Logging out of users after 10 minutes 1

[bigdavelamb]

Hi, I am using Terminal services 2003, when the users do not touch the screen for around 10 minutes it logs them out and they need to enter their username/password. When you righr click on the desktop to change the setting as a user they are restricted so cannot change the setting themselves, where would this need to be set?

Thanks alot.

dave

 

[ascotta]

It can be sset in AD Users and computers or TSCONFIG or User Mangler. It is an idle timeout.

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[karmic]

Ran into this a while back... disable the screensaver on the server...

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[bigdavelamb]

I checked the Active Directory, it is set to 3 hours, which is not the case, this setting is being overwridden, maybe in the GPO?

cheers,
dave

 

[twoody54]

Yes, this is the screensaver setting, its password protected which makes their session "locked" and not logged off...

 

[bigdavelamb]

yeah i know it's the screensaver setting, but each individual user cannnot change this - it's locked down somewhere.....thus my query on here.........otherwise i would of just changed the setting already

 

[karmic]

change it on the server desktop, not thru a terminal session...

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[ascotta]

I have read with disbelief the above, this cannot be right, surely, or is the TS desktops a pile of...

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[twoody54]

Set it in active directory.

user configuration/administrative templates/control panel/display

there you'll see the various settings needed to change it. Again, the password protected screen saver is the problem for you. Either increase the idle time required before the SS kicks in, take off the password protection, or disable the SS entirely.

This isn't a "bad" feature because with TS you can log on from anywhere and leave your session open forgetting about it. Saying you have highly secure info on your system and someone with access to it logs on to check their email and forgets to disconnect or log off from the session. Anyonw walking by can hop on and do whatever they want that the logged on users permissions allow...

It comes down to the whole security vs. convenience thing.

 

[twoody54]

I should have said group policy, not active directory. If you want to apply it to just their sessions and not their client PC's, create a Terminal Server OU and put your terminal servers in there. Apply the group policy to just that OU.

 

[ascotta]

Just asking, thanks for clarification. Surely a policy for local desktops can handle that.

Hmmm what about winterms and the like.....

[blue]Arguably the best cat skinner around ! [/blue]

Cheers
Scott

 

[twoody54]

depends on your situation really. LCD's don't have burn in so if the Winterm's use flat screens its not a big deal to disable the screen saver on the session, if that's what you want. If those people that use winterms only ever log on from that winterm then you could possibly just either apply the GP to everyone but them or block them from having it applied to them. Someone else might have better ideas since we dont' have them here and I haven't had to deal with that situation.