Lock Computers In Domain Via Group Policy

In this post I will show you how to lock computers in domain via group policy. Using group policy you can lock computers after specific interval of time or after specific duration of inactivity on the computer.

In most organizations the employees are advised to lock their computer before they step away from it. This is because without locking the computer, some one could access it.

With the help of group policy the administrator can define settings to automatically lock the computer after the specified amount of minutes. This will prevent the unauthorized access to the computer even though the employees forget to lock their computers.

Most companies have a branded screen saver that displays their company logo along with company information. In this post I will use a screen saver that comes with windows operating system.

We will configure it in a way that after the inactivity timeout on the computer, the computer gets locked. The screen saver is displayed.

When the user clicks on screen saver, the computer prompts user to enter the credentials to login. Windows server 2008 R2 comes with few inbuilt screen savers, we will be using one of them.

Screen Save location – C:\Windows\WinSxS folder. Navigate to this folder and look for .scr files.

Lock Computers In Domain Via Group Policy-Snap7

Once you have found the screen saver, copy the screen saver file to a shared folder. The clients will pick up the screen saver from this location.

Lock Computers In Domain Via Group Policy-Snap8

Lock Computers In Domain Via Group Policy

Using group policy, we will see how to lock domain computers.

  • Open the Group Policy Management.
  • Right click the domain and click on Create a GPO in this domain and link it here.
  • Provide a name to the policy such as Screensaver Policy and click OK.

Lock Computers In Domain Via Group Policy-Snap1

Right click the Screen saver policy and click Edit.

The Group Policy Management Editor opens in a new window. Now expand User Configuration > Policies > Administrative Templates > Control Panel. Click Personalization. We will configure the policy settings now.

Lock Computers In Domain Via Group Policy-Snap2

First all all let’s deal with screen save timeout setting. Double click on Screen saver timeout policy setting.

Click Enabled to enable this policy setting. Set the time after which the screen saver should appear. In this example I will set the idle time to 60 seconds. Click Apply and OK.
Lock Computers In Domain Via Group Policy-Snap3

Next double click the policy setting Force specific screen saver. This setting if enabled displays the screen saver specified in the policy setting.

Enable this policy and provide the screen saver patch. Click Apply and OK.

Lock Computers In Domain Via Group Policy-Snap4

Double click the setting Enable Screen saver, click Enabled. This setting enables the screen saver. Before you enable this setting you must specify the screen saver executable path and screen saver timeout.

Lock Computers In Domain Via Group Policy-Snap5

Double click the setting Password protect the screen saver and click Enabled. This setting will make all the screen savers password protected.

Using this policy we enable password protection on screen saver. Therefore ensure you have enabled the policy setting Enable screen saver and Screen saver timeout. Click Apply and OK.

Lock Computers In Domain Via Group Policy-Snap6Finally after exactly 60 seconds (Screen saver time out) the screen saver is enabled and the computer is locked.

Related Posts

37
Leave a Reply

avatar
23 Comment threads
14 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
newest oldest most voted
Mokshith
Guest
Mokshith

Hi Prajwal,

Can we do this using sccm by creating a configuration item and baseline

debdas sardar
Guest
debdas sardar

Personalization not found in GPO 2008r2

Lily
Guest
Lily

I am using windows server 2008 R2 standard. i have done all of the above and it did not work.
i have also run gpupdate /force and gpresult /r on the client. The policy is listed but it did not lock after 60secs.
Pls assist.

Nick
Guest
Nick

These instructions are out of date and do not work in Server 2012 R2 environments. The descriptions for many of the above settings in fact begin with “This setting is obselete and will not be available in the future (not reflected in your screenshots above). Use such_and_such policy instead.” Unfortunately the referenced policies have a different purpose and cannot be used to lock the screen after X minutes of inactivity. Can you provide updated instructions applicable to Server 2012 R2 / 2016 with Windows 7 & 10 clients to accomplish the same? Thanks.

Ramesh
Guest
Ramesh

Hi There, is it also possible to combine two jpg files into one and use it as a screen saver. Thanks

Nazir Shah
Guest
Nazir Shah

Your posts are always awesome..Here is my case I have applied the policy successfully. Screen saver starts after 4 mins. but I don’t want the screen lock at the same time. I removed “require a password to unlock” in order to leave it on and I enabled “Interactive logon: Machine inactivity limit”. to 10 mins Now screen saver is working but it never locks the computer. I need it to start the screen saver after 4 mins and if user touches the mouse or keyboard til 10 min it should not ask for password but if he touches after 10… Read more »

Amol bagal
Guest
Amol bagal

I have lab of 50 machine I want to lock the screen of all 50 machine during the theory session and again unlock the same during the practical session. the theory and practical session goes on simultaneously

Nick Cappello
Guest
Nick Cappello

Prajwal, I love the ease in the way you did this, but is there a way to also lock the users out from being able to set their own timeouts via GPO?

