Windows 7 clients not honoring screen saver timeout group policy setting

    General discussion

  • I searched around to see if this had been posted already but no luck. Others seem to have this problem but I have yet to find a workable solution. I believe this post provides one but have only had the opportunity to test on a small number of Windows 7 machines.

    Today I was tasked with creating a GPO that would lock a workstation after 10 minutes of inactivity and require authentication to return access to the Desktop. So I enabled and configured the following policies under "User Configuration\Policies\Administrative Templates\Control Panel\Personalization"

    "Enable Screen saver" to Enabled
    "Prevent changing screen saver" to Enabled
    "Password protect the screen saver" to Enabled
    "Screen saver timeout" to Enabled
    "Force specific screen saver" to Enabled with the executable name "Mystify.scr"

    After running "gpupdate /force" I found that almost all of these settings had been honored except for the timeout. I used the group policy results wizard to confirm that the policy was being applied to the machine but still no dice. After some testing I discovered that it was still using the timeout value that had been configured before I had configured the group policy. So it seemed to be holding on to the old timeout value.

    After some more research I found that there actually two registry keys that set the screen saver timeout value. "HKCU\Control Panel\Desktop\ScreenSaveTimeOut" is the registry entry that's created when a user configures a timeout value manually. "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut" is the registry entry that the group policy sets. When both values are present, the user configured setting seems to take precedence. This seems to only be true for the timeout value (i.e. when I make the values for "SCRNSAVE.EXE" conflict, the group policy configured value takes precedence).

    So my solution to the problem was to simply create a group policy that deletes HKCU\Control Panel\Desktop\ScreenSaveTimeOut. After the workstation is rebooted, the timeout value set by group policy is honored. Again my testing of this solution is limited to handful of Windows 7 workstations, but so far I have not found any adverse effects.

    Wednesday, May 6, 2015 8:07 PM