Remove From My Forums

Glitches in Windows 7 screensaver timeout settings

Question
0

Sign in to vote

Hello all,

Cross-posting by request from the security forum (http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/5e15d5d6-b76f-4939-aa9d-feb4c3f1a009?prof=required).

I have a problem similar to the later posts in http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/3cf199a1-5f4b-4045-8394-d64e44a741a2/, but that question was marked as answered and I'm not sure anyone's looking at it. I have found screensaver/locking settings in Win7 to be a bit glitchy, and I was hoping to get feedback on whether this was a known problem.

My environment contains XP and Win7 workstations in a domain at 2003 functional level (there are a mix of 2003 and 2008 R2 DCs). I am trying to set a 15 minute screensaver-and-lock-workstation timeout, so I created a GPO and set "Enabled screen saver", "Password protect the screen saver", and "Screen saver timeout" (900 seconds). I didn't force a specific screen saver. The policy is linked to the user OU and filtered to the correct test users, and the appropriate screensaver settings show up as disabled on the clients once the policy is applied, but the Win7 computers seem to remember the settings they had before. For instance, I set my screensaver to apply after 1 minute, then I added myself to the policy and ran gpupdate /force. I saw the value in the "Wait X minutes" box in the screen saver dialog was now 15 (and disabled, so I couldn't change it in the UI), but my machine still locks after one minute. I think the policy works as expected on XP, but I haven't been able to verify that yet. Forcing a specific screen saver doesn't seem to make a difference.

Can anyone shed light on why the Win7 screensaver settings aren't behaving themselves? Is it a problem with the GPO or with Win7? I would appreciate any input. And sorry if this is considered a double post; I just wanted to make sure someone saw it as a different problem, since the marked solution in the other thread is irrelevant for me.

Friday, September 30, 2011 2:54 PM

Reply

|

Quote

All replies

0

Sign in to vote

Hi,

Please run RSOP.MSC on Windows 7 PC and check the screensaver setting area and make sure it shows 15mins. Secondly is it happening with all the Windows 7 PC's or few, because we have the same settings in our environment it works fine. There is no such restriction in Windows 7.

Friday, September 30, 2011 4:52 PM

Reply

|

Quote
0

Sign in to vote

The screensaver setting does show 15 minutes, and RSOP says the correct setting from the policy is being applied. Since the policy is still in test mode, it's only applied to a few users/computers, and I can reproduce the problem on two of them--the other win7 users are out of the office and I can't ask them to check.

Friday, September 30, 2011 7:46 PM

Reply

|

Quote
0

Sign in to vote

could u pls post "gpresult /z" ?
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

Friday, September 30, 2011 8:28 PM

Reply

|

Quote
0

Sign in to vote

Hi,

did you create and link the policy using GPMC on an old (XP/2003) or new (W7/08R2) machine?
In a mixed environment, I found it more consistent/predictable to always use the latest (even when configuring for older targets).
(editing GP on 2003 for a W7 target, caused a heap of ugliness for us.)
Don

Friday, September 30, 2011 11:26 PM

Reply

|

Quote
0

Sign in to vote

In addition,

Keep remember

? Link Order – the precedence order for GPOs linked to a given container. The GPO link with Link Order of 1 has highest precedence on that container.

? Block Inheritance – the ability to prevent an OU or domain from inheriting GPOs from any of its parent container. Note that Enforced GPO links will always be inherited.

? Enforcement – (previously known as “No Override”) the ability to specify that a GPO should take precedence over any GPOs that are linked to child containers. Enforcing a GPO link works by moving that GPO to the end of the processing order.

? Link Status – determines if a given GPO link is processed or not for the container to which it is linked.

? GPO Slow link detection problem(http://grouppolicy.editme.com/SlowLinks).

See the below link.

http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

Saturday, October 1, 2011 7:49 AM

Reply

|

Quote
0

Sign in to vote

Hi,

Please check the value of ScreenSaveTimeOut under HKCU\Control Panel\Desktop if it is 15 mins or 1 min. The value shows there is in seconds

Saturday, October 1, 2011 8:17 AM

Reply

|

Quote
0

Sign in to vote

Thanks for the replies.

>did you create and link the policy using GPMC on an old (XP/2003) or new (W7/08R2) machine?

Policy was created and linked on a 2008R2 DC.

