Latest posts by Kyle Beckman (see all)
- Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
- Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016
- Enhanced Mitigation Experience Toolkit (EMET) overview - Tue, Mar 15 2016
In my initial testing of Windows 7, I was a little disturbed to find that a default install of Windows 7 Enterprise did not include a default screen saver when a user would log in. I was also a little miffed that logon.scr (known as the “Windows XP” screen saver in Windows XP and “Windows Logo” screen saver in Windows Vista) was also nowhere to be found when I searched the file system.
If a user logs into Windows 7 and has logon.scr set as a forced screen saver in Group Policy, his default screen saver will be set to (None) and, because it is a Group Policy, the user will be unable to change this setting.
In many environments, securing logon sessions is very important… especially if you have to deal with HIPAA, FERPA, or any of the other myriad of government regulations (or jumpy Information Security departments) that are out there. If a user were to leave his office with his workstation unlocked and the door wide open, a malicious person would have access to everything that the unwitting user left open: files, applications, e-mail, etc. If you’re still using logon.scr as your default forced screen saver and you’ve started deploying Windows 7, you have users out there without a default screen saver.
So, back to basics: setting a default screen saver with settings that will be compatible with changes in Windows 7 and with your existing Windows XP and Vista clients. First off, start with a Group Policy Object (GPO) that is linked to the OU where your user accounts are located in Active Directory. This can be either a new GPO or an existing GPO that may already have other settings you want applied to all of your users. Next, go to Policy > User Configuration > Administrative Templates > Control Panel > Personalization. Here are the policies you’re looking for:
|Enable Screen Saver||Enabled|
|Force Specific Screen Saver||Enabled||scrnsave.scr|
|Password Protect Screen Saver||Enabled|
|Screen Saver timeout||Enabled||Time set in seconds (900 in the example)|
From the user’s perspective, the options for setting the screen saver, the wait time, and whether to display the logon screen will be set and grayed out. This policy change will update during a regular Group Policy refresh cycle.