Using computer policy to enforce screen saver password lockout


grnfvr (MIS), Dec 21, 2000
My situation does not allow for users to be placed in an OU, but only computers. However, I really need to be able to require password lockouts on screensavers. Since these are usually enforced via user policy I have a problem. I'm wondering if anyone knows another way to force the password lockout centrally (not using local policy) via computer policy or some other method.

Matt
 
Why not just set the policy on the User portion of the Default Domain Policy?
 
That would apply the policy to everyone in the domain; I only need to apply it to the members of an OU. Of course, it would not hurt to apply it to everyone, except that then all those users would be griping. I don't have the authority to decide to force this change for everyone.
 
May I ask why you can't use OU's? The only other way I can see you accomplishing this is via registry hacks based on login scripts...
 
I can't use user policy in the OU because user accounts will not be placed into OU's, only computer accounts. The reasons for this are that many users could fall into more than one OU and it becomes restrictive to place them into one. The other reason is that the UNIX LDAP will not mirror placing user accounts into OU's. I don't know too much about LDAP, so I'm not sure of the validity of that reason.
 
First off, putting user accounts in OU's does not make them more restrictive; it's exactly what the system was intended for. In your case, they would have all the same policies as other users, except with the addition of the screen saver. As for the LDAP thing, I have no idea why Unix would need to mirror OU's. I would think that it's being used as an authentication tool to access Unix resources, so OU placement would make no difference. Anyway, I'm not in the lecturing business, so here are the registry changes you'll need to make:

REGEDIT4
; Header line required at the top of the .reg file so regedit will import it

[HKEY_CURRENT_USER\Control Panel\Desktop]
; Idle time in seconds before the screen saver starts
"ScreenSaveTimeOut"="360"
; Turn the screen saver on
"ScreenSaveActive"="1"
; Require the user's password to resume from the screen saver
"ScreenSaverIsSecure"="1"
; Screen saver module to run; adjust the path for your installation
"SCRNSAVE.EXE"="C:\\WINNT\\System32\\scrnsave.scr"

(This first one activates and protects the screensaver. Make sure the path of "scrnsave.scr" is correct for you. Also, you can set the timeout to whatever you want; it's in seconds.)

; Second section of the same .reg file
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
; Hide the Screen Saver tab in Display Properties so the user cannot change the settings
"NoDispScrSavPage"=dword:00000001

(This hack removes the Screen Saver tab from the user's Display settings.)
 
I'm not the one making this decision. I just got off the phone with someone else who also doesn't get to make this decision. Basically the idea is this. We are at a university. The problem is that many times students are faculty, faculty are students, staff are students, and so on; you get the idea. Apparently the fear is that it will become an administrative nightmare to get user accounts into the correct OU. And then there is the fear of what happens if a faculty member enrolls in a class and gets moved to a different OU that has policies that do not allow them to do what they need to do as faculty.

As for the LDAP thing: basically everyone has accounts on UNIX and Windows. Apparently the UNIX admins do not want to group users into smaller groups. The UNIX LDAP has to mirror the Windows domain because an account management system makes updates in both and they need to be set up the same.

Believe me, I want to do it through User policy but unfortunately I don't know all the implications of doing this nor do I have the authority to do so. Any further insight you could offer into our interesting situation is welcome.
 
Use the registry hack I provided and put it in a login script for those users. In the script you would run:

regedit /s <name-of-your-regfile.reg>

The name of the regfile can be anything you want, as long as you put it in the same directory (netlogon) as the login script, and as long as it contains the registry changes I posted.
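A PowerShell check, added here as an example and not part of the thread, that audits whether the values the .reg file above writes are actually in effect for the logged-on user; the 600-second maximum is an assumed threshold, and the function name is hypothetical.

```powershell
# Added example: verify the screen-saver lockout settings from the thread's .reg
# file took effect for the current user (reads HKCU, so run it as that user).
function Test-ScreenSaverLockout {
    param([int]$MaxTimeoutSeconds = 600)   # assumed site maximum; adjust as needed

    $desktopKey = 'HKCU:\Control Panel\Desktop'
    $desktop = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
    $findings = @()

    # These values are REG_SZ in the .reg file, so compare them as strings
    if ($desktop.ScreenSaveActive -ne '1') {
        $findings += 'ScreenSaveActive is not "1": no screen saver will start'
    }
    if ($desktop.ScreenSaverIsSecure -ne '1') {
        $findings += 'ScreenSaverIsSecure is not "1": resuming does not require a password'
    }

    # Timeout must be a positive number of seconds and not above the site maximum
    $timeout = 0
    if (-not [int]::TryParse([string]$desktop.ScreenSaveTimeOut, [ref]$timeout) -or $timeout -le 0) {
        $findings += 'ScreenSaveTimeOut is missing or not a positive number of seconds'
    } elseif ($timeout -gt $MaxTimeoutSeconds) {
        $findings += "ScreenSaveTimeOut is $timeout s, above the $MaxTimeoutSeconds s maximum"
    }

    # The lockout cannot engage if the configured .scr module does not exist
    $scr = [string]$desktop.'SCRNSAVE.EXE'
    if ([string]::IsNullOrWhiteSpace($scr)) {
        $findings += 'SCRNSAVE.EXE is not set: no screen saver module is configured'
    } elseif (-not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($scr)))) {
        $findings += "SCRNSAVE.EXE points to a file that does not exist: $scr"
    }

    [pscustomobject]@{
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-ScreenSaverLockout -MaxTimeoutSeconds 600 | Format-List
```

Because it reads HKCU, run it in the user's own session after the login script has imported the .reg file; a non-compliant result there usually means the import failed (wrong path in netlogon or a missing REGEDIT4 header) rather than that the values were later changed.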
 