Regarding the link order/block inheritance comment, the screensaver policy is not enforced. The only other policy on that OU is enforced, but it doesn't have screensaver settings configured, and if I understand enforcement correctly it doesn't override enabled/disabled settings with a setting of not-configured.

>Please check the value of ScreenSaveTimeOut under HKCU\Control Panel\Desktop if it is 15 mins or 1 min. The value shows there is in seconds

This value is still 1 minute. However, the GUI interface shows 15 minutes and is disabled as if the policy were in effect, and the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop also shows 15 minutes.

> could u pls post "gpresult /z" ?

Here's the administrative template section of gpresult /z for one of the affected users.

        Administrative Templates

        ------------------------

            GPO: TEST Company Users

                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive

                Value:       49, 0, 0, 0

                State:       Enabled

            GPO: Default Domain Policy

                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess

                State:       disabled

            GPO: Default Domain Policy

                KeyName:     Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOffline

                Value:       1, 0, 0, 0

                State:       Enabled

            GPO: Default Domain Policy

                KeyName:     Software\Policies\Microsoft\Windows\NetCache\NoCacheViewer

                Value:       1, 0, 0, 0

                State:       Enabled

            GPO: Default Domain Policy

                KeyName:     Software\Policies\Microsoft\Windows\NetCache\NoConfigCache

                State:       disabled

            GPO: Default Domain Policy

                KeyName:     Software\Policies\Microsoft\Windows\NetCache\SyncAtLogoff

                Value:       0, 0, 0, 0

                State:       Enabled

            GPO: TEST Company Users

                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE

                Value:       115, 0, 99, 0, 114, 0, 110, 0, 115, 0, 97, 0, 118, 0, 101, 0, 46, 0, 115, 0, 99, 0, 114, 0, 0, 0

                State:       Enabled

            GPO: Default Domain Policy

                KeyName:     Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

                Value:       1, 0, 0, 0

                State:       Enabled

            GPO: TEST Company Users

                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut

                Value:       57, 0, 48, 0, 48, 0, 0, 0

                State:       Enabled

            GPO: TEST Company Users

                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure

                Value:       49, 0, 0, 0

                State:       Enabled

Monday, October 3, 2011 3:45 PM

Reply

|

Quote
0

Sign in to vote
>Please check the value of ScreenSaveTimeOut under HKCU\Control Panel\Desktop if it is 15 mins or 1 min. The value shows there is in seconds

This value is still 1 minute. However, the GUI interface shows 15 minutes and is disabled as if the policy were in effect, and the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop also shows 15 minutes.

Hi,

Can you please manually change the value of HKCU\Control Panel\Desktop\ScreenSaveTimeOut to 15 mins and see if the screensaver works properly. If it works then we can plan for reflecting the proper values
- Proposed as answer by bshwjt Tuesday, October 4, 2011 7:18 AM
Tuesday, October 4, 2011 7:17 AM

Reply

|

Quote
0

Sign in to vote

Awesome, Sukhi.
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

Tuesday, October 4, 2011 7:18 AM

Reply

|

Quote
0

Sign in to vote

I manually changed the value of HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverTimeout to 900, but the screensaver still kicks in after 60 seconds.

Tuesday, October 4, 2011 2:23 PM

Reply

|

Quote
0

Sign in to vote

I logged onto a freshly built computer and noted that the settings under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop showed the proper policy values, but the settings under HKCU\Control Panel\Desktop\ did not match them--the only setting that existed in HKCU\Control Panel\Desktop was ScreenSaverActive.

If it makes a difference, the user profiles are local rather than roaming.

Wednesday, October 5, 2011 8:31 PM

Reply

|

Quote
0

Sign in to vote

Hi,

I would like to confirm that if this issue occurs on all the Windows 7 clients or only one client?

I realize that you have security filter used to apply the GPO.

Based on the current situation, I would like to suggest you verify the security filter to check the result. You may also create a new Screen Saver GPO and link it to a new user OU to test the issue.

If it does not work, please also remove all the Group Policy registry keys from the client and reapply the GPOs.

Delete All Group Policy Registry keys

========================

1. Click “Start”, type “regedit” (without quotation marks) into “Run” box and press Enter.

2. Locate the following key:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft]

Right click on "Microsoft", click "Export"; please name the file as "RegBackup" (without quotation marks) and then save it to the C:\ drive as a backup.

Note: In case we need to undo the modification, we can double click this RegBackup.reg file to restore the registry key.

