Results 1 to 9 of 9

Thread: ScreenSaver timeout problem via GPO

  1. #1
    scott7 Guest

    ScreenSaver timeout problem via GPO

    I have about 4 laptops at my company with special needs. I need the screen
    saver to be totally disabled on these 4. They are used for PowerPoint and
    special assignments and the screen needs to stay on and never lock. Let me
    give you some facts about these laptops so you know the situation.

    1. The laptops are joined to a 2003 domain and live in various OUs.
    2. There is a GPO at the domain level that activates a screen saver at 15
    minutes and requires a password to get back in. This is set in user
    configuration, administrative templates, control panel, display, then screen
    saver enabled, screen saver password enabled, and timeout enabled 900
    seconds. This policy is not enforced so if a lower OU blocks inheritance it
    will not run.
    3. None of the OUs these laptops live in block inheritance so the domain
    policy to enable the screen saver will run.

    I tried to create a security group in active directory and a new GPO (using
    security filtering to only the new group) with a loopback policy (I’ve tried
    replace & merge) changing these screen saver settings. The new GPO was put
    at the domain level. It is set up to disable the screen saver under user
    configuration. I had to take out authenticated users and put in only the new
    group (security filter) so it would not run on the entire domain. I tried to
    place the PCs in the group and the GPO won’t run at all. If I put a user in
    the group the new GPO will run, but only if I put it in order to run after
    the other GPO that turns on the screen saver. With this said I turned off
    loopback processing and it would still run if in the correct order. So
    making a GPO with loopback in the domain does not seem to work. I have run
    gpresult and saw the PCs are in the security group, but the new GPO is not
    listed as running. If the user is in the group it runs in the order I set in
    GPM for the domain.

    Since the first method did not work I decided to try something else. Since
    we only have 4 laptops I decided to try and set a local GP on the laptop
    itself using loopback processing. I found one of the laptops and logged in
    as a local admin. Then I did the start, run, and typed gpedit.msc. I set
    the computer configuration, administrative templates, system, group policy
    area to use loopback. We want to use merge so domain and OU policies get
    combined with my new screen saver policy. On the local laptop I set the
    screen saver policy to disabled in the user configuration area. I still had
    no luck. I tried loopback with replace and merge, but the domain screen
    saver policy still won causing the screen saver to activate at 15 minutes
    with a lock.

    One more test I tried was to put the laptop in an OU that had blocking
    inheritance set up. Since the domain policy for the screen saver activation
    and lock was not enforced my laptop local policy worked fine. When in the
    blocked OU the domain policy never ran and the laptop used my local policy to
    disable the screen saver.

    I have searched the web and everything I read about loopback sounds like
    what I’m doing should work. Especially when I set the policy on the local PC
    I thought the loopback makes my screen saver setting to disable run last and
    win.


  2. #2
    Jorge Silva Guest

    Re: ScreenSaver timeout problem via GPO

    Hi
    When you run rsop.msc can you confirm that the user& computer are getting
    the correct GPOs?

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services


  3. #3
    Marcin Guest

    Re: ScreenSaver timeout problem via GPO

    As per http://support.microsoft.com/kb/231287, you cannot filter the user
    settings that are applied by denying or removing the AGP and Read rights
    from the computer object specified for the loopback policy.

    hth
    Marcin



  4. #4
    ToChuck123 Guest

    RE: ScreenSaver timeout problem via GPO

    I have exactly the same sort of issue, and have had both myself and another
    network person (including a security instructor), and while we all seem to
    have come to the same conclusion that we need loopback processing to make
    this sort of thing work, we haven't been able to get it to work.

    I'm going to list what I have done (which seems almost the same as you
    scott), and I hope that someone will point out the blundering error that we
    are missing.

    - Like you we have a subset of our machines that we don't want the
    screensaver polity to run. Loopback processing seems like that is what it is
    designed for.

    -Like you, I have my users (and computers) organized into different OUs.

