In this article, you’ll learn how to lock domain computers with a screensaver using group policy (GPO). Using a GPO, you can lock computers after a specific interval of time or after a specific duration of inactivity on the computer and force a screensaver.
Before leaving their desks, employees in most companies are instructed to lock their computers to prevent unauthorized access, because an unlocked computer could be used by unauthorized users. If employees forget to lock their computers, the system administrator can enforce a GPO to lock the computers automatically.
Most organizations prefer to use a branded screen saver that displays their company logo along with company information. However, it is possible that some companies do not have their own unique screensaver. If this is the case, you can make use of the screensavers that come pre-installed with the Windows operating system.
In this article, we will demonstrate how a GPO can help you lock computers in a domain and activate a screensaver after a specified amount of time. We will configure it so that after the computer’s inactivity timeout, it will be locked and the screen saver will appear.
Screensavers for Domain Computers
The Microsoft Server operating systems come preinstalled with a few fundamental screensavers that cannot be customized but can be used with a Group Policy Object (GPO). If your company has a branded screensaver, you can use it and assign it to your domain computers.
It is important to keep in mind that the screensaver will not activate unless the computer has been inactive for a predetermined amount of time. This is also known as system idle timeout, the duration for which the computer remains idle. You can increase the idle timeout before the lock screen appears or the computer goes to sleep.
In this article, we will choose a preinstalled screensaver from Windows Server and apply it to our domain computers using the screensaver GPO. On Windows Server, the screensavers are located in the C:\Windows\WinSxS folder. Navigate to this folder path to access all the preinstalled screensavers. If you have trouble finding them, use the search box to locate the files with the .scr extension.
Once you have finalized the screensaver, copy the screensaver file to a shared folder or a folder path that is accessible to domain computers. This is important because the clients will pick up the screen saver from this location, as defined in the screensaver GPO.
Lock Domain Computers with Screensaver using GPO
We will now go through the steps to lock domain computers and apply a screensaver using group policy. You can create the GPO on a domain controller or a computer installed with GPMC.
- Launch the Group Policy Management console.
- Right-click the domain and click on Create a GPO in this domain and link it here.
- Specify the GPO name, such as Screensaver Policy, and click OK.
Right-click the Screensaver Policy GPO and select Edit. The Group Policy Management Editor launches. In the editor, navigate to the following path: User Configuration > Policies > Administrative Templates > Control Panel and choose the Personalization folder. This is where all the policy settings related to screensavers are located.
Configure Screen Saver Timeout
The first group policy setting that we configure is the screen saver timeout. This policy specifies how much user idle time must elapse before the screen saver is launched. The idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If you set the value to 0, the screen saver will not start.
To configure this setting, right-click the Screen saver timeout policy setting and select Edit. To enable this policy, select Enabled. Specify the number of seconds to wait before the screen saver starts. In this example, we have set an idle time of 60 seconds before the screen saver is displayed. Click Apply and OK.
Force Specific Screen Saver
The next policy that will be configured is "Force Specific Screen Saver". This policy specifies the screen saver for the user's desktop. To enable this setting, right-click the Force Specific Screen Saver setting and select Edit. Enable this policy and specify the name of the file that contains the screen saver, including the folder path where you have placed the screensaver. Click Apply and OK.
Enable Screen Saver for Domain Computers
After you have specified the screen saver location in the above step, the next policy setting that you must configure is "Enable Screen Saver" for your domain computers. Before you enable this setting, you must specify the screen saver executable path and screen saver timeout. Enabling the policy turns the screen saver on for domain computers and applies the screen saver from the specified location.
Double-click the setting "Enable Screen Saver" and select Enabled. This setting enables the screen saver on AD domain computers.
Configure Password Protect the screen saver
To protect your screensaver with a password, you can configure the policy "Password protect the screen saver". Double-click the setting Password protect the screen saver and select Enabled. This setting makes all screen savers password protected. It only takes effect when a screen saver actually runs, so ensure you have also enabled the policy settings Enable screen saver and Screen saver timeout. Click Apply and OK.
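The same four Personalization settings can be written into the GPO from PowerShell instead of the editor. This is an added example, not part of the original article; it assumes the GroupPolicy and ActiveDirectory modules are available, uses a placeholder share path, and relies on the registry value names that back these policy settings (the article itself does not list them).

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: scripted equivalent of the four settings configured above.
$GpoName  = 'Screensaver Policy'               # GPO name used in this article
$ScrPath  = '\\fileserver\share\company.scr'   # placeholder path, replace with your share
$TimeoutS = 60                                 # idle seconds, as in the article

# The timeout policy accepts 1..86400 seconds; 0 means the screen saver never starts.
if ($TimeoutS -lt 1 -or $TimeoutS -gt 86400) {
    throw 'Screen saver timeout must be between 1 and 86400 seconds.'
}

# Per-user policy key and values behind the Personalization settings
# (assumption: standard value names, not taken from the article).
$Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Settings = [ordered]@{
    'ScreenSaveTimeOut'   = "$TimeoutS"   # Screen saver timeout
    'SCRNSAVE.EXE'        = $ScrPath      # Force specific screen saver
    'ScreenSaveActive'    = '1'           # Enable screen saver
    'ScreenSaverIsSecure' = '1'           # Password protect the screen saver
}

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type String -Value $Settings[$name] | Out-Null
}

# Link the GPO at the domain root, matching "Create a GPO in this domain and link it here".
$domainDn = (Get-ADDomain).DistinguishedName
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $domainDn | Out-Null }
```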
End User Experience: Lock Domain Computers with Screensaver
After the GPO has been created and linked, it's time to update the group policy on the client computers and check whether the screensaver is displayed after the idle timeout. There are multiple ways to perform the group policy update on remote computers. On a test client machine, you can manually perform the group policy update by running the gpupdate /force command.
Finally, after exactly 60 seconds (the configured screen saver timeout), the screen saver is enabled and the computer is locked.
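Rather than waiting at the desk, you can confirm on the client that all four settings arrived and are consistent with each other. The check below is an added example, not part of the original article; the function name is hypothetical and the registry value names are the standard ones behind these policies, which the article does not list. Run it as the logged-on user after gpupdate /force.

```powershell
# Added example: audit the per-user screen saver policy that the GPO delivers.
function Test-ScreenSaverLockPolicy {
    param(
        [string]$Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $p) {
        $findings.Add('No policy values found: the GPO has not applied to this user.')
        return [pscustomobject]@{ Compliant = $false; Findings = $findings }
    }

    if ($p.ScreenSaveActive -ne '1') {
        $findings.Add('Enable screen saver is not set.')
    }
    if ($p.ScreenSaverIsSecure -ne '1') {
        $findings.Add('Password protect the screen saver is not set: the screen saver will not lock.')
    }

    # Timeout must be 1..86400 seconds; 0 means the screen saver never starts.
    $timeout = 0
    $parsed = [int]::TryParse([string]$p.ScreenSaveTimeOut, [ref]$timeout)
    if (-not $parsed -or $timeout -lt 1 -or $timeout -gt 86400) {
        $findings.Add('Screen saver timeout is missing, 0, or out of range.')
    }

    # A bare file name is looked up in System32; a full path must be reachable.
    $scr = [string]$p.'SCRNSAVE.EXE'
    if (-not $scr) {
        $findings.Add('Force specific screen saver is not set.')
    } else {
        if (-not [System.IO.Path]::IsPathRooted($scr)) {
            $scr = Join-Path (Join-Path $env:SystemRoot 'System32') $scr
        }
        if (-not (Test-Path -LiteralPath $scr -PathType Leaf)) {
            $findings.Add("Screen saver file is not reachable from this client: $scr")
        }
    }

    [pscustomobject]@{
        Compliant      = ($findings.Count -eq 0)
        TimeoutSeconds = $timeout
        ScreenSaver    = $scr
        Findings       = $findings
    }
}

Test-ScreenSaverLockPolicy | Format-List
```

An unreachable .scr path is the finding to watch for when the file sits on a share that the client or user cannot read.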