I work for a healthcare company, and as such we deal with sensitive information. In order to comply with HIPAA regulations, we need to have all computers in this office time out after 15 minutes of inactivity and password lock the computer. I also like this rule because users often leave their desk for the day without logging out. Walking by a PC today, I noticed that it was not timing out. Let’s troubleshoot why.
First, let’s check the policy. Open GPMC through Administrative Tools > Group Policy Management. I already have the policy in effect, but I will tell you how to make a new one and apply it. Drill down Forest > Domains > YourDomain. You will see some items, such as Default Domain Policy, Windows SBS CSE Policy, etc. You will never edit these default policies; always create and link a new policy.
Right click on your domain, and select Create and link a new GPO here. Assign it a name; in this case I named it Screen Saver Time Out. You will see the new policy appear in the list; right click the new policy and select Edit.
Expand Policies under User Configuration, and then expand Administrative Templates. Expand Control Panel, and then click on Display.
These changes will be applied to all users in your organization, which means that any computer that a user logs into gets this policy. These are the settings that I enabled:
Hide Screen Saver Tab
Screen Saver Executable Name
Password Protect the Screen Saver
Screen Saver Timeout
If you do not enable most of these, they will not work. A description of what each setting does is listed in the description tab of each item. For the timeout, I set it to 15 minutes. For the executable name, I set it to logon.scr. This can be different depending on which screen saver you want; make sure that the one you choose exists on all computers in the %windir% directory.
That’s it. Give it 20 minutes to replicate, or go to a workstation and type gpupdate at the command line. Now let’s explore who this applies to.
Exit out of that specific Group Policy, back to the main GPMC window. Highlight the Group Policy you created. On the Scope tab, look under Security Filtering. This should list Authenticated Users, which applies this to everyone. In my case, I use security groups to apply this, and one person was missing from a group, which allowed their screen saver to never come on.
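The same Security Filtering check can be scripted. The PowerShell below is an added example, not part of the original post: it lists every trustee with Apply rights on the GPO and reports whether a given user is covered, directly or through nested group membership. The function name Test-GpoSecurityFilter is hypothetical, and the script assumes the GroupPolicy and ActiveDirectory (RSAT) modules are installed; the GPO name and user are the ones used in this post.

```powershell
# Added example: does the GPO's Security Filtering cover a given user?
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are available.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoSecurityFilter {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $userSid = (Get-ADUser -Identity $SamAccountName).SID.Value

    # Trustees holding GpoApply are what GPMC shows under Security Filtering.
    $trustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee }

    foreach ($t in $trustees) {
        $sid = $t.Sid.Value
        if ($sid -eq 'S-1-5-11') {
            $covers = $true              # Authenticated Users: applies to everyone
        } elseif ($sid -eq $userSid) {
            $covers = $true              # user is listed directly
        } else {
            # Treat the trustee as a group; -Recursive follows nested groups.
            # Non-group trustees (e.g. a computer account) fall into the catch.
            try {
                $members = Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop
            } catch {
                $members = @()
            }
            $covers = @($members | ForEach-Object { $_.SID.Value }) -contains $userSid
        }
        [pscustomobject]@{
            Gpo        = $GpoName
            Trustee    = $t.Name
            CoversUser = $covers
        }
    }
}

$result = @(Test-GpoSecurityFilter -GpoName 'Screen Saver Time Out' -SamAccountName 'Bob')
$result | Format-Table -AutoSize

if (-not ($result.CoversUser -contains $true)) {
    Write-Warning 'User is not in any group listed under Security Filtering; the screen saver lock will not apply.'
}
```

A user added to the filtering group picks up the policy only after logging off and back on, because group membership is evaluated at logon.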
To test if this is being applied, we can run a command right from the server. Under the list of GPOs, click Group Policy Modeling. Right click it and select the Wizard. Click Next, Next. Now select the User radio button, and enter the user you want to test (Bob@solace.local). Now click the Computer radio button and select the computer you want to test (c5.solace.local). You can go through the next pages if you want, but for most pages you can select the checkbox asking if you want to skip them.
The wizard will display your results. Expand Settings, and drill down to Display again to see if the policy was applied.