rlattin asked:
I cannot get the ScreenSaver timeout group policy to apply to the computers in my domain

Through Active Directory I have created a group policy that controls automatic updates and Windows Firewall. I am now, through that policy, trying to enable the ScreenSaver timeout of 10 minutes with password protection by going to User Configuration\Administrative Templates\Control Panel\Display. For some reason it will not apply. I've rebooted several of the machines, ran a GPUpdate, even wrote a system policy, and the screen saver timeout will not enable. Looking at my local machine, the group policy registry entries are there with the settings I specified, but it doesn't seem to override the User settings. The domain controller is W2K Server SP4 and my machine is XP SP2. I'm trying to apply the policy to all XP computers in my domain. Any ideas why it is not working?
Mazaraat:

Have you tried the No Override option in the Group Policies configuration?
Debsyl99:

Hi
Probably worth a look as a possible cause:
Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307900

Deb :))
rlattin (ASKER):
Yes, the No Override option is selected. I have read that article as well, and did that, but nothing changed. Something seems to be overriding even the registry. I've read articles saying the registry entry for the screen saver settings is in HKEY_CURRENT_USER/Software/Policies/Microsoft/Control Panel... but none of my machines have a Control Panel folder there. Right now I have my timeout set to 420 seconds. That is reflected in the key HKEY_CURRENT_USER/Control Panel/Desktop/ScreenSaveTimeout. If I try to change that to a different number though, it doesn't change. If I close the registry and open it back up it is still 420. I don't know if this has anything to do with it, but in HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/IniFileMapping/system.ini/boot, the screen saver keys have the data "USR:Control Panel\Desktop", which I don't know if that may be why the Control Panel settings are overriding everything else.
rlattin (ASKER):
Here's an additional piece that may be helpful. I created a new group and added only myself to it. I went to MMC and added a snap-in to the new policy. From the console I tried to create the same policies as I did before for the screensaver and it said "The Group Policy snapin was unable to save your changes due to the following error: The system cannot find the path specified". I don't know if this is related to my problem or not, but any ideas would be greatly appreciated. I have a boss breathing down my neck on this one.
Hi - Still here: I'm at home right now and away from my domain and resources - but will take a look later or tomorrow (I am in the UK so maybe a different time zone). I'm thinking maybe a resolution issue off the top of my head (or a permissions issue) - could you post an ipconfig /all result from both server and client and confirm that you can ping by name as well as IP?

Deb :))
rlattin (ASKER):
Client -

Physical...00-0C-F1-EA-A4-19
DHCP......Yes
Autoconfiguration.....Yes
IP Address..............10.1.22.156
Subnet...................255.255.254.0
Gateway.................10.1.22.1
DHCP/DNS..............10.1.24.48

Server-

Physical...00-06-5B-F1-92-32
DHCP.......No
IP Address.....10.1.24.48
Subnet..........255.255.254.0
Gateway........10.1.24.1
DNS..............10.1.24.48

Yes, I can ping by name and IP.
rlattin (ASKER):
Disregard that last error I wrote about. It was coming up only because I had not enabled the screensaver. Like I said earlier, I created a new group and moved only my computer into that group and created a group policy that only configured the screensaver. After a reboot, all the old policies that applied to my computer are no longer applying, but the screensaver still won't apply. I'll wait to see what you have up your sleeve. Thanks!!
Have you tried Block Policy Inheritance? Checkbox in the bottom left corner of the GP window.

Also make sure you have the latest patches; I remember reading about a fix for some type of group policy update problem. Did you upgrade the group policies to XP? The .adm files in W2K are version 2, in XP they're version 3. XP will not recognize some policies because they are less than version 3. Link:

http://support.microsoft.com/kb/q307900/
Hi

So you CAN access the sysvol folder and it's properly shared (can be an issue when group policy is messing up). I'd try having a look with the GPMC if you're not using it already. Very good at enumerating results of policy application. Are these two on the same subnet? (subnetting on the fly is something I've never been fab at). The .adm issue is a good point too.

Introducing the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx

rlattin (ASKER):
I applied some updates to the server and now it can't access the directory. I can't reboot the machine till tonight though, so I'll try those things tonight. I have upgraded the .adm files and I'm using the GPMC. In there I haven't found the Block Policy Inheritance checkbox (not in the same place). Yes, I can access the Sysvol folder and it is shared.
"now it can't access the directory" - What updates? Which directory?

rlattin (ASKER):
I applied Windows patches from the Windows Update site. Sorry, that wasn't the problem though. It was my machine; it couldn't connect to the group policy. I rebooted and now it works. Looking into the GPMC results, under "Applied GPOs" it contains Default Domain Policy and my screensaver policy. Under "Denied GPOs" it contains Local Group Policy. There aren't really any other alarms.
rlattin (ASKER):
In other users' event logs there are two errors that stand out. Does this help at all?

Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Windows cannot access the file gpt.ini for GPO CN={C9B645F2-0392-46AD-AC22-3732BB1B4504},CN=Policies,CN=System,DC=toncorp,DC=tonservices,DC=com. The file must be present at the location <\\toncorp.tonservices.com\SysVol\toncorp.tonservices.com\Policies\{C9B645F2-0392-46AD-AC22-3732BB1B4504}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.
Hmm - yes, I think this may be your problem. OK - from the client - Start, Run

type \\servername to bring up your server shares

One of these is sysvol - enter the folder and navigate to the following folder {C9B645F2-0392-46AD-AC22-3732BB1B4504} - it will be in something like
yourserver\sysvol\yourdomain\policies

See if you can get into it - there should be 3 folders (adm, machine, user) and a file in it called gpt.ini. Confirm that they are there; don't do anything to them.

Next right-click the folder called {C9B645F2-0392-46AD-AC22-3732BB1B4504} and through Properties check the permissions assigned to it. Let us know what they are, but System should have Full Control on it and Authenticated Users should be listed with Read and Execute, List Folder Contents and Read permissions. Don't change anything, just let us know.

Next - check the event logs on the server and post any, including IDs and source. Is this the only domain controller or are there others? Also can you confirm the earlier subnet question? (not my area really)

Deb :))
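The check described above (reach the GPO folder in SYSVOL, confirm the three subfolders and gpt.ini are there, read the permissions without changing anything) can be scripted so it is repeatable on every client that logs the gpt.ini event. The script below is an added example, not from the thread, Experts Exchange or any Microsoft tool. It uses the same path the Group Policy client itself opens, \\<domain>\SysVol\<domain>\Policies\<GUID>, and defaults to the domain and GUID quoted in the event log entry in the thread; the -Server parameter is a placeholder for a domain controller's name (no server name appears on the page) so the share can also be tested by server name, which separates a DFS/domain-name resolution problem from a problem with the share itself.

```powershell
# Added diagnostic (not the thread's code). Run on the client that logs the
# "Windows cannot access the file gpt.ini" event. It reports whether the GPO
# folder is reachable, which expected items are present, the gpt.ini contents,
# and the ACL, and never modifies anything.
param(
    [string]$Domain  = 'toncorp.tonservices.com',                 # from the thread's event log
    [string]$GpoGuid = '{C9B645F2-0392-46AD-AC22-3732BB1B4504}',   # from the thread's event log
    [string]$Server  = ''                                          # placeholder: a DC name, optional
)

function Test-GpoFolder {
    param([string]$Root)   # \\host\SysVol\<domain>\Policies\<GUID>
    Write-Host "== $Root"
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Not reachable: same symptom as 'The system cannot find the path specified' in the event log."
        return $false
    }
    # The three subfolders and gpt.ini that should exist for every GPO
    foreach ($item in 'Adm', 'Machine', 'User', 'gpt.ini') {
        $state = if (Test-Path -LiteralPath (Join-Path $Root $item)) { 'present' } else { 'MISSING' }
        Write-Host ('  {0,-8} {1}' -f $item, $state)
    }
    # gpt.ini carries the version number the client compares with the AD object;
    # if it cannot be read, processing of that GPO is aborted.
    $gpt = Join-Path $Root 'gpt.ini'
    if (Test-Path -LiteralPath $gpt) {
        Get-Content -LiteralPath $gpt | ForEach-Object { Write-Host "  $_" }
    }
    # Expected (as the thread checks): SYSTEM Full Control, Authenticated Users Read & Execute.
    (Get-Acl -LiteralPath $Root).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize | Out-String | Write-Host
    return $true
}

$byDomain = Test-GpoFolder "\\$Domain\SysVol\$Domain\Policies\$GpoGuid"

if ($Server) {
    # Reachable by server name but not by domain name points at the domain-based
    # DFS root (DFS client/MUP, DNS for the domain name) rather than the share.
    $byServer = Test-GpoFolder "\\$Server\SysVol\$Domain\Policies\$GpoGuid"
    if ($byServer -and -not $byDomain) {
        Write-Warning 'Only the per-server path works: check the DFS client/MUP and DNS resolution of the domain name.'
    }
}
```

Save it as Test-GpoSysvol.ps1 and run it as the user whose policy is not applying, e.g. `.\Test-GpoSysvol.ps1 -Server dc1` (dc1 being a placeholder). Because it only reads, it is safe to run on several clients and compare the output from a client that applies the policy against one that does not.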


rlattin (ASKER):
Yes, the 3 folders and file are there. The {C9B645F2-0392-46AD-AC22-3732BB1B4504} folder has just what you said: System has Full Control and Authenticated Users have Read and Execute. Sysvol is a shared folder that everyone can read. From the main Event Viewer I can't see any events that apply to Group Policy. There is a backup domain controller. The domain controllers are on a different subnet. All workstations are on 10.1.22.x and the domain controllers are on 10.1.24.x.
Any reason for the different subnet? Can you get them on the same subnet? Unusual to have clients on different subnets to a DC.

Basically I think that your pc is just not finding the policy - re the error - it can't access gpt.ini (the file you've just confirmed is there) - just the pc isn't finding it (The system cannot find the path specified - but it should be able to!).

Check and report the security permissions on the sysvol too, just in case.

How many policies do you have? (i.e. folders like the {c9b6... etc.)

Can you check on the servers that dfs is running as a service ok? (Distributed File System) If it isn't start it, and make sure it's set to automatic.

Deb :))

rlattin (ASKER):
The reason for the different subnet, from what I understