NT Server / policies / screensaver locking

[bplatosz]

Is there a way that you can implement a policy in NT where you force all of the workstations to have a specific screensaver with the "Password Protect" option enabled and be able to specify the "Wait Minutes"?

 

[gensan]

From your NT server, run POLEDIT (Policy Editor).
Connect to the computer you want to implement controls.
Click on Control Panel / Desktop to set the restrictions.
You can also do a lot of restrictions using policy editor. Try looking into the other options.

 

[bplatosz]

In Policy Editor... can you do it to all computers in a domain, or do you have to do it one at a time?

Thanks in advance...

 

[shipmate]

You can do all the computers in the domain;
Read this;

http://windows.oreilly.com/news/syspolicy_0600.html

Basically, run it like a login script, put the created policy file in %systemroot%\winnt\system32\repl\import\scripts. This way, yuo can update the policy once, and it will be distributed.

In the policy file, you can create restrictions for computers, users, or groups......

 

[yizhar]

HI.

As with any other policy, you can define it on the "Default User", and/or on specific "Group/User" objects (so you can define it on a "Domain Users" group.

Read the NT RK docs about Poledit, I don't remember the exact details of policy scope. And do some piloting ofcourse.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[ntroger]

I implemented a screensaver thru system policies recently in my organization.

You have to type in an additional template for this, because by default screensavers do not show up in policy editor. See technet Q195655 for more information: Here's a link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q195655

A straightforward example of how to do this would be as follows (at my organization there is more involved, more than 1 domain etc):
- log in to your pdc, type in the text at the end of this post, and save it as Winnt\Inf\Scrsave.adm
- bring up policy editor on the pdc, click Options, click Policy Template, add Scrsave.adm to the template files
- now you can load your policy from %systemroot%\winnt\system32\repl\export\scripts\ntconfig.pol (or create a new one)
- because you loaded Scrsave.adm, you should be able to see screensaver options from within policy editor now
- after you set your screensaver options and save them, copy ntconfig.pol to the Netlogon directory (aka %systemroot%\winnt\system32\repl\import\scripts) on your pdc and each of your bdcs.(If you have Directory Replication established, you can skip this.) By putting ntconfig.pol in the Netlogon share on all the dc's, all NT4 workstations will pick it up.
That's about it. Note that users can still change their screensaver after they log in. However this helps to keeps the less computer-literate folks from walking away and leaving their desktops unlocked for hours at a time.

---Scrsave.adm from Q195655,change logon.scr to whatever you want------------------------------

CLASS USER

CATEGORY !!Screen_Saver_Policy
POLICY !!Screen_Saver
KEYNAME "Control Panel\Desktop"
PART !!Screen_Saver_Location EDITTEXT
DEFAULT !!DEF_SCREEN_SAVER
VALUENAME SCRNSAVE.EXE
END PART
END POLICY
POLICY !!ENABLE_SCREEN_SAVER
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaveActive
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!SCREEN_SAVER_IDLE_TIMEOUT
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaveTimeout
VALUEON "600"
END POLICY
POLICY !!ENABLE_Password
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaverIsSecure
VALUEON "1" VALUEOFF "0"
END POLICY
END CATEGORY

[strings]
Screen_Saver_Policy="Screen Saver Policies"
Screen_Saver="Screen Saver"
ENABLE_SCREEN_SAVER="Enable Screen Saver"
Screen_Saver_Location="Enter the location of the Screen Saver"
DEF_Screen_Saver="%SYSTEMROOT%\system32\logon.scr"
ENABLE_Password=Enable Password
SCREEN_SAVER_IDLE_TIMEOUT="Screen Saver Activation Timeout"
Scrsave.adm <end>