Set the default forced screen saver in Group Policy – Logon.scr in Windows 7

This article explains how to set a default screen saver with settings that will be compatible with changes in Windows 7 and with your existing Windows XP and Vista clients.
Profile photo of Kyle Beckman

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in Higher Education. He has 17+ years of systems administration experience. You can follow him on Twitter or his blog, trekker.net.
Profile photo of Kyle Beckman

In my initial testing of Windows 7, I was a little disturbed to find that a default install of Windows 7 Enterprise did not include a default screen saver when a user would log in. I was also a little miffed that logon.scr (known as the “Windows XP” screen saver in Windows XP and “Windows Logo” screen saver in Windows Vista) was also nowhere to be found when I searched the file system.

Windows 7 User Screensaver Configuration 1

If a user logs into Windows 7 and has logon.scr set as a forced screen saver in Group Policy, his default screen saver will be set to (None) and, because it is a Group Policy, the user will be unable to change this setting.

Windows 7 User Screensaver Configuration 2

In many environments, securing logon sessions is very important… especially if you have to deal with HIPAA, FERPA, or any of the other myriad of government regulations (or jumpy Information Security departments) that are out there. If a user were to leave his office with his workstation unlocked and the door wide open, a malicious person would have access to everything that the unwitting user left open: files, applications, e-mail, etc. If you’re still using logon.scr as your default forced screen saver and you’ve started deploying Windows 7, you have users out there without a default screen saver.

So, back to basics: setting a default screen saver with settings that will be compatible with changes in Windows 7 and with your existing Windows XP and Vista clients. First off, start with a Group Policy Object (GPO) that is linked to the OU where your user accounts are located in Active Directory. This can be either a new GPO or an existing GPO that may already have other settings you want applied to all of your users. Next, go to Policy > User Configuration > Administrative Templates > Control Panel > Personalization. Here are the policies you’re looking for:

PolicySetting Option
Enable Screen SaverEnabled
Force Specific Screen SaverEnabledscrnsave.scr
Password Protect Screen SaverEnabled
Screen Saver timeoutEnabledTime set in seconds (900 in the example)

Windows 7 UserScreensaver Group Policy 1 Windows 7 User Screensaver Group Policy 2

From the user’s perspective, the options for setting the screen saver, the wait time, and whether to display the logon screen will be set and grayed out. This policy change will update during a regular Group Policy refresh cycle.

-1+1 (+4 rating, 4 votes)
16 Comments
  1. avatar
    breiti 5 years ago

    this works for me perfectly. thank you.

  2. avatar
    deathtap 5 years ago

    Easy instructions, very well written.

    Thanks for this. Now I can make sure that all my co-workers are forced to use the default screensaver…

    Or one that I want them to see (insert evil laughter here).

  3. avatar
    abland 5 years ago

    Thanks for the tip…… It works and hopefully they don’t change things for Windows 8.

  4. avatar
    pisootegn 1 year ago

    Why some my client do not got srceensaver policy ,i have no idea to fix this

    help me plz ,thankyou

  5. avatar
    pisootegn 1 year ago

    thank you ,now trouble have fixed .cause source files .scr are on the same path. i’m try to unshare and share it again then delete old .scr file ,it worked.

    thank you so much ,

  6. avatar
    Massimo 1 year ago

    pisootegn, can you exactly explain how you have solved. Because I have some clients that do not apply theese settings and some that do. (Obviously I tried the Gpresultant first and many gpupdate /force and computer restart)

    • Profile photo of Kyle Beckman Author
      Kyle Beckman 1 year ago

      Be mindful that this is a user setting… not a computer setting. If you’re applying this to a computer, nothing is going to happen unless you’re using loopback policy to apply the setting to all users logging into the computer. A gpupdate should be all that is necessary. If you’d like to start a new thread in the Forum, you can attach your gpresult file and we can try to help you there.

  7. avatar
    Massimo 1 year ago

    I noticed that. In fact I tried the same user over many pc in the same OU where the policy is attached. And the policy filter is for “Authenticated Users”. That’s why I can’t explain me

    • Profile photo of Kyle Beckman Author
      Kyle Beckman 1 year ago

      Authenticated Users is the default. Like I said, this is a User policy. If you’re attaching it to an OU with computers, it isn’t going to apply to the user unless he’s in that same OU (which I wouldn’t recommend) or you’re using loopback. I really need to see the output of gpresult to see what is going on with your Group Policy config though.

  8. avatar
    Massimo 1 year ago

    Sorry, the computer and the users are in the same OU. We’re doing some test for the productional start in the middle of September. I will produce the Gpresult asap and start the new post

  9. avatar
    Abhishek Jain 5 months ago

    I want Sreensaver time to be extended for some users and that too only for some servers.

    i have  AD 2012 R2

     

    How to do that..?

    • Profile photo of Kyle Beckman Author
      Kyle Beckman 5 months ago

      AD level won’t matter on this setting. If you’re only wanting it for a specific set of servers, you’ll want to use loopback processing… most likely in Merge mode. Next, you’ll want to create a group that contains all those users. Create a GPO with the timeout you want and set the filtering for that group. Link it to the OU with the precedence set over the other screensaver GPO.

  10. avatar
    Coby 3 months ago

    Something strange happened last week with our user GPO’s and I’m curious if anyone else has seen it.  All of a sudden last Tuesday all user policies wouldn’t apply.  Gpresult was saying unknown result for the GPO’s or not showing the GPO at all.  The GPO is applied to the user OU with only user settings configured.  This was first noticed because screensaver was not kicking on.  After adding Domain Computers to the security filter, the GPO’s started applying again.  Was there a patch or something release by Microsoft that caused us to require Domain Computers now in all GPO’s with user settings only?  I don’t understand why this would have changed and the solution doesn’t make any sense either.

    • avatar
      Tim 3 months ago

      Thanks, this saved me a lot of work.  Same time frame with the windows updates, same clue regarding the screen-saver not responding to the previous policy I had in effect.  I have found that if I want the policy to apply to all domain users I can simply use “Authenticated Users”.  If I have limited the application of the policy by username in the Security Filter, I had to add an additional entry for, “Domain Computers”.  I feared that adding that general security filter of Domain Computers, that all domain computers would react to the policy but that was not the case.  Once adding that entry things have been back to normal.

  11. avatar
    JeffD 1 month ago

    Hi All

    In response to Coby’s question, Yes, A Microsoft client OS patch released in June has stopped some Active Directory Group policies from being applied.  This affects all GPO’s that were filtered to ONLY apply to Users (GPO’s filtered by Computers, or the default “Authenticated Users” were not affected).  This is a by-design change in Group Policy processing.

    For more information on the cause and resolution of this issue, see this article. https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    For a Powershell script to automate the setting of the permissions to fix this, see this article. https://gallery.technet.microsoft.com/Powershell-script-to-cc281476

    I have experienced this change with GPO, and this resolved my issues.

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2016

Log in with your credentials

or    

Forgot your details?

Create Account