_SZ values that control the screensaver:

ScreenSaveActive = 1 (If 0, screensavers are not active)
ScreenSaverIsSecure = 1 (a 0 = no password protection)
ScreenSaveTimeOut = 600 (for 10 minutes)
SCRNSAVE.EXE = C:\Windows\System32\ssmypics.scr (or whatever screensaver file name you selected)

Also check this key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop

Remember that Fast User Switching must be disabled on the client.

 

[compgirlfhredi]

One of my students emailed this to me:

On some occasions changes to desktop settings will not save. Sometimes there is also a reason to disable this for public machines that users should not be allowed to change settings. This can be used to make it so your user's changes DO NOT get saved by "disabling save desktop" setting.
· Click Start
· Click Run
· Enter regedit
· Click OK
· Go to HKEY_CURRENT_USER\Software\Microsoft\Windows NTCurrentVersion\Program Manager\Restrictions
· Create or edit the DWORD value = NoSaveSettings
o To save desktop settings, value = 0
o To disable saving desktop settings, value = 1
· Close regedit
· Reboot