    -Like you, I have a screensaver policy that is filtered by security groups.
    But since those groups contain pretty much everyone, everyone gets the
    screenscaver policy.
    Here are the settings:

    Administrative Templates
    Control Panel/Display
    Pollicy Setting
    Password protect the screen saver Enabled
    Screen Saver Enabled
    Screen Saver executable name Enabled
    Screen Saver executable name scrnsave.scr

    Policy Setting
    Screen Saver timeout Enabled
    Number of seconds to wait to enable the Screen Saver
    Seconds: 900



    - I made an "anti-screensaver" policy. For testing purposes, I filtered it
    based on my work computer. Its not REALLY "anti-screensaver" right now cause
    I'm just trying to make the loopback work and want to see a difference in the
    screensavers. So I selected a different screensaver to use. Here are the
    settings for that policy:

    Administrative Templates
    System/Group Policy
    Policy Setting
    User Group Policy loopback processing mode Enabled
    Mode: Merge


    Administrative Templates
    Control Panel/Display
    Policy Setting
    Password protect the screen saver Disabled
    Screen Saver Enabled
    Screen Saver executable name Enabled
    Screen Saver executable name ssstars.scr

    Policy Setting
    Screen Saver timeout Disabled


    - When I run the modeling wizard, I use my active directrory account and my
    computer name, and set it to simulate loopback processing with merge (as it
    is in the policy). It comes back and says that both policies are being
    applied. However, it is the screen saver policy that is "winning". The
    "anti" screen saver policy doesn't override it.

    I would apprecate feedback from anyone who knows more about this than I do
    (which is not loads), as we are desprate to get this to work.

  5. #5
    vikrant Guest
    give a try to utility "Turn Off Monitor" which has a setting to keep system
    actve

    i hope that might be of some use.

    not sure but you may require to run the utility with admin rights

    Try setting the new policy for the laptops as such:
    Number of Seconds to wait to enable the Screen Saver = Enabled at 0 Seconds

  6. #6
    Pam Guest

    RE: ScreenSaver timeout problem via GPO

    I'm not using the loopback, but was trying to implement the whole:

    Administrative Templates
    Control Panel/Display
    Pollicy Setting
    Password protect the screen saver Enabled
    Screen Saver Enabled
    Screen Saver executable name Enabled
    Screen Saver executable name scrnsave.scr

    Policy Setting
    Screen Saver timeout Enabled
    Number of seconds to wait to enable the Screen Saver
    Seconds: 1200

    The timeout would work, but the "password protect the screen saver" would
    not.

    I figured that I had

    Administrative Templates
    System
    Ctrl+Alt+Del Options
    Lock Computer: was enabled

    As soon as I un-enabled this the users started to receive the logon box to
    get back in.

  7. #7
    Pam Guest

    RE: ScreenSaver timeout problem via GPO


    Make sure that
    Administrative Templates
    System
    Ctrl+Alt+Del Options
    Remove Lock Computer

    is not enabled, was stopping the login screen from displaying for users.


  8. #8
    David.Elliott Guest

    RE: ScreenSaver timeout problem via GPO

    Scott7, Did you ever get loopback to work or find out why it did not? I have
    exact same issue, but did not see a resolution on the forum.

  9. #9
    Join Date
    Jan 2011
    Posts
    1

    Re: ScreenSaver timeout problem via GPO

    Hi, on laptop control panel change option of "Power Option/Choose when to turn off the display" to NEVER.

Similar Threads

  1. Applying Windows 7 ScreenSaver Timeout from Group Policy
    By ruchim in forum Windows Security
    Replies: 4
    Last Post: 22-01-2012, 04:27 PM
  2. Replies: 17
    Last Post: 23-06-2011, 11:46 PM
  3. Router Timeout problem
    By Sloane in forum Networking & Security
    Replies: 4
    Last Post: 06-11-2008, 07:00 PM
  4. Force screensaver, timeout and password protect
    By Peach in forum Active Directory
    Replies: 2
    Last Post: 26-02-2008, 03:49 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •