locked
Require password on wakeup need different policy per user RRS feed

  • Question

  • There are two Computer Policies that are Vista or above regarding the password prompt when resuming from sleep (battery & plugged in).

    Computer Config/Policies/AdminTemplates/System/Power Management/Sleep Settings/Require a Password When a Computer Wakes (Battery, Plugged In)

    Those are per machine.  Almost all of our users use several different computers in the day and we have the following problem:

    1)  Staff - should prompt for a password when resuming.

    2) Students - should not prompt for a password when resuming.

    We cannot assign a computer based policy because teachers (staff) use the same computers that students do.  Furthermore, this policy whether it is set enabled or not results in a password prompt when resuming.  We then must set it to disabled to prevent it from requiring a password when resuming but we can't do that because teachers then won't be prompted.

    The User Policy is for XP (Prompt for password on resume from hibernation) and does not apply to Windows 7.

    There is a User GPP dealing with the Power Plans that appears it would allow you to configure this based on who got what policy, however it doesn't override the computer based policy, again if you do nothing the computer policy is set to prompt for a password on resume.

    How can we allow a teacher and a student that use the same computer receive two different options regarding password prompt on resume?


    LPS
    • Moved by Carey FrischMVP Sunday, September 11, 2011 3:11 AM Moved to more appropriate forum category (From:Windows 7 Miscellaneous)
    Saturday, September 10, 2011 6:54 PM

All replies

  • Hi,

    You should delete the Computer Policy, then apply the User GPP for a test.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Tuesday, September 13, 2011 5:59 AM
  • Hi,

    You should delete the Computer Policy, then apply the User GPP for a test.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    We didn't have the computer policy in place initially, we started with just the user gpp power plans for Windows 7, had the student set with Require a password on wakeup = NO, the staff was set to YES.  When the student test user logged in the require a password on wakeup was still set to yes and required elevated privileges to override.  It didn't matter if the GPP was set to Create, Update, or Replace, we also logged in multiple times and did multiple gpupdate /force.  Currently we have the computer policy in place as require a password on wakeup = NO because it's a huge headache for student logins to lock.
    LPS
    Wednesday, September 14, 2011 4:01 AM
  • Hi,

    You need to set the Power Plan as active plan, then check whether you apply this policy to correct user OU. Finally, you should check whether the Power Plan is applied to client.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    • Marked as answer by Juke Chou Tuesday, September 20, 2011 1:33 AM
    • Unmarked as answer by LPS Thursday, September 22, 2011 3:13 AM
    Wednesday, September 14, 2011 5:20 AM
  • Hi,

    You need to set the Power Plan as active plan, then check whether you apply this policy to correct user OU. Finally, you should check whether the Power Plan is applied to client.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”


    The power plan was set active (User Group Policy Preference - Windows 7 not XP Power Plan), it applied as listed in gpresult and when you opened the power control panel it was the default Power Plan as expected, however what wasn't expected was the require password from sleep was set to required when the GPP listed it as not required. 

    It appears that you can't override the require password on wakeup using a user policy/group policy preference, it appears you have to use a computer preference and how do you do that when you need a different plan based on user not computer?  Lets not get into WMI Filters as GPP can do that with item level targeting, however I don't see how I could use either since the computer policy/preference is applied before the user ever logs into the system.  We're also talking about thousands of systems and users not just a small office.

    On Windows XP you had to change permissions on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg (Use Computer Policy) to allow users to write to those keys and then use powercfg /g OFF /option:resumepassword run as the user to set the resume from standby password state (we did it with login script).  Does Windows 7 have something similar? (http://support.microsoft.com/kb/915160)


    LPS
    • Edited by LPS Thursday, September 22, 2011 3:31 AM
    Thursday, September 22, 2011 3:21 AM
  • Hi,

    If you apply the policy to User OU, this should do the trick.

    Regarding The KB you mentioned. you can try it. Based on my experience, this still works for Windows 7.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Thursday, September 22, 2011 5:30 AM
  • Hi,

    If you apply the policy to User OU, this should do the trick.

    Regarding The KB you mentioned. you can try it. Based on my experience, this still works for Windows 7.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”


    I stated it didn't work in my second post when applying it to the user OU, also mentioned GP Result showed the policy was applied so it was tested, have you actually tested this?  Everything in the User GPP Power Plan gets applied accept for the require password from sleep.

    At this point we're going to disable the prompt via computer policy as that is the lesser of two evils.


    LPS
    Monday, September 26, 2011 9:44 AM