GPO for screensaver 3

tvbruwae

Programmer
Aug 9, 2001
224
EU
Hi

We would like to have a GPO that configures the screensaver for desktops in the domain. The GPO should only allow one screensaver (.scr file) to be used.

Most other screensaver settings should not be configured. I.e. users should be able to change the time-out, password protection or even the activation of a screensaver.

We tried to implement this but haven't found what we need yet. In our policy we only configured the "screen saver executable name". Other screensaver-related settings were left unconfigured.

However on the clients, all screen saver settings are grayed out. So the user can not change the parameters anymore..

Is there a way to implement what we need with the default GPO templates?

Thanks,
Tim
 
Once you force a specific SCR file via GPO the user is locked out of that screen to prevent the user from changing that default value.

You will need to pick a company standard timeout, choose if it should be password protected and configure all of those settings.

If you wish to set a default screen saver value while allowing users to change it later if they wish then you could do so with VBScript by writing the screen saver information directly to the registry.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
If you still require this function, I can write you a new admin template to just change the screensaver

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
So basically I just have to write an ADM template that sets the SCRNSAVE.EXE registry value to the mandatory screensaver? I think I can do that. But then once again I do not understand MS: why do they offer the option to configure all screensaver settings individually and then let one setting rule out all the others..

In any case, thank you both for the reply! Without the tips I could have been looking for a long time to figure this out..
 
If you download the GPMC (for Win2003) you get the options to set all these specifics individually: the exe, the timeout, enabling them at all. So you can just specify the actual screensaver, and let the users specify the timeouts, passwords etc. The GPMC will only work (as in, be viewed on) a Windows 2003 or Windows XP machine. However, it will control policy for a Windows 2000 domain (you just can't run the GUI from a 2000 server).

In light of you not wanting to run the GPMC, I have created an ADM file for you below. I assume that you know how to implement and maintain them. Here you go:

Code:
CLASS USER
	CATEGORY !!NJCISEDITS
		CATEGORY !!SCREENSAVER
			POLICY !!ScreenSaverActive
				KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"
				#if version >= 4
				SUPPORTED !!SUPPORTED_Win2kSP1
				#endif

				EXPLAIN !!ScreenSaverActive_Help
				VALUENAME "ScreenSaveActive"
				VALUEON  1
				VALUEOFF 0
			END POLICY

			POLICY !!ScreenSaverFilename
				KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"
				#if version >= 4
				SUPPORTED !!SUPPORTED_Win2kSP1
				#endif

				EXPLAIN !!ScreenSaverFilename_Help
				PART !!ScreenSaverFilename EDITTEXT
					VALUENAME "SCRNSAVE.EXE"
				END PART
			END POLICY

			POLICY !!ScreenSaverIsSecure
				KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"
				#if version >= 4
				SUPPORTED !!SUPPORTED_Win2kSP1
				#endif

				EXPLAIN !!ScreenSaverIsSecure_Help
				VALUENAME "ScreenSaverIsSecure"
				VALUEON  1
				VALUEOFF 0
			END POLICY	

			POLICY !!ScreenSaverTimeOut
				KEYNAME "Software\Policies\Microsoft\Windows\Control Panel\Desktop"
				#if version >= 4
				SUPPORTED !!SUPPORTED_Win2kSP1
				#endif

				EXPLAIN !!ScreenSaverTimeOut_Help
				PART !!ScreenSaverTimeOut_Tip1  TEXT
				END PART
				PART !!Blank                  TEXT
				END PART
				PART !!ScreenSaverTimeOutFreqSpin   NUMERIC DEFAULT 900
					MIN 0 MAX 599940 SPIN 60
					TXTCONVERT
					VALUENAME "ScreenSaveTimeOut"
				END PART
			END POLICY
		END CATEGORY
	END CATEGORY

[strings]
NJCISEdits="NJC Info Sys GP Edits"
SCREENSAVER="Screensaver settings"
CPL_Display_HideScrsav="Hide Screen Saver tab"
NoDispScrSavPage_Help="Removes the Screen Saver tab from Display in Control Panel.\n\nThis setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer."
ScreenSaverActive_Help="Enables desktop screen savers.\n\nIf you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver tab in Display in Control Panel. As a result, users cannot change the screen saver options.\n\nIf you do not configure it, this setting has no effect on the system.\n\nIf you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screensaver on the client is specified through the "Screensaver executable name" setting or through Control Panel on the client computer. Second, the screensaver timeout is set to a nonzero value through the setting or Control Panel.\n\nAlso, see the "Hide Screen Saver tab" setting."
ScreenSaverActive="Screen Saver"
ScreenSaverFilename_Help="Specifies the screen saver for the user's desktop.\n\nIf you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers on the Screen Saver tab in Display in Control Panel, which prevents users from changing the screen saver.\n\nIf you disable this setting or do not configure it, users can select any screen saver.\n\nIf you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file.\n\nIf the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.\n\nNote: This setting can be superseded by the "Screen Saver" setting.  If  the "Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run."
ScreenSaverFilename="Screen Saver executable name"
ScreenSaverIsSecure_Help="Determines whether screen savers used on the computer are password protected.\n\nIf you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.\n\nThis setting also disables the "Password protected" check box on the Screen Saver tab in Display in Control Panel, preventing users from changing the password protection setting.\n\nIf you do not configure this setting, users can choose whether or not to set password protection on each screen saver.\n\nTo ensure that a computer will be password protected, also enable the "Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting.\n\nNote: To remove the Screen Saver tab, use the "Hide Screen Saver tab" setting."
ScreenSaverIsSecure="Password protect the screen saver"
ScreenSaverTimeOut="Screen Saver timeout"
ScreenSaverTimeOut_Tip1="Number of seconds to wait to enable the Screen Saver"
ScreenSaverTimeOutFreqSpin="Seconds:"
ScreenSaverTimeOut_Help="Specifies how much user idle time must elapse before the screen saver is launched.\n\nWhen configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.\n\nThis setting has no effect under any of the following circumstances:\n\n    - The setting is disabled or not configured.\n\n    - The wait time is set to zero.\n\n    - The "No screen saver" setting is enabled.\n\n    - Neither the "Screen saver executable name" setting nor the Screen Saver tab of the client computer's Display Properties dialog box specifies a valid existing screensaver program on the client.\n\nWhen not configured, whatever wait time is set on the client through the Screen Saver tab of the Display Properties dialog box is used. The default is 15 minutes."
SUPPORTED_Win2kSP1="At least Microsoft Windows 2000 Service Pack 1"
Blank=" "

If you need any help applying or maintaining custom ADM edits, let me know.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Hi Neil

We are running Win2003 and we are using the GPMC to edit the policies. So I guess we did configure it like you mentioned.. In the policy under User configuration --> Administrative Templates --> Control Panel --> Display we set:

Screen Saver: not configured
Screen Saver Executable Name: %systemroot%\system32\sc.scr
Password protect the screen saver: not configured
Screen Saver timeout: not configured

When looking at this from a logical perspective it would be the perfect setup for what we need. But instead we get what Mark wrote: even though one setting is configured, it appears to be one that locks all the others.. Did you get a fixed screensaver executable to work without freezing the other options?
 
That's the one we have implemented...not set by me. I will recreate it when I get back into work tomorrow, and let you know.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
I do not understand MS: why do they offer the option to configure all screensaver settings individually and then let one setting rule out all the others..

This is no different than any other piece of security for locking down IE. You block access to the tab, not individual settings. By configuring an option on the tab you are locking down the entire tab.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Well, I have just tested the edit that I posted, and I can specify just the SCR; all the other settings are left configurable by the user. I have tested the time change, settings, and password, and all are still configurable by the user.

Not tested the default one from the SYSTEM.adm, but I removed some properties from the default. They were policies that had no key values, and just enabled/disabled. This may have something to do with this.

If you implement my ADM, it will work as you want it.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Neil, did you test as a user and not admin? I don't see how it would be possible to lock just this one setting down, though I confess I have not tested your solution. Are you saying that the screen saver drop down will be locked but other settings will not for a user or power users?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Yes Mark, definitely.
Any user, standard, admin, power whatever, the screensaver selection is greyed, timeout/password/settings are all configurable.

I'm still using it on my dev network :).

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Trust me dude! It works....And tested on both Win XP, and Win Server 2003 / 2000 Server.

<catches star and cuts hand> :)

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Sorry if I wasn't clear. I do trust you. :)

I just want to test on my side to better understand how the separate ADM is able to isolate that one element without locking out the whole tab as read only. I am guessing that because the other elements are not in the policy they don't get locked down, but that should be the same as leaving an element as unconfigured.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
I will look into this Mark....I have a conceptual reason..I will post back!

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
This is why I love the Tek-Tips forums. Intellectual discussions among peers! So refreshing from the other forums I see out there where everything is a flame fest.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Concept FAILED!

NEWS:
FACT - I can only speak from my tests, but I tried the standard normal screensaver settings, as in the one built into GPMC, and I can from there, still specify the screensaver .scr file and let the users config the rest of the settings.

CONCEPT2
========
There is a setting that "enables Screen Savers". I think, if you disable this, then all settings are disabled, and by default has no screensaver, therefore actually "disabling the screen saver", cause it is being defaulted to nothing, and denying changes to this. However, if you disable this, but specify other settings, for example, specifying the .scr, then this will be enforced as the screensaver, but there are no other options for configuration on the client. But this comes from the Activate Screensaver, not from the fact that you are specifying an individual scr.

The above is my new concept, will test tomorrow morning.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
For now I have to stick with Mark's findings. When I used your ADM template to configure the screensaver the results were still the same as with the default one. In fact, when I set the screensaver's executable name with your ADM template, the default setting was also adjusted to the same value automatically. So both the default ADM and your customized one are effectively making the same modifications.

On the client, the options on the screen saver tab are all grayed out. But in the drop-down list I can see the value "(None)", even though a .scr file is defined in the policies (and gpresult shows that the policy is correctly applied).

When you select not to use a screensaver at all on a computer, other options are by default disabled which is normal. So perhaps it could be that the policy does set the registry setting (HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE is filled in with the correct SCR file) but that it does not load the value into the screensaver dropdown list. Which would also explain the behaviour we are seeing.

Then the question would be: if the registry setting is correct, then why is the screensaver not shown in the dropdown list?
 
I tried some more things. When I select "sspipes.scr" as the screen saver's executable name in the policy, it DOES apply correctly with all other options definable by the user. As soon as I select our own "sc.scr", the value in the GUI shows "None" and the other options are grayed out.

The sc.scr file is in the %systemroot%\system32 folder and can be normally selected / used on a computer without the policies applied. So nothing is wrong with the screensaver itself. Do we need to "publish" a screensaver executable in some way (on top of copying it into the system32 folder)?
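
Added example, not part of the original thread: a PowerShell check to run on a client in the affected user's session. It shows which of the four screen saver values from the ADM template above are enforced under the policy key and which are still the user's own preference, and whether the enforced SCRNSAVE.EXE value resolves to a file that exists. The preference key path and the System32 fallback for a bare file name are assumptions taken from standard Windows behaviour and the policy help text; the script makes no claim about why sc.scr shows as "(None)".

```powershell
# Added diagnostic example, not from the thread. Run in the affected user's session.
# Policy key and value names come from the ADM template posted above; the
# preference key is where the Display control panel stores the user's own choices.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$prefKey   = 'HKCU:\Control Panel\Desktop'
$names     = 'ScreenSaveActive', 'SCRNSAVE.EXE', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'

function Get-RawValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $k = Get-Item -LiteralPath $Key
    if ($k.GetValueNames() -notcontains $Name) { return $null }
    # Return the string exactly as stored, without expanding %VAR% references
    $k.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
}

# 1. Which values are enforced by policy, and which are still the user's own?
$names | ForEach-Object {
    $pol    = Get-RawValue $policyKey $_
    $pref   = Get-RawValue $prefKey   $_
    $source = 'Not set'
    if ($null -ne $pref) { $source = 'User preference' }
    if ($null -ne $pol)  { $source = 'Policy (enforced)' }
    [pscustomobject]@{ Setting = $_; Policy = $pol; Preference = $pref; Source = $source }
} | Format-Table -AutoSize

# 2. Does the enforced screen saver resolve to a file that exists on this client?
$scr = Get-RawValue $policyKey 'SCRNSAVE.EXE'
if ($null -ne $scr) {
    $resolved = [Environment]::ExpandEnvironmentVariables($scr)
    # A bare file name is looked up in System32, per the policy help text
    if (-not [IO.Path]::IsPathRooted($resolved)) {
        $resolved = Join-Path $env:SystemRoot "System32\$resolved"
    }
    [pscustomobject]@{
        StoredValue    = $scr
        ValueKind      = (Get-Item -LiteralPath $policyKey).GetValueKind('SCRNSAVE.EXE')
        ContainsEnvVar = $scr -match '%[^%]+%'
        ResolvedPath   = $resolved
        FileExists     = Test-Path -LiteralPath $resolved -PathType Leaf
    } | Format-List
} else {
    'No SCRNSAVE.EXE value under the policy key; the screen saver choice is not enforced.'
}
```

Comparing the output for a client configured with sspipes.scr against one configured with sc.scr shows whether the two policies differ in anything other than the file name.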
 