Enable Windows Lock Screen after Inactivity via GPO


In this article we’ll show how to configure automatic screen (session) lock on domain computers or servers using Group Policy. Locking the computer screen when the user is inactive (idle) is an important information security element. The user may forget to lock his desktop (with the keyboard shortcut Win + L) when he needs to leave the workplace for a short time. In this case, any other employee or client who is nearby can access his data. The auto-lock screen policy will fix this flaw. After some time of inactivity (idle), the user’s desktop will be automatically locked, and the user will need to re-enter their domain password to return to the session.

Let’s create and configure a domain Group Policy to manage screen lock options:

  1. Open the Group Policy Management console (gpmc.msc), create a new GPO object (LockScreenPolicy) and link it to the domain root (or to the Users OU); create new Group policy to lock Windows computer after inactivity
  2. Edit the policy edit and go to the User Configuration -> Policies -> Administrative Templates -> Control Panel -> Personalization;
  3. There are some options to manage screen saver and screen lock settings in the GPO section:
    • Enable screen saver
    • Password protect the screen saver — prompts to enter a password to unlock a computer
    • Screen saver timeout – sets time in seconds when a screen saver will be enabled and a computer will be locked if a user is inactive
    • Force specific screen saver – you may specify a screen saver file to be used. The most often it is scrnsave.scr (you can make a slideshow screen saver using GPO)
    • Prevent changing screen saver – prevents users from changing screen saver settings
  4. Enable all policies and set a computer idle time in the Screen saver timeout policy. I have entered 300. It means that user sessions will be automatically locked after 5 minutes; GPO to lock the computer after 5 minutes of idle
  5. Wait until the Group Policy settings are updated on the clients or refresh them manually with the command: gpupdate /force. After the GPO has been applied, screen saver and screen lock settings will be protected from editing in the Windows interface, and user sessions will be locked in 5 minutes of inactivity (to diagnose how the GPO is applied, you can use gpresult tool and the article following this link).
In Windows Server 2012/Windows 8 or newer, there is a separate computer security policy that sets a computer inactivity time after which it is locked. The policy is called Interactive logon: Machine inactivity limit and you can find it in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. gpo: Interactive logon Machine inactivity limit

In some cases, you may need to configure different lock policies for different user groups. For example, the screens of office workers should be locked after 10 minutes, and the screens of production or SCADA operators should never be locked. To implement such a strategy, you may use the GPO Security Filtering (see the example with restricting access to USB devices using GPO) or Item Level Targeting in GPP. Let’s study the latter in more detail.

You can configure computer lock settings using the registry instead of GPO, and deploy the corresponding registry settings to users’ computers via GPO. The following registry parameters match the policies discussed above. They are located in the HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsControl PanelDesktop:

  • Password protect the screen saver is a REG_SZ parameter with the name ScreenSaverIsSecure = 1
  • Screen saver timeout is a REG_SZ parameter with the name ScreenSaveTimeout = 300
  • Force specific screen saver is a REG_SZ parameter with the name ScreenSaveActive = 1 and SCRNSAVE.EXE = scrnsave.scr

Create a domain security group (grp_not-lock-prod) for which you want to disable the screen lock policy and add users to it. Create the registry parameters described above in the corresponding GPO section (User Configuration -> Preferences -> Windows Settings -> Registry). Using Item Level Targeting, set for each parameter that the policy must not be applied for the specific security group (the user is not a member of the security group grp_not-lock-prod).

How to exclude specific users or computers from an auto-lockig GPO?

You will also have to create 4 additional registry parameters with a value REG_SZ 0, that forcefully disable screen lock for the group grp_not-lock-prod (otherwise, your GPO won’t overwrite registry values set earlier).





Source link

Mourad ELGORMA

Mourad ELGORMA

Fondateur de summarynetworks, passionné des nouvelles technologies et des métiers de Réseautique , Master en réseaux et système de télécommunications. ,j’ai affaire à Pascal, Delphi, Java, MATLAB, php …Connaissance du protocole TCP / IP, des applications Ethernet, des WLAN …Planification, installation et dépannage de problèmes de réseau informatique……Installez, configurez et dépannez les périphériques Cisco IOS. Surveillez les performances du réseau et isolez les défaillances du réseau. VLANs, protocoles de routage (RIPv2, EIGRP, OSPF.)…..Manipuler des systèmes embarqués (matériel et logiciel ex: Beaglebone Black)…Linux (Ubuntu, kali, serveur Mandriva Fedora, …). Microsoft (Windows, Windows Server 2003). ……Paquet tracer, GNS3, VMware Workstation, Virtual Box, Filezilla (client / serveur), EasyPhp, serveur Wamp,Le système de gestion WORDPRESS………Installation des caméras de surveillance ( technologie hikvision DVR………..). ,

Laisser un commentaire