Solved

Terminal services timing out and locking user screens

Posted on 2004-08-23
Last Modified: 2010-04-19
We have recently upgraded from W2k to 2003 Server and now our thin clients' screens are locked after 10 minutes of inactivity.  The user must log in again.  Log in as admin and there is no problem.  If you give the thin client users admin rights, we still have the problem.  The thin clients use the CE operating system and are little affected by group policy.  We have checked all the usual things, screen savers, etc.

Would really appreciate some leads no matter how far out they may be.  At this point we'll try anything.
Thanks
Brian O

Question by:brianounsted

6 Comments

Expert Comment

by:Sembee
If you mean that the session locks requiring the users to enter their password to continue, then this is a default feature of Windows 2003 server. It is usually done via the screensaver setting.

You should disable the screensaver password and timeout via either the local group policy or the domain group policy - depending on the most appropriate for you.
I actually prefer it as the users have this habit of walking away from their machines with confidential information on their screens. I usually force finance and IT to have screensavers lock their systems after 2 minutes of inactivity.

Simon.

Author Comment

by:brianounsted
I wish it were that easy.  We have set the screen saver to 9999 and no password required but it does not affect our thin clients using terminal services.  These are Windows CE clients and are completely deaf to any group policy.

At the moment I am looking at the old NT system policy placed in the NETLOGON share.  This was a suggestion from a newsgroup.  My regular XP clients should ignore this file but hopefully it is picked up by the CE thin clients.  This is one way you might handle W95/98 clients which are also immune to group policy.

We'll see.  Onward and upward

Brian O

Expert Comment

by:Sembee
I have done two implementations with TS and CE thin clients.
As the thin clients cannot be members of the domain they will not get any policy settings. Are you sure this is something local to the client and not on the server?

Screensaver timeout should be disabled in GP.
I have just looked at one implementation where I have remote access...
I have three settings in GP:

User Config, Windows Components, Control Panel, Display.

Hide ScreenSaver Tab: Enabled
Screensaver: Disabled
Screensaver timeout: disabled
Password protect screensaver: disabled

That stops the screensavers from taking - including locking of the machine.
The only other thing I can suggest is that another GP is taking precedence over the one you have made those changes to.

Simon,
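
One way to check, from inside a thin-client user's Terminal Services session, which screensaver settings actually apply and whether they come from Group Policy or from the user's own profile. This is an added example, not part of the original thread; it assumes PowerShell is installed on the server and reads the standard registry locations for these settings, and the function names are illustrative.

```powershell
# Added example: report the screensaver lock settings in effect for the
# current user. Values written by Group Policy live under the Policies key
# and override the user's own Control Panel preferences.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$prefKey   = 'HKCU:\Control Panel\Desktop'
$names     = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

function Get-KeyValues([string]$Path) {
    # Return a hashtable of the values of interest that exist under $Path.
    $found = @{}
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($n in $names) {
            if ($null -ne $props.$n) { $found[$n] = [string]$props.$n }
        }
    }
    return $found
}

function Resolve-ScreenSaver([hashtable]$Policy, [hashtable]$Preference) {
    # Policy wins where it is set; otherwise the user preference applies.
    $eff = @{}
    foreach ($n in $names) {
        if ($Policy.ContainsKey($n)) {
            $eff[$n] = @{ Value = $Policy[$n]; Source = 'policy' }
        } elseif ($Preference.ContainsKey($n)) {
            $eff[$n] = @{ Value = $Preference[$n]; Source = 'preference' }
        }
    }
    # A lock is expected only when a saver is active, an executable is
    # configured, and the saver is marked secure (password protected).
    $active = $eff.ContainsKey('ScreenSaveActive') -and $eff['ScreenSaveActive'].Value -eq '1'
    $hasExe = $eff.ContainsKey('SCRNSAVE.EXE') -and $eff['SCRNSAVE.EXE'].Value -ne ''
    $secure = $eff.ContainsKey('ScreenSaverIsSecure') -and $eff['ScreenSaverIsSecure'].Value -eq '1'
    $eff['LocksSession'] = @{ Value = ($active -and $hasExe -and $secure); Source = 'derived' }
    return $eff
}

$result = Resolve-ScreenSaver (Get-KeyValues $policyKey) (Get-KeyValues $prefKey)
foreach ($k in ($result.Keys | Sort-Object)) {
    '{0,-20} {1,-12} ({2})' -f $k, $result[$k].Value, $result[$k].Source
}
```

Running `gpresult /scope user /v` in the same session lists which GPO, if any, supplied the values reported as `policy`.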

Author Comment

by:brianounsted
Thanks for the comments and I agree with the fact that another policy may be overriding.

I have some time this weekend so I am taking it one step at a time.  I have set up a fresh W2K3 server and a thin client.  I have set the server screen saver to 9999 and no password.  The thin client is NOT timing out and is working the way we want.

The next step is to make the server a domain controller and not install GP and see where we go.  I will be doing that over the next few hours so hopefully we have the answer shortly.

I guess one concern I have down the line is that with the screen and keyboard unprotected the security risk is unacceptable.

Thanks for the help.

Author Comment

by:brianounsted
All went according to plan.  The thin clients are working exactly the way we want and the only GP entry we have made is to allow users to logon using terminal services.  The server screens are back to password protected screen savers so we don't have to worry about security with our domain controllers.

Now I will connect up a PC and try to arrange GP to work with both types of clients.  We have several hundred of each.  A lab setup should have been done right from the start but we were in a hurry and thought we knew all the answers.

Thanks Sembee, it just takes a few suggestions to get people on track

Accepted Solution

by:
Sembee earned 250 total points
Excellent. Don't forget to close the question.

Simon.