Frank Garufi Jr.
Guest
Frank Garufi Jr.

Hi Prajwal… Can you tell me if this would also apply to Windows 10 or is there a different method for doing the same thing?

James Vincent
Member
James Vincent

You could create a GPO and configure the settings to lock computers. Apply this GPO to specific OU’s. You could exclude them from OU (computers) where you don’t want this policy to be applied.

Amit
Guest
Amit

I tried this but the lock computers settings are part of the user configuration and not within computer configuration.
So, we have this GPO that is applied to our domain with security filtering of authenticated users. I have added computers that do not need the lock policy to an OU and have also enabled this GPO on this OU but i have enabled loop back processing with merge mode enabled. I am hoping that this works in excluding these computers. is this the right approach?

Amit
Guest
Amit

Hi Prajwal, this is working as you have described above. However, we have a need to disable this screen lock feature on a few selected PC’s in our environment. How can we accomplish this using this GPO. thanks for your help.

Amit
Guest
Amit

Hi Prajwal, I have set this up as you have shown in your post above, and its working as configured. However, we have a need for a few computers to not exhibit this screensaver locking feature. What changes do i need to make in order to make sure that these set of computers do not lock every 30 minutes. Please advise. Your input is much appreciated. Thanks again.

John
Guest
John

I have an AD policy to lock the screen on a workstation and when it invokes rundll32 user32.dll,LockWorkstation there is a ding or windows startup like sound (Windows 7) when the screen locks. Is there anyway thru policy to turn off just that sound?

James Vincent
Member
James Vincent

Hi John, those are the sounds defined by Microsoft when an event happens, they differ on the Themes that you install . Those settings can be found under Control Panel > Sound. I am not aware of any policy that can disable this setting on group of computers.

John
Guest
John

I have an AD policy to lock the screen on a workstation and when it invokes rundll32 user32.dll,LockWorkstation there is a ding or windows startup like sound (Windows 7) when the screen locks. Is there anyway thru policy to turn off just that sound?

Daniel Nitecki
Guest
Daniel Nitecki

Thanks for the info, your site is very helpful.
However, you should really look in to however you’re monetizing as the vast majority of the ads I’m getting are spammy, at best – Lots of fake “Update Required” type stuff…

James Vincent
Member
James Vincent

@Daniel – The ads are bidvertiser ads and I have checked with them on this and they have confirmed that ads are harmless.

Jerry Cabrera
Guest
Jerry Cabrera

Having a similar issue to Shy, where as we have set GP to 130 minutes but it locks after 2 minutes of inactivity.

Léon Lamothe
Guest
Léon Lamothe

the setting is in seconds… 130 seconds = 2 minutes

Shy
Guest
Shy

Dear Prajwal i configured like this but my all users pcs are locking after 30 second and i set the timing of 120 second. i restarted the server and user pc also but still same problem
now i remove all the configuration but still pcs are locking after 30 second please help me
i am waiting for your reply please reply me ASAP.

Thanks in advance

Jerry Cabrera
Guest
Jerry Cabrera

I am having a similar issue, I have ours set to 130 minutes but it locks after 2 minutes of inactivity. were you able to find any answers?

Mohan
Guest
Mohan

Can we do deploy screen saver through SCCM.

OZZIE
Guest
OZZIE

Thanks PD.

i am trying to apply on a computer OU..specific computer. it is not getting applied.

Any suggestion.

Alex
Guest
Alex

If you’re applying user settings to a computer OU, you’ll need to enable group policy loopback processing

Jeff
Guest
Jeff

Thanks for the directions, they worked great!

Is there a way to have this overwrite a computer that previously had a lockout time? For example, mine was previously set to 1 minute which still locks out at 1 minute even though the GPO changed the setting to 5 minutes.

SUSHIL KUMAR
Guest
SUSHIL KUMAR

Thanks a lot this suggestion.

i need one help more and that is how to give printer to all user from server. I mean when user login they get the printer which is instaled in server.

Thanks.

Anil yadav
Guest
Anil yadav

Hi Prajwal,

Really helpfull to me and many thanks for your support and contribution.

THNKS ONCE AGAIN.

Karthik
Guest
Karthik

Thank you..I’m new to server and AD..Started learning SCCM..I’m impressed with your dedication,knowledge and contribution to people.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More