Glitches in Windows 7 screensaver timeout settings

Question
-
Hello all,
Cross-posting by request from the security forum (http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/5e15d5d6-b76f-4939-aa9d-feb4c3f1a009?prof=required).
I have a problem similar to the later posts in http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/3cf199a1-5f4b-4045-8394-d64e44a741a2/, but that question was marked as answered and I'm not sure anyone's looking at it. I have found screensaver/locking settings in Win7 to be a bit glitchy, and I was hoping to get feedback on whether this was a known problem.
My environment contains XP and Win7 workstations in a domain at 2003 functional level (there is a mix of 2003 and 2008 R2 DCs). I am trying to set a 15-minute screensaver-and-lock-workstation timeout, so I created a GPO and set "Enabled screen saver", "Password protect the screen saver", and "Screen saver timeout" (900 seconds). I didn't force a specific screen saver. The policy is linked to the user OU and filtered to the correct test users, and the appropriate screensaver settings show up as disabled on the clients once the policy is applied, but the Win7 computers seem to remember the settings they had before. For instance, I set my screensaver to apply after 1 minute, then I added myself to the policy and ran gpupdate /force. I saw the value in the "Wait X minutes" box in the screen saver dialog was now 15 (and disabled, so I couldn't change it in the UI), but my machine still locks after one minute. I think the policy works as expected on XP, but I haven't been able to verify that yet. Forcing a specific screen saver doesn't seem to make a difference.
Can anyone shed light on why the Win7 screensaver settings aren't behaving themselves? Is it a problem with the GPO or with Win7? I would appreciate any input. And sorry if this is considered a double post; I just wanted to make sure someone saw it as a different problem, since the marked solution in the other thread is irrelevant for me.
Friday, September 30, 2011 2:54 PM
All replies
-
Hi,
Please run RSOP.MSC on the Windows 7 PC, check the screensaver setting area, and make sure it shows 15 mins. Secondly, is it happening with all the Windows 7 PCs or only a few? We have the same settings in our environment and it works fine. There is no such restriction in Windows 7.
Friday, September 30, 2011 4:52 PM -
The screensaver setting does show 15 minutes, and RSOP says the correct setting from the policy is being applied. Since the policy is still in test mode, it's only applied to a few users/computers, and I can reproduce the problem on two of them--the other win7 users are out of the office and I can't ask them to check.
Friday, September 30, 2011 7:46 PM
-
Could you please post "gpresult /z"?
Best regards
Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
Friday, September 30, 2011 8:28 PM -
Hi,
Did you create and link the policy using GPMC on an old (XP/2003) or new (W7/08R2) machine?
In a mixed environment, I found it more consistent/predictable to always use the latest (even when configuring for older targets).
(Editing GP on 2003 for a W7 target caused a heap of ugliness for us.)
Don
Friday, September 30, 2011 11:26 PM -
In addition, keep in mind:
• Link Order – the precedence order for GPOs linked to a given container. The GPO link with Link Order of 1 has highest precedence on that container.
• Block Inheritance – the ability to prevent an OU or domain from inheriting GPOs from any of its parent containers. Note that Enforced GPO links will always be inherited.
• Enforcement – (previously known as “No Override”) the ability to specify that a GPO should take precedence over any GPOs that are linked to child containers. Enforcing a GPO link works by moving that GPO to the end of the processing order.
• Link Status – determines if a given GPO link is processed or not for the container to which it is linked.
• GPO slow link detection problem (http://grouppolicy.editme.com/SlowLinks).
See the link below.
http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx
Best regards
Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
Saturday, October 1, 2011 7:49 AM -
Hi,
Please check whether the value of ScreenSaveTimeOut under HKCU\Control Panel\Desktop is 15 mins or 1 min. The value shown there is in seconds.
Saturday, October 1, 2011 8:17 AM -
Thanks for the replies.
>did you create and link the policy using GPMC on an old (XP/2003) or new (W7/08R2) machine?
Policy was created and linked on a 2008R2 DC.
Regarding the link order/block inheritance comment, the screensaver policy is not enforced. The only other policy on that OU is enforced, but it doesn't have screensaver settings configured, and if I understand enforcement correctly it doesn't override enabled/disabled settings with a setting of not-configured.
>Please check the value of ScreenSaveTimeOut under HKCU\Control Panel\Desktop if it is 15 mins or 1 min. The value shows there is in seconds
This value is still 1 minute. However, the GUI interface shows 15 minutes and is disabled as if the policy were in effect, and the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop also shows 15 minutes.
> could u pls post "gpresult /z" ?
Here's the administrative template section of gpresult /z for one of the affected users.
Administrative Templates
------------------------
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
Value: 49, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess
State: disabled
GPO: Default Domain Policy
KeyName: Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOffline
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
KeyName: Software\Policies\Microsoft\Windows\NetCache\NoCacheViewer
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
KeyName: Software\Policies\Microsoft\Windows\NetCache\NoConfigCache
State: disabled
GPO: Default Domain Policy
KeyName: Software\Policies\Microsoft\Windows\NetCache\SyncAtLogoff
Value: 0, 0, 0, 0
State: Enabled
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE
Value: 115, 0, 99, 0, 114, 0, 110, 0, 115, 0, 97, 0, 118, 0, 101, 0, 46, 0, 115, 0, 99, 0, 114, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
KeyName: Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Value: 1, 0, 0, 0
State: Enabled
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
Value: 57, 0, 48, 0, 48, 0, 0, 0
State: Enabled
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
Value: 49, 0, 0, 0
State: Enabled
Monday, October 3, 2011 3:45 PM -
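As an added example (not part of any post in this thread): the Value fields in the gpresult /z output above are raw bytes printed in decimal, and the screensaver policy values are REG_SZ strings, so they decode as UTF-16LE. The Python sketch below decodes the four screensaver entries and compares them with a constructed sample of HKCU\Control Panel\Desktop; the function names and the PREFERENCE sample are assumptions made for illustration.

```python
# Constructed from the screensaver entries of the gpresult /z output quoted above.
GPRESULT_Z = r"""
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
Value: 49, 0, 0, 0
State: Enabled
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE
Value: 115, 0, 99, 0, 114, 0, 110, 0, 115, 0, 97, 0, 118, 0, 101, 0, 46, 0, 115, 0, 99, 0, 114, 0, 0, 0
State: Enabled
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
Value: 57, 0, 48, 0, 48, 0, 0, 0
State: Enabled
GPO: TEST Company Users
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
Value: 49, 0, 0, 0
State: Enabled
"""
POLICY_KEY = "software\\policies\\microsoft\\windows\\control panel\\desktop\\"
# Constructed sample of HKCU\Control Panel\Desktop as the thread describes it:
# the preference timeout is still 60 seconds while the policy says 900.
PREFERENCE = {"ScreenSaveActive": "1", "ScreenSaveTimeOut": "60"}

def decode_reg_sz(field):
    """Decode decimal bytes as REG_SZ data: UTF-16LE with a NUL terminator."""
    return bytes(int(b) for b in field.split(",")).decode("utf-16-le").rstrip("\x00")

def screensaver_policy(text):
    """Map value name -> decoded string for entries under the Desktop policy key."""
    policy, key = {}, ""
    for line in text.splitlines():
        field, _, data = line.strip().partition(":")
        if field == "KeyName":
            key = data.strip()
        elif field == "Value" and key.lower().startswith(POLICY_KEY):
            policy[key[len(POLICY_KEY):]] = decode_reg_sz(data)
    return policy

def mismatches(policy, preference):
    """List (name, policy value, preference value or None) where the two keys disagree."""
    pref = {k.lower(): v for k, v in preference.items()}
    return [(n, v, pref.get(n.lower())) for n, v in policy.items() if pref.get(n.lower()) != v]

if __name__ == "__main__":
    for name, want, have in mismatches(screensaver_policy(GPRESULT_Z), PREFERENCE):
        print(f"{name}: policy={want!r} preference={have!r}")
```

A preference value of None in the result means the value is absent from the sample of HKCU\Control Panel\Desktop.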
>Please check the value of ScreenSaveTimeOut under HKCU\Control Panel\Desktop if it is 15 mins or 1 min. The value shows there is in seconds
>This value is still 1 minute. However, the GUI interface shows 15 minutes and is disabled as if the policy were in effect, and the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop also shows 15 minutes.
Hi,
Can you please manually change the value of HKCU\Control Panel\Desktop\ScreenSaveTimeOut to 15 mins and see if the screensaver works properly? If it works, then we can plan for reflecting the proper values.
- Proposed as answer by bshwjt Tuesday, October 4, 2011 7:18 AM
Tuesday, October 4, 2011 7:17 AM -
Awesome, Sukhi.
Best regards
Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
Tuesday, October 4, 2011 7:18 AM -
I manually changed the value of HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverTimeout to 900, but the screensaver still kicks in after 60 seconds.
Tuesday, October 4, 2011 2:23 PM
-
I logged onto a freshly built computer and noted that the settings under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop showed the proper policy values, but the settings under HKCU\Control Panel\Desktop\ did not match them--the only setting that existed in HKCU\Control Panel\Desktop was ScreenSaverActive.
If it makes a difference, the user profiles are local rather than roaming.
Wednesday, October 5, 2011 8:31 PM -
Hi,
I would like to confirm whether this issue occurs on all the Windows 7 clients or only one client.
I realize that you have security filter used to apply the GPO.
Based on the current situation, I would like to suggest you verify the security filter to check the result. You may also create a new Screen Saver GPO and link it to a new user OU to test the issue.
If it does not work, please also remove all the Group Policy registry keys from the client and reapply the GPOs.
Delete All Group Policy Registry keys
========================
1. Click “Start”, type “regedit” (without quotation marks) into “Run” box and press Enter.
2. Locate the following key:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft]
Right click on "Microsoft", click "Export"; please name the file as "RegBackup" (without quotation marks) and then save it to the C:\ drive as a backup.
Note: In case we need to undo the modification, we can double click this RegBackup.reg file to restore the registry key.
3. Highlight Microsoft and click "Delete".
4. Please repeat the above steps for the following registry keys.
[HKEY_CURRENT_USER\Software\Policies\Microsoft]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
Note: if some keys do not exist, please ignore them.
5. Exit the Registry Editor.
What’s the result?
For more troubleshooting information, please also refer to the following Microsoft TechNet article:
Troubleshooting Group Policy Problems
http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx
Regards,
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, October 6, 2011 2:42 PM -
> I would like to confirm that if this issue occurs on all the Windows 7 clients or only one client?
The policy is still in testing, so it's only assigned to five or six people, but it's reproducible on every Win7 client that I've checked. The settings are user-specific, so I created a test account and added it to the security filter, and I got the same behavior.
> Based on the current situation, I would like to suggest you verify the security filter to check the result
I don't know what you mean by "verify." The security filter explicitly lists the users who have permission on the GPO, and the gpresult on the clients confirms that the policy is being applied. I tried deleting the registry keys and reapplying the GPOs as you suggested, but there was no change in behavior--the clients still claim the GPO is being applied, and the values in the Personalization\Screen Saver dialog are disabled and set to the proper values as if the GPO settings were being applied, but the old settings are still in effect.
Thursday, October 6, 2011 7:20 PM -
Hi,
Is the screensaver which is starting after 1 min the same one which you have applied to run after 15 mins? Also check the monitor off time in Control Panel.
Friday, October 7, 2011 12:23 PM -
The screensaver I'm applying by GPO is the scrnsave.exe (blank) one because it was the only one our XP and 7 machines have in common. The screen seems to blank out after 1 minute regardless of what screensaver I had before. The power plan's "turn off display" setting is at 10 minutes.
Friday, October 7, 2011 8:29 PM
-
Hi,
Can you try to deploy a separate screensaver and apply it through GPO? Otherwise, you can also try to disable the screensaver executable setting in the GPO so that you can choose the screensaver manually on the computer. For testing, choose a screensaver manually in Windows 7 and check if it gets applied properly.
Saturday, October 8, 2011 6:13 AM -
I haven't tried the above suggestion yet, but I rebooted one of the win7 PCs this weekend, and now I can't reproduce the glitchy behavior on it--the screen is no longer going blank after 1 minute. This doesn't make sense to me, since the registry settings are user-based, and if the reboot really did something then what did it do? I don't want to deploy this without understanding it...
Monday, October 10, 2011 7:02 PM -
I chose a Win7-specific screensaver, and it was applied (once the GP replicated), but the idle timeout is still broken.
- Edited by phantomtollbooth Tuesday, October 25, 2011 4:23 PM
Tuesday, October 25, 2011 4:18 PM -
No other suggestions? No one else can reproduce it?
Monday, October 31, 2011 8:52 PM
-
Phantomtollbooth - I have the exact same issue on my Win 2008 R2 STD and SP1 STD servers - "the only setting that existed in HKCU\Control Panel\Desktop was ScreenSaverActive." If you find an answer please share. Thank you and good luck.
Wednesday, November 2, 2011 7:13 PM
-
Did anyone find a solution?
It seems the screensaver is using the last manually entered timeout period, but not displaying it or letting you change it in the GUI. The GUI shows the GPO set screensaver delay and it's grayed out as appropriate. It's just not working...
Is this a bug? Is there a patch?
Monday, October 13, 2014 2:16 PM -
We just had this happen to us. I enabled the policies on a 2008R2 DC (2003 domain) for all users in our domain yesterday. Seemed to work just fine until this morning when a user had trouble with a conference room PC. Thought it was user error until we tested another conference room PC and while we were discussing it we were locked out. So we checked the screen saver and sure enough it said 15 min and was greyed out but it kept locking us out after one min. Ran RSOP and everything looked good. The user is a local admin and a domain user. PCs are Win7. Very odd.
- Edited by Pen5rod Friday, March 13, 2015 3:26 PM
Friday, March 13, 2015 3:24 PM