Wanted: How To Set Screen Saver Grace Period in Windows 7

    Question

  • I hope someone can help me.

    I am trying to set the Screen Saver Grace Period in Windows 7.

    For those that are unaware...The Screen Saver Grace Period specifies the delay between the appearance of a password-protected screen saver and the enforcement of the password requirement.

    Other Windows operating systems have used the following registry key...

         HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod : REG_SZ

    Microsoft's documentation incorrectly states that this registry value should be of type REG_DWORD.

    Regardless, I have tried both and neither work.  I have also tried "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" and that doesn't work either.

    Does anyone have this working?

    Out of interest we use Windows 7 Enterprise (with a mixture of 32-bit and 64-bit operating systems).

    Lee
    Monday, December 14, 2009 1:59 PM

All replies

  • Hi Lee,

    First, please let us know if you have joined your computer to a domain yet. If you have joined your company domain, you may not be able to change the grace period due to the domain policy settings. You can test on a clean Windows 7 operating system.

    In my test, I can set the grace period after adding the following registry entry.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    then Double-click ScreenSaverGracePeriod, and then enter a number in the Value data box that represents the password activation delay in seconds.

    I hope this can help you.

     


    John
    • Proposed as answer by Vivian Xing Thursday, December 17, 2009 9:18 AM
    • Unproposed as answer by Lee Wilmott Thursday, December 17, 2009 6:13 PM
    Tuesday, December 15, 2009 9:10 AM
  • Hi John,

    Many thanks for your reply.

    In light of your email, I removed a workstation from the domain (Windows 7 Enterprise x86) and added the following registry key...

         HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod : REG_SZ : 12

    ...I then tested it.  It worked, exactly how it is intended.

    [Incidentally, I found that a default install does not have this registry setting by default - you must create this registry entry]

    I then added my workstation back into the Domain and the ScreenSaverGracePeriod no longer works!!

    So, one would assume that there is a policy that is overriding my setting...but I cannot find it.

    I do have a policy that specifies the screensaver, the timeouts, prevents changing the screensaver...etc...But surely this shouldn't affect the grace period.

    Do you, or anyone else, have any idea where this policy is, or how to set the "ScreenSaverGracePeriod" for a workstation that is in a domain?

    Many thanks,

    Lee
    Tuesday, December 15, 2009 1:28 PM
  • Hi Lee,

    I am glad to hear it works after removing your computer from the Domain.

    As for your request, it's better to contact your domain administrator to inquire which kind of policy they have set, since most domain settings are different from the local settings and can only be modified by the domain administrator.

    I hope this helps you.


      
    John
    Wednesday, December 16, 2009 10:10 AM
  • Hi John,

    Once again, many thanks for your post.

    Anyway, I 'am' the Domain Administrator!  I have set all the Domain policies!  Although I remember setting the Screen Saver Grace Period in the past - I do not remember it being a 'policy'.

    I have looked at the Resultant Set of Policies and I can't see anything that specifies the Screen Saver Grace Period.

    I have looked through all the Policy Definition Files (ADM and ADML) and I can't see 'anything' that specifies the Screen Saver Grace Period in there either!

    What I would like to know is...from my testing it appears as though the Screen Saver Grace Period does not work when a Windows 7 workstation is added to a domain.

    Has anyone, including yourself, managed to get the Screen Saver Grace Period working on a Windows 7 workstation that is in a domain...if so, what are you doing differently to me?!?!?!

    Lee
    Thursday, December 17, 2009 6:01 PM

  • Hi there, the screensaver grace period allows for user movement before the screen saver lock takes effect. If you set the grace period, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect.

    Generally, domain GP will enforce a password-protected screensaver and yes, there are no GP settings you can modify. If you would like to try to apply this setting manually (actually, there might be a workaround), you can use the following methods to import the HKLM REG_SZ value:

    1. Use GPPs (Group Policy Preferences) to add the registry value
    2. Add a startup script to import the registry key (computer level: HKEY_LOCAL_MACHINE)

    PS: I have not tested it yet, and I strongly recommend you do not apply this setting in a domain since it will cause a potential security problem.

    Friday, December 18, 2009 10:21 AM
  • Gordon,

    I appreciate your concern...I understand the risk; obviously the risk is increased the greater the delay before the password is enforced.  I only wish to have a delay of 2-3 seconds so that entry of the password is avoided if, for example, the screen saver begins while you are reading a document.  Either way, I accept the risks involved.

    Anyway, that aside...

    I seem to be having trouble getting across what the problem is...

    I know how to create Group Policy Preference entries...I know how to modify the registry...I know how to automate this process too...

    What I'm having a problem with is enabling the Screen Saver Grace Period on a Windows 7 workstation that is a member of our domain.  If I set the Screen Saver Grace Period registry key (as specified in my earlier post), then it WORKS when the workstation is NOT a member of our domain (ie. in a WORKGROUP) and DOESN'T work when the workstation IS a member of our domain.

    I am not aware of, nor can I find any Group Policy setting in our domain that overrides these settings.

    Lee
    Friday, December 18, 2009 4:15 PM
  • 1. Have you logged on with a normal domain account to check the registry value?
    2. How exactly do you import the value? Any permission issues?

    PS: I'm afraid that there is no Group Policy setting in the domain that can override this setting.
    Saturday, December 19, 2009 11:23 AM
  • Lee, I am having the exact issue you are and have NOT figured out how to set the grace period.  All of my XP and Vista machines are fine but every Windows 7 machine goes straight to the password-protected screensaver immediately.  It's killing me!  I'm going to keep looking and I'll post back if I figure it out.
    Tuesday, January 26, 2010 7:08 PM
  • TheWeez,

    I believe I have sorted this issue.  I can't tell you exactly what the problem is, but I can give you all the information I have!

    We were/are using a customised screen saver - one that our company has created.  The only explanation I can give is that there 'appeared' to be 'something' wrong with it.  We re-created the screen saver and the problem has now been resolved.

    I have not needed to deploy the "ScreenSaverGracePeriod" registry settings to any of our Windows 7 workstations, because it seems to be enabled by default (even though this registry setting does not exist in Windows 7).

    ASSUMPTION WARNING

    I 'guess' you can still use the "ScreenSaverGracePeriod" registry setting to change the timeout period.  If this registry key doesn't exist then I assume the default period is used.  'Perhaps' a value of "0" disables this feature!

    Lee
    Friday, February 05, 2010 10:34 AM
  • I had this problem with Windows 7 on a domain-joined computer. The problem was resolved by modifying the screen saver selection from "(none)" to a valid screensaver "blank". Perhaps the logic is that if there is no screensaver selected, then there is nothing to which to apply the grace period.

    Additional detail is that in my environment the screensaver selection was locked down by GPO setting to "logon.scr". The executable for the "blank" screensaver in Windows 7 is "scrnsave.scr". The "logon.scr" file does not exist in our image of Windows 7. Since Windows could not find logon.scr it chose "(none)". The GPO setting is at User Configuration | Policies | Administrative Templates | Control Panel | Personalization | Force specific screen saver.

    Chris

    Thursday, December 09, 2010 5:50 PM
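A read-only check for the condition Chris describes (a policy-forced screen saver whose .scr file is missing) together with the ScreenSaverGracePeriod value from the posts above, as an added example that is not part of the original thread. The helper names are hypothetical, and the script assumes the screen-saver policies are stored under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop as SCRNSAVE.EXE and ScreenSaverIsSecure, so it must run as the affected user.

```powershell
# Added example: audits the settings discussed in this thread; changes nothing.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumed policy location for the Control Panel > Personalization settings.
$policy   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$user     = 'HKCU:\Control Panel\Desktop'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Resolve-ScreenSaver($Name) {
    # Returns the full path of the .scr file, or nothing if it cannot be found.
    if ([string]::IsNullOrEmpty($Name)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Name)
    if ([IO.Path]::IsPathRooted($expanded)) {
        $candidates = @($expanded)
    } else {
        $candidates = @((Join-Path $env:SystemRoot "System32\$expanded"),
                        (Join-Path $env:SystemRoot $expanded))
    }
    $candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
        Select-Object -First 1
}

$grace     = Get-RegValue $winlogon 'ScreenSaverGracePeriod'
$graceType = $null
if ($null -ne $grace) {
    # REG_SZ shows as String, REG_DWORD as DWord.
    $graceType = (Get-Item $winlogon).GetValueKind('ScreenSaverGracePeriod')
}

# A policy-forced screen saver takes precedence over the user's own choice.
$forced = Get-RegValue $policy 'SCRNSAVE.EXE'
$chosen = if ($forced) { $forced } else { Get-RegValue $user 'SCRNSAVE.EXE' }
$secure = Get-RegValue $policy 'ScreenSaverIsSecure'
if ($null -eq $secure) { $secure = Get-RegValue $user 'ScreenSaverIsSecure' }

New-Object PSObject -Property @{
    GracePeriodValue  = $grace                        # empty: value not created
    GracePeriodType   = $graceType
    ForcedByPolicy    = [bool]$forced
    ScreenSaver       = $chosen
    ScreenSaverFound  = [bool](Resolve-ScreenSaver $chosen)
    PasswordProtected = ($secure -eq '1')
}
```

A result with ForcedByPolicy true and ScreenSaverFound false matches the situation in the post above, where the forced logon.scr did not exist in the Windows 7 image.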
  • I had this problem with Windows 7 on a domain-joined computer. The problem was resolved by modifying the screen saver selection from "(none)" to a valid screensaver "blank". Perhaps the logic is that if there is no screensaver selected, then there is nothing to which to apply the grace period.

    Additional detail is that in my environment the screensaver selection was locked down by GPO setting to "logon.scr". The executable for the "blank" screensaver in Windows 7 is "scrnsave.scr". The "logon.scr" file does not exist in our image of Windows 7. Since Windows could not find logon.scr it chose "(none)". The GPO setting is at User Configuration | Policies | Administrative Templates | Control Panel | Personalization | Force specific screen saver.

    Chris

    Thanks.    Changing my screen saver from "none" to "blank" fixed my problem (along with adding the registry key).

    Alan

    Thursday, December 30, 2010 1:59 AM
  • Did you ever try setting your Grace Period to more than 60 seconds? My users have requested 10 minutes. I know it's not recommended, but I'm testing it and cannot get the grace period to be any more than 60 seconds. I've tested 90, 120, 3600; they all implement the lock screen at 60 seconds.

    I am on a domain, and have tested on and off the domain. Windows 7 x64 SP1, Office 2007, All Updates applied.

    Monday, December 12, 2011 8:54 PM
  • hello,

    thanks to you all for your help on this.

    I looked at my screensaver GPO and noticed ssstars.scr was specified, so I copied ssstars.scr from a Windows XP PC on my domain to the Windows 7 PC. Whilst on the Windows 7 PC it now states "none" when opening the personalization screen, when opening the screensaver option, the stars screensaver appeared and the grace period worked, which saved me from having to edit my GPO.

    thanks



    • Edited by pnc2012 Friday, March 09, 2012 10:43 AM
    Friday, March 09, 2012 10:42 AM
  • What is your grace period set to? I have been unsuccessful in setting it higher than 60 seconds.
    • Proposed as answer by dgrothe Thursday, June 28, 2012 12:27 AM
    • Unproposed as answer by dgrothe Thursday, June 28, 2012 12:27 AM
    Friday, March 09, 2012 4:26 PM
  • What is your grace period set to? I have been unsuccessful in setting it higher than 60 seconds.

    This is a known error: http://support.microsoft.com/kb/2685088

    • Proposed as answer by LinnCounty Thursday, June 28, 2012 4:26 PM
    Thursday, June 28, 2012 12:28 AM
  • Alright!!! Thank you for finally fixing this MS.. This makes me very happy, and my desktops will become more secure because of this.

    I know it seems less secure, but compared to not enforcing a locked desktop this is much better!

    Thursday, June 28, 2012 4:27 PM