In this post, we’ll show you how to use Group Policy to setup automatic screen (session) lock on domain workstations and servers. An important aspect of information security is locking the computer screen when the user is inactive (idle). When the user needs to leave the office for a short time, he may forget to lock his desktop (using the keyboard shortcut Win + L).
In this circumstance, every adjacent employee or client has access to his information. This problem will be fixed by enforcing the auto-lock screen policy. The user’s desktop will be automatically locked after a period of inactivity (idle), and the user will need to re-enter their domain password to return to the session.
To handle screen lock settings, let’s build and set a domain Group Policy:
Create a new GPO object (LockScreenPolicy) and link it to the domain root (or the Users OU) in the Group Policy Management console (gpmc.msc).
In the Screen saver timeout policy, enable all rules and set a computer idle time. I’ve input the number 300. It means that after 5 minutes, user sessions will be automatically locked.
You may need to set up various lock policies for various user groups in some circumstances. For example, office workers’ screens should be locked after 10 minutes, but production or operators’ screens should never be locked. You can use GPO Security Filtering or Item Level Targeting in GPP to implement such a strategy. Let’s take a closer look at the latter.
Instead of utilising GPO, you can utilise the registry to configure computer lock settings and then GPO to deploy the registry settings to users’ computers. The registry settings listed below correspond to the policies mentioned above. They can be found in the
A REG SZ option named ScreenSaverIsSecure = is used to protect the screen saver with a password.
ScreenSaveTimeout = 300 is a REG SZ parameter for the screen saver timeout.
ScreenSaveActive = 1 and SCRNSAVE.EXE = scrnsave.scr are REG SZ parameters that force a certain screen saver.
To disable the screen lock policy, create a domain security group (grp not-lock-prod) and add users to it. In the applicable GPO area (User Configuration -> Preferences -> Windows Settings -> Registry), create the registry parameters specified above. Set the policy not to apply for the specific security group for each parameter using Item Level Targeting.
You’ll also need to add four more registry parameters with the value REG SZ 0 to force the group grp not-lock-prod to disable
At Velan, our server support engineers can manage group policy on your server. If you are interested in our service, please fill the Quick connect form to get in touch with us.