none
Custom lock screen GPO not working for domain users

    Question

  • I have a WS2012 standard server with W8 Pro clients. I'm trying to force the lock screen to a .jpg however it's not working, it leaves the users with just a standard blueish screen.

    I have the "force a specific default lock screen image" enabled with the path \\MRS-DC\WP\mrc_lock_screen.jpg

    The GPO is being applied according to the results wizard, however no image. What gives?


    • Edited by demetri90 Wednesday, July 17, 2013 7:49 PM
    Wednesday, July 17, 2013 7:48 PM

Answers

All replies

  • Hi,

    Please refer to the below articles:

    Win8: How to Manage the Lock Screen Image on Windows 8 and Windows Server 2012

    http://support.microsoft.com/kb/2787100

    Here is a similar thread:

    Change default logon/startup/lock screen in windows 8 pro

    http://social.technet.microsoft.com/Forums/windows/en-US/2590f111-7709-40b9-acee-c2aeaa9a48f8/change-default-logonstartuplock-screen-in-windows-8-pro

    In addition, please check your below policy:

    Prevent changing lock screen image under Computer Configuration\Administrative Templates\Control Panel\Personalization

    Disable it and check the result also.

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Thursday, July 18, 2013 7:13 AM
  • I disabled the "Prevent changing lock screen image", ran a gpupdate on a few different machines and restarted them, same thing. Results wizard shows the GPO being applied.
    Thursday, July 18, 2013 8:55 PM
  • Hi,

    To deploy the new “Force a specific default lock screen image”  GP the following requirements must be met:
    1. The update “Windows 8 and Windows Server 2012 cumulative update: November 2012” must be applied to all Windows 8 and Windows Server 2012 computers that you want to deploy customer lock screen images to. This is required as the Control Panel group policy client side extension must be updated to enforce the group policy
    2. The group policy used to deploy the custom lock screen image must be edited on a machine that has been patched with “Windows 8 and Windows Server 2012 cumulative update: November 2012”

    Have your computer meet the above requirements?

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Friday, July 19, 2013 3:00 AM
  • 1. The update has been applied on both the server and the workstations

    2. What exactly is being edited in group policy?

    Friday, July 19, 2013 12:10 PM
  • What you may want to consider trying is to copy the lock image to the users devices (maybe with your login script) then point to the local location?

    Perhaps copy it to %systemroot% from your network share, then point the GPO to the local location.  By using something like %systemroot%, you *know* every PC is going to have that location (after all, it should be the Windows directory) and every PC *will* have access to it, as will every user of a PC.

    Jason


    Jason A.

    Friday, July 19, 2013 1:08 PM
  • I don't have a bunch of experience scripting. But would this suffice? Would saving it as a .txt file work?

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    
    ' Source file.
    strSource = "\\MRS-DC\WP\mrc_lock_screen.jpg"
    
    ' Target location.
    strTarget = "%systemroot%"
    
    ' Copy file.
    objFSO.CopyFile strSource, strTarget, True

    Friday, July 19, 2013 1:40 PM
  • While you potentially could save a script (say a VBScript) with a txt extension and explicitly call it (something like cscript myscript.txt) that can be confusing.  Generally you're better off using the "normal" extension for the language (so .vbs for VBScript, .ps1 for Powershell)

    The code you posted looks like Powershell?  If so, it should work, although (I just realized) you may run into issues copying into the \windows directory with UAC and the like.  Best option, pick a user and use them as your test vicitm for the script, see if it works when they run it.  If so, then look at making it part of your domain login script and test again...

    Jason


    Jason A.

    Friday, July 19, 2013 1:50 PM
  • Yeah, using the Powershell ISE, I'm getting code errors, I know nothing about the syntax of Powershell.
    Friday, July 19, 2013 1:59 PM
  • Kind of annoying though that we have to resort to using powershell scripts to achieve this.
    Friday, July 19, 2013 2:09 PM
  • Thinking about it, you could just fall back on a DOS batch file.

    Something along the lines of:

    @echo off
    copy \\MRS-DC\WP\mrc_lock_screen.jpg %systemroot%

    ought to do it.

    As for the scripting, it's never going to go away, there's too many things you can do with it in ways that you can't do with GPOs...


    Jason A.

    Friday, July 19, 2013 2:14 PM
  • I've been trying to create a script, but I'm getting permissions issues. That batch script has the same problem I run into, Access denied.
    Friday, July 19, 2013 2:37 PM
  • Yeah, sounds like the UAC stuff.  MS beefed up the protection of the \windows directory.  You may want to go with creating a folder on the root of the OS drive, and save the image there.

    You could try this with the batch file:

    @echo off
    %systemdrive%
    cd\
    md lockimage
    cd lockimage
    copy \\MRS-DC\WP\mrc_lock_screen.jpg .\


    Jason A.

    Friday, July 19, 2013 2:58 PM
  • I made a powershell script that works, copying the .jpg to the users documents folder doesn't require UAC. However for some reason my script doesn't want to run at startup for some reason in this GPO.
    Friday, July 19, 2013 3:18 PM
  • Cool!

    When a GPO is applied to some extent depends on the type of GPO.  If the settings are in the "User" section of a GPO, someone needs to login before those settings will apply.  If it's in the "Computer" section, then it will apply before login (but most times scripts that are here {and I'm not sure you can set up a script here} would fail, as the *computer* account probably wouldn't have access to the share)

    Generally, I think the best place to put a script like your image copy would be in the "Login script" section for each user.  Sure, the first time someone logs in, they won't have the right image, but that's one of those things you just need to put up with...

    Congrats!

    Jason


    Jason A.

    Friday, July 19, 2013 4:12 PM
  • Still having trouble, I assigned the script to the login policy in my GPO, it's being shown as applied, however doesn't say when the script was last run under the results wizard.

    It would be nice not to have to deal with the scripting part in the first place. What's the point of a policy if it doesn't work?

    Friday, July 19, 2013 5:19 PM
  • Got it working, put the image in the sysvol folder. Works fine now.
    Monday, July 29, 2013 9:35 PM