Screen Saver GPO being overridden!

    Question

  • Hi All,

    Company I work for didn't have a policy for screen locks... So I tested a GPO with the following:

    User\Configuration\Administrative Templates\Control Panel\Personalization:

    Enable screen saver - enabled

    Password protect the screen saver - enabled

    Prevent changing screen saver - enabled

    Screen saver timeout - enabled - 900 seconds

    Tested fine with my test users on client devices and Citrix. Rolled out to everyone. Started getting a handful of reports where users' screens were locking after 1 minute. Pulled the GPO change.

    Upon investigation these users with problems already had the following in their registry hive:

    HKCU\Control Panel\Desktop\

     ScreenSaveActive – 0 (didn't matter if this key was there to be fair)

     ScreenSaverIsSecure – 1 (must be present)

     ScreenSaveTimeOut – 60 (must be present)

     SCRNSAVE.EXE – C:\Windows\system32\scrnsave.scr (must be present)

    When the GPO gets applied, the ScreenSaveTimeOut of 60 was overriding the GPO setting of 900. I find this behaviour truly bizarre. Group Policy is supposed to impose itself on the user? Am I doing something wrong, or is this a bug? GPO puts the keys at HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop - so I would have thought these key values would 'trump' those located at HKCU\Control Panel\Desktop\

    Any thoughts?

    Cheers

    Mark


    • Edited by Marcuspiper Thursday, October 27, 2016 3:35 PM
    Thursday, October 27, 2016 3:19 PM
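
An added example, not part of the original thread or any poster's code: a PowerShell sketch that reads the four screen saver values from both registry locations named in the question and lists where the per-user value differs from the policy value. The function names `Get-DesktopValues` and `Compare-ScreenSaverSettings` are hypothetical, and the sample hashtables are constructed from the values quoted in the post.

```powershell
# Registry locations and value names are taken from the question above.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'
$Names     = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

# Hypothetical helper: return the four values under $Path, $null where absent.
function Get-DesktopValues {
    param([string]$Path)
    $result = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $prop = $null
        if ($item) { $prop = $item.PSObject.Properties[$n] }
        if ($prop) { $result[$n] = $prop.Value } else { $result[$n] = $null }
    }
    return $result
}

# Hypothetical helper: one row per value, flagging per-user leftovers that
# disagree with what the GPO wrote under the Policies key.
function Compare-ScreenSaverSettings {
    param([hashtable]$Policy, [hashtable]$User)
    foreach ($n in $Names) {
        $p = $Policy[$n]
        $u = $User[$n]
        if     ($null -eq $p)   { $status = 'NoPolicy' }
        elseif ($null -eq $u)   { $status = 'PolicyOnly' }
        elseif ("$p" -eq "$u")  { $status = 'Match' }
        else                    { $status = 'Differs' }
        [pscustomobject]@{ Name = $n; Policy = $p; UserValue = $u; Status = $status }
    }
}

# Constructed sample: the GPO settings and the affected users' hive as described.
$samplePolicy = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '900' }
$sampleUser   = @{ ScreenSaveActive = '0'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '60'
                   'SCRNSAVE.EXE' = 'C:\Windows\system32\scrnsave.scr' }
Compare-ScreenSaverSettings -Policy $samplePolicy -User $sampleUser | Format-Table -AutoSize

# Live check in the logged-on user's session (run as the affected user).
Compare-ScreenSaverSettings -Policy (Get-DesktopValues $PolicyKey) `
                            -User   (Get-DesktopValues $UserKey) |
    Where-Object Status -eq 'Differs' | Format-Table -AutoSize
```

Run as the affected user before rollout, a `Differs` row for `ScreenSaveTimeOut` identifies the accounts that carry the pre-existing 60-second value described in the question.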

Answers

  • > less than 15 minute screensavers). Why does the screensaver default to 1
    > minute when a user goes to the screensaver properties anyway? It's not
    > part of the default user profile, nor group policy.
     
    I have absolutely no idea - and I've never seen such behavior before.
    What I would do now: Run process monitor with a filter for
    "ScreenSaveTimeout" and analyze which value is read or written when and
    by what process.
     
    Wednesday, November 2, 2016 7:49 AM

All replies

  • Have you tried running a gpresult on the affected user/computer account? It would help to see what policies are being applied/filtered out.

    Try running gpresult /r from Command Prompt on the user account, or you may also run rsop.msc for an MMC-based review of the applied/filtered policies.

    You can also try generating a Resultant Set of Policy from the server by right clicking the Resultant Set of Policy node on the left pane of Group Policy Management and running through the Group Policy Results Wizard.

    Please reply with anything you find about the applied policies.


    Rory Fewell

    (CCNA, MOS)

    Windows Server 2012 and Networking Fundamentals Apprentice



    • Edited by Rory Fewell Thursday, October 27, 2016 11:52 PM
    Thursday, October 27, 2016 11:51 PM
  • Hi Mark,
    What came to my mind first is to see if there is a conflicting policy applied to clients. So I agree with Rory to check the result of your group policy. You could use the Group Policy Results wizard on a domain controller to help you figure it out.
    Best regards,
    Wendy


    Friday, October 28, 2016 5:47 AM
    Moderator
  • RSOP clearly shows the desired policy is in effect with 900 seconds. You can clearly see the reg keys in HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop with 900 seconds, and even in the screensaver window the user sees a greyed out 15 minutes!

    Presuming that as the 60 seconds is less than 900, it is taking the more restrictive number? I'll try manually changing the 60 to 6000 and see which takes effect, the 6000 or the 900...

    Friday, October 28, 2016 12:54 PM
  • What are the power configurations for these machines? Even though they may not be laptops - all computers running Windows will have a power configuration that is usually set to Balanced by default, this includes settings for turning off the display after an amount of idle time. If you are running desktops, maybe try creating a power configuration set to High Performance for these computers and see if that fixes things.

    Rory Fewell

    (CCNA, MOS)

    Windows Server 2012 and Networking Fundamentals Apprentice



    • Edited by Rory Fewell Friday, October 28, 2016 1:10 PM
    Friday, October 28, 2016 1:09 PM
  • > RSOP clearly shows the desired policy is in effect with 900 seconds. You
     
    Modeling or results report?
     
    > Presuming that as the 60 seconds is less than 900, it is taking the more
    > restrictive number?
     
    No, the policy setting overwrites the "interactive" setting and has
    always done so.
     
    Monday, October 31, 2016 11:51 AM
  • Not got the screenshot available at the moment, but it did show that the correct GPO was making the settings to 900 seconds.

    I've just tested a user account with these initial settings:

    So the above is what a handful of users had configured before the change. I thought I'd try GPP (instead of the Admin Templates policies) to replace these settings to the below while the user was on:

    (uploading more than one picture fails, but the screenshot is the same as above, but with ScreenSaveTimeOut=900, and ScreenSaverIsSecure=1)

    As you can see, the timeout in the registry is altered to 900, and ScreenSaverIsSecure is turned on. Yet if the user goes to the screensaver it displays 1 minute, and not secure. What happens to the user? After 60 seconds the screensaver comes on and then the logon screen is displayed!

    Logoff and back on again and Screensaver then looks as it should, and of course locks the screen after 900 seconds, not 60:

    (uploading more than one picture fails, but the screenshot was of the Screensaver properties, showing a blank screensaver, with 15 minutes and the tick box for "on resume..." ticked)

    In most cases this probably wouldn't concern many people - but it appears to be a bug to me (unforeseen, as most people would not have less than 15 minute screensavers). Why does the screensaver default to 1 minute when a user goes to the screensaver properties anyway? It's not part of the default user profile, nor group policy.


    • Edited by Marcuspiper Monday, October 31, 2016 4:39 PM tried to upload pictures
    Monday, October 31, 2016 4:32 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    I appreciate your feedback.

    Best regards,

    Wendy



    Monday, November 7, 2016 8:58 AM
    Moderator