Lock Computers In Domain Via Group Policy

In this post I will show you how to lock computers in a domain via group policy. Using group policy you can lock computers after a specific interval of time or after a specific duration of inactivity on the computer.

In most organizations the employees are advised to lock their computer before they step away from it. This is because an unlocked computer can be accessed by someone else.

With the help of group policy the administrator can define settings to automatically lock the computer after a specified number of minutes. This prevents unauthorized access to the computer even if employees forget to lock it.

Most companies have a branded screen saver that displays their company logo along with company information. In this post I will use a screen saver that comes with the Windows operating system.

We will configure it so that after the inactivity timeout the screen saver is displayed and the computer gets locked.

When the user clicks on the screen saver, the computer prompts the user to enter credentials to log in. Windows Server 2008 R2 comes with a few built-in screen savers; we will be using one of them.

Screen saver location – C:\Windows\WinSxS folder. Navigate to this folder and look for .scr files.

Once you have found the screen saver, copy the screen saver file to a shared folder. The clients will pick up the screen saver from this location.

Lock Computers In Domain Via Group Policy

Using group policy, we will see how to lock domain computers.

  • Open the Group Policy Management.
  • Right click the domain and click on Create a GPO in this domain and link it here.
  • Provide a name to the policy such as Screensaver Policy and click OK.

Right click the Screen saver policy and click Edit.

The Group Policy Management Editor opens in a new window. Now expand User Configuration > Policies > Administrative Templates > Control Panel. Click Personalization. We will configure the policy settings now.

First of all, let’s deal with the screen saver timeout setting. Double click on the Screen saver timeout policy setting.

Click Enabled to enable this policy setting. Set the time after which the screen saver should appear. In this example I will set the idle time to 60 seconds. Click Apply and OK.

Next, double click the policy setting Force specific screen saver. When enabled, this setting displays the screen saver specified in the policy setting.

Enable this policy and provide the screen saver path. Click Apply and OK.

Double click the setting Enable Screen saver, click Enabled. This setting enables the screen saver. Before you enable this setting you must specify the screen saver executable path and screen saver timeout.

Double click the setting Password protect the screen saver and click Enabled. This setting will make all the screen savers password protected.

Using this policy we enable password protection on the screen saver. Therefore ensure you have also enabled the policy settings Enable screen saver and Screen saver timeout. Click Apply and OK.

Finally, after exactly 60 seconds (the screen saver timeout), the screen saver is enabled and the computer is locked.
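The four Personalization settings configured above are stored as values under the user's policy registry key. As an added example (not part of the original post), this read-only PowerShell check confirms on a client that they applied; the share path is a hypothetical placeholder and the 60-second limit is the value used in this post.

```powershell
# Added example: read-only audit of the four screen saver policy values for the
# logged-on user. Run it on a client after the policy has been refreshed.
$policyKey         = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$maxTimeoutSeconds = 60                                    # value used in this post
$expectedScr       = '\\fileserver\share\screensaver.scr'  # hypothetical placeholder path

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the key or the value is absent (policy not applied).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-ScreenSaverLockPolicy {
    $active  = Get-PolicyValue 'ScreenSaveActive'
    $secure  = Get-PolicyValue 'ScreenSaverIsSecure'
    $timeout = Get-PolicyValue 'ScreenSaveTimeOut'
    $scr     = Get-PolicyValue 'SCRNSAVE.EXE'

    # The timeout is stored as text; missing, non-numeric or zero counts as a failure.
    $seconds   = 0
    $timeoutOk = [int]::TryParse([string]$timeout, [ref]$seconds) -and
                 $seconds -gt 0 -and $seconds -le $maxTimeoutSeconds

    # The forced screen saver must match the share path and be readable by this user.
    $scrOk = ($scr -eq $expectedScr) -and (Test-Path -LiteralPath $scr -PathType Leaf)

    $rows = @(
        @('Enable screen saver',               'ScreenSaveActive',    $active,  ($active -eq '1')),
        @('Password protect the screen saver', 'ScreenSaverIsSecure', $secure,  ($secure -eq '1')),
        @('Screen saver timeout',              'ScreenSaveTimeOut',   $timeout, $timeoutOk),
        @('Force specific screen saver',       'SCRNSAVE.EXE',        $scr,     $scrOk)
    )
    foreach ($r in $rows) {
        [pscustomobject]@{
            Setting = $r[0]; RegistryValue = $r[1]; Actual = $r[2]; Compliant = $r[3]
        }
    }
}

$results = @(Test-ScreenSaverLockPolicy)
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'Screen saver lock policy is missing or weaker than expected for this user.'
}
```

An empty Actual column means the GPO did not reach that user, which is the case to investigate first (link scope, security filtering, or a policy refresh that has not happened yet).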