In this article we’ll show how to configure automatic screen (session) lock on domain computers or servers using Group Policy. Locking the computer screen when the user is inactive (idle) is an important information security element. The user may forget to lock his desktop (with the keyboard shortcut Win + L) when he needs to leave the workplace for a short time. In this case, any other employee or client who is nearby can access his data. The auto-lock screen policy will fix this flaw. After some time of inactivity (idle), the user’s desktop will be automatically locked, and the user will need to re-enter their domain password to return to the session.
Let’s create and configure a domain Group Policy to manage screen lock options:
- Open the Group Policy Management console (
gpmc.msc), create a new GPO object (LockScreenPolicy) and link it to the domain root (or to the Users OU);
- Edit the policy edit and go to the User Configuration -> Policies -> Administrative Templates -> Control Panel -> Personalization;
- There are some options to manage screen saver and screen lock settings in the GPO section:
- Enable screen saver
- Password protect the screen saver — prompts to enter a password to unlock a computer
- Screen saver timeout – sets time in seconds when a screen saver will be enabled and a computer will be locked if a user is inactive
- Force specific screen saver – you may specify a screen saver file to be used. The most often it is
scrnsave.scr(you can make a slideshow screen saver using GPO) - Prevent changing screen saver – prevents users from changing screen saver settings
- Enable all policies and set a computer idle time in the Screen saver timeout policy. I have entered 300. It means that user sessions will be automatically locked after 5 minutes;
- Wait until the Group Policy settings are updated on the clients or refresh them manually with the command:
gpupdate /force. After the GPO has been applied, screen saver and screen lock settings will be protected from editing in the Windows interface, and user sessions will be locked in 5 minutes of inactivity (to diagnose how the GPO is applied, you can use gpresult tool and the article following this link).
In some cases, you may need to configure different lock policies for different user groups. For example, the screens of office workers should be locked after 10 minutes, and the screens of production or SCADA operators should never be locked. To implement such a strategy, you may use the GPO Security Filtering (see the example with restricting access to USB devices using GPO) or Item Level Targeting in GPP. Let’s study the latter in more detail.
You can configure computer lock settings using the registry instead of GPO, and deploy the corresponding registry settings to users’ computers via GPO. The following registry parameters match the policies discussed above. They are located in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop:
- Password protect the screen saver is a REG_SZ parameter with the name ScreenSaverIsSecure = 1
- Screen saver timeout is a REG_SZ parameter with the name ScreenSaveTimeout = 300
- Force specific screen saver is a REG_SZ parameter with the name ScreenSaveActive = 1 and SCRNSAVE.EXE = scrnsave.scr
Create a domain security group (grp_not-lock-prod) for which you want to disable the screen lock policy and add users to it. Create the registry parameters described above in the corresponding GPO section (User Configuration -> Preferences -> Windows Settings -> Registry). Using Item Level Targeting, set for each parameter that the policy must not be applied for the specific security group (the user is not a member of the security group grp_not-lock-prod).
1 comment
Starting with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting Interactive logon: Machine inactivity limit