Force all XP workstations to use certain screensaver settings

[hskr4evr]

Hello everyone! Didn't know if this was the right forum for this or not...

I have a network of 1103 XP workstations. Due to reasons beyond my control, we are still running an NT4 domain.

Recent policy dictates that all users must make use of a password protected screensaver after 10 minutes of inactivity.

1. How can I force this these settings to all XP workstations via a script?
2. How can I prevent the users, who don't have administrative rights to these workstations, from changing the screensaver settings?

Thank you!

 

[bcastner]

First, the basics. Screensaver settings are stored in the registry:

In Regedit go to:

HKEY_CURRENT_USER\Control Panel\Desktop

Check/add the following REG_SZ values:

ScreenSaveActive = 1 (0 = no screensaver active)
ScreenSaverIsSecure = 1 (set to 0 it means no password is required)
ScreenSaveTimeOut = 600 (10 minutes, time is in seconds)
SCRNSAVE.EXE = C:\Windows\System32\ssmypics.scr (or desired screensaver file name)

If no one has logged on yet, or all users are logged out:

HKEY_USERS\.DEFAULT\Control Panel\Desktop

Check/add the following values
ScreenSaveActive = 1 (0 = no screensaver active)
ScreenSaverIsSecure = 1 (set to 0 it means no password is required)
ScreenSaveTimeOut = 600 (10 minutes, time is in seconds)
SCRNSAVE.EXE = C:\Windows\System32\ssmypics.scr (or desired screensaver file name)

Finally, change the screensaver Grace period.

This setting determines when password protection of a screen saver becomes effective. By default, a brief period elapses within which the user can use the mouse or the keyboard to stop the screen saver without entering the password.

Registry Settings
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: ScreenSaverGracePeriod
Data Type: REG_SZ (String Value)
Value Data: 0 - 2,147,483 seconds (approximately 24 days)

2. Setup your machine with the screensaver settings you want. Then use regedit to check the settings above. You may need to add new key values. Then export the three registry keys above.

3. To push registry changes to the desktop, you have several choices. See, for a good discussion:

http://msdn.microsoft.com/library/d...w2kmag01/html/DistributingRegistryChanges.asp

4. To prevent changes, push this little .vbs file through their logon scripts. Open a notepad session and paste the below, saving as "no_desktop_changes_allowed.vbs"

***********copy/paste below this line
Option Explicit
On Error Resume Next

'Declare variables
Dim WSHShell, p1

'Set the Windows Script Host Shell and assign values to variables
Set WSHShell = WScript.CreateObject("WScript.Shell&quot

p1 = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings"

WSHShell.RegWrite p1, 1, "REG_DWORD"
**************end copy/paste above this line

Note this prevents any desktop changes from being saved/persistent for the user.

 

[hskr4evr]

Thanks for the reply! Everything in your post makes sense!

I created a .reg file with your suggestions and implemented the registry changes on my local machine.

I verified that the settings took by looking at the screensaver settings when I right-click on the desktop and select properties.

I walked away for about 30 minutes.

The screensaver did not start.

Any ideas? I even rebooted and walked away for another 30 minutes.

 

[bcastner]

http://support.microsoft.com/default.aspx?scid=kb;EN-US;328000