- Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
- Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
- Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016
In my initial testing of Windows 7, I was a little disturbed to find that a default install of Windows 7 Enterprise did not include a default screen saver when a user would log in. I was also a little miffed that logon.scr (known as the “Windows XP” screen saver in Windows XP and “Windows Logo” screen saver in Windows Vista) was also nowhere to be found when I searched the file system.
If a user logs into Windows 7 and has logon.scr set as a forced screen saver in Group Policy, his default screen saver will be set to (None) and, because it is a Group Policy, the user will be unable to change this setting.
In many environments, securing logon sessions is very important… especially if you have to deal with HIPAA, FERPA, or any of the other myriad of government regulations (or jumpy Information Security departments) that are out there. If a user were to leave his office with his workstation unlocked and the door wide open, a malicious person would have access to everything that the unwitting user left open: files, applications, e-mail, etc. If you’re still using logon.scr as your default forced screen saver and you’ve started deploying Windows 7, you have users out there without a default screen saver.
So, back to basics: setting a default screen saver with settings that will be compatible with changes in Windows 7 and with your existing Windows XP and Vista clients. First off, start with a Group Policy Object (GPO) that is linked to the OU where your user accounts are located in Active Directory. This can be either a new GPO or an existing GPO that may already have other settings you want applied to all of your users. Next, go to Policy > User Configuration > Administrative Templates > Control Panel > Personalization. Here are the policies you’re looking for:
| Policy | Setting | Option |
| Enable Screen Saver | Enabled | |
| Force Specific Screen Saver | Enabled | scrnsave.scr |
| Password Protect Screen Saver | Enabled | |
| Screen Saver timeout | Enabled | Time set in seconds (900 in the example) |
From the user’s perspective, the options for setting the screen saver, the wait time, and whether to display the logon screen will be set and grayed out. This policy change will update during a regular Group Policy refresh cycle.
this works for me perfectly. thank you.
Easy instructions, very well written.
Thanks for this. Now I can make sure that all my co-workers are forced to use the default screensaver…
Or one that I want them to see (insert evil laughter here).
Thanks for the tip…… It works and hopefully they don’t change things for Windows 8.
Why some my client do not got srceensaver policy ,i have no idea to fix this
help me plz ,thankyou
Have you tried using gpresult in any of the users’ accounts to see if they are getting the policy? I have an article series on troubleshooting Group Policy that may assist you.
thank you ,now trouble have fixed .cause source files .scr are on the same path. i’m try to unshare and share it again then delete old .scr file ,it worked.
thank you so much ,
pisootegn, can you exactly explain how you have solved. Because I have some clients that do not apply theese settings and some that do. (Obviously I tried the Gpresultant first and many gpupdate /force and computer restart)
Be mindful that this is a user setting… not a computer setting. If you’re applying this to a computer, nothing is going to happen unless you’re using loopback policy to apply the setting to all users logging into the computer. A gpupdate should be all that is necessary. If you’d like to start a new thread in the Forum, you can attach your gpresult file and we can try to help you there.
I noticed that. In fact I tried the same user over many pc in the same OU where the policy is attached. And the policy filter is for “Authenticated Users”. That’s why I can’t explain me
Authenticated Users is the default. Like I said, this is a User policy. If you’re attaching it to an OU with computers, it isn’t going to apply to the user unless he’s in that same OU (which I wouldn’t recommend) or you’re using loopback. I really need to see the output of gpresult to see what is going on with your Group Policy config though.
Sorry, the computer and the users are in the same OU. We’re doing some test for the productional start in the middle of September. I will produce the Gpresult asap and start the new post
I want Sreensaver time to be extended for some users and that too only for some servers.
i have AD 2012 R2
How to do that..?
AD level won’t matter on this setting. If you’re only wanting it for a specific set of servers, you’ll want to use loopback processing… most likely in Merge mode. Next, you’ll want to create a group that contains all those users. Create a GPO with the timeout you want and set the filtering for that group. Link it to the OU with the precedence set over the other screensaver GPO.
Something strange happened last week with our user GPO’s and I’m curious if anyone else has seen it. All of a sudden last Tuesday all user policies wouldn’t apply. Gpresult was saying unknown result for the GPO’s or not showing the GPO at all. The GPO is applied to the user OU with only user settings configured. This was first noticed because screensaver was not kicking on. After adding Domain Computers to the security filter, the GPO’s started applying again. Was there a patch or something release by Microsoft that caused us to require Domain Computers now in all GPO’s with user settings only? I don’t understand why this would have changed and the solution doesn’t make any sense either.
Thanks, this saved me a lot of work. Same time frame with the windows updates, same clue regarding the screen-saver not responding to the previous policy I had in effect. I have found that if I want the policy to apply to all domain users I can simply use “Authenticated Users”. If I have limited the application of the policy by username in the Security Filter, I had to add an additional entry for, “Domain Computers”. I feared that adding that general security filter of Domain Computers, that all domain computers would react to the policy but that was not the case. Once adding that entry things have been back to normal.
Hi All
In response to Coby’s question, Yes, A Microsoft client OS patch released in June has stopped some Active Directory Group policies from being applied. This affects all GPO’s that were filtered to ONLY apply to Users (GPO’s filtered by Computers, or the default “Authenticated Users” were not affected). This is a by-design change in Group Policy processing.
For more information on the cause and resolution of this issue, see this article. https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
For a Powershell script to automate the setting of the permissions to fix this, see this article. https://gallery.technet.microsoft.com/Powershell-script-to-cc281476
I have experienced this change with GPO, and this resolved my issues.
Hi,
In my organisation, every PC has been updated the GP and its works well , except one PC ; as per GP result its correct no changes on that, but lock out policy not applied only in particular PC.. below image from my GPO
hi
force a specific default lock screen image GPO template not available in windows 2008 R2.
any other way to set default lock screen image using windows 2008 R2,because i have only 2008 r2 server. please give me a solution for this issues.
Thanks.