3. Highlight Microsoft and click "Delete".

4. Please repeat the above steps for the following registry keys.

[HKEY_CURRENT_USER\Software\Policies\Microsoft]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Note: if some keys do not exist, please ignore them.

3. Exit the Registry Editor.

What’s the result?

For more troubleshooting information, please also refer to the following Microsoft TechNet article:

Troubleshooting Group Policy Problems

http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx

Regards,

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thursday, October 6, 2011 2:42 PM

Reply

|

Quote

Moderator
0

Sign in to vote

> I would like to confirm that if this issue occurs on all the Windows 7 clients or only one client?

The policy is still in testing, so it's only assigned to five or six people, but it's reproducible on every Win7 client that I've checked. The settings are user-specific, so I created a test account and added it to the security filter, and I got the same behavior.

> Based on the current situation, I would like to suggest you verify the security filter to check the result

I don't know what you mean by "verify." The security filter explicitly lists the users who have permission on the GPO, and the gpresult on the clients confirms that the policy is being applied. I tried deleting the registry keys and reapplying the GPOs as you suggested, but there was no change in behavior--the clients still claim the GPO is being applied, and the values in the Personalization\Screen Saver dialog are disabled and set to the proper values as if the GPO settings were being applied, but the old settings are still in effect.

Thursday, October 6, 2011 7:20 PM

Reply

|

Quote
0

Sign in to vote

Hi,

Is the screensaver which is starting after 1 min same which you have applied to run after 15 mins. Also check the monitor off time in Control Panel

Friday, October 7, 2011 12:23 PM

Reply

|

Quote
0

Sign in to vote

The screensaver I'm applying by GPO is the scrnsave.exe (blank) one because it was the only one our XP and 7 machines have in common. The screen seems to blank out after 1 minute regardless of what screensaver I had before. The power plan's "turn off display" setting is at 10 minutes.

Friday, October 7, 2011 8:29 PM

Reply

|

Quote
0

Sign in to vote

Hi,

Ca you try to deploy a separate screensaver and apply through GPO. Otherwise you can also try to disable the screensaver executable setting from GPO so that you can choose the screensaver manually from computer. For testing choose a screensaver manually in Windows 7 and check if it gets applied properly

Saturday, October 8, 2011 6:13 AM

Reply

|

Quote
0

Sign in to vote

I haven't tried the above suggestion yet, but I rebooted one of the win7 PCs this weekend, and now I can't reproduce the glitchy behavior on it--the screen is no longer going blank after 1 minute. This doesn't make sense to me, since the registry settings are user-based, and if the reboot really did something then what did it do? I don't want to deploy this without understand it...

Monday, October 10, 2011 7:02 PM

Reply

|

Quote
0

Sign in to vote
I chose a Win7-specific screensaver, and it was applied (once the GP replicated), but the idle timeout is still broken.
- Edited by phantomtollbooth Tuesday, October 25, 2011 4:23 PM
Tuesday, October 25, 2011 4:18 PM

Reply

|

Quote
0

Sign in to vote

No other suggestions? No one else can reproduce it?

Monday, October 31, 2011 8:52 PM

Reply

|

Quote
0

Sign in to vote

Phantomtollbooth - I have the exact same issue on my Win 2008 R2 sTD and SP1 STD servers - "the only setting that existed in HKCU\Control Panel\Desktop was ScreenSaverActive." If you find an answer please share. Thank you and good luck.

Wednesday, November 2, 2011 7:13 PM

Reply

|

Quote
0

Sign in to vote

Did anyone find a solution?

It seems the screensaver is using the last manually entered timeout period, but not displaying it or letting you change it in the GUI . The GUI shows the GPO set screensaver delay and it's grayed out as appropriate. It's just not working...

Is this a bug? is there a patch?

Monday, October 13, 2014 2:16 PM

Reply

|

Quote
0

Sign in to vote
We just had this happen to us. I enabled the policies on a 2008R2 DC (2003 domain) for all users in our domain yesterday. Seemed to work just fine until this morning when a user had trouble with a conference room PC. Thought it was user error until we tested another conference room PC and while we were discussing it we were locked out. So we checked the screen saver and sure enough it said 15 min and was greyed out but it kept locking us out after one min. Ran RSOP and everything looked good. The user is a local admin and a domain user. PC's are Win7. Very odd.
- Edited by Pen5rod Friday, March 13, 2015 3:26 PM
Friday, March 13, 2015 3:24 PM

Reply

|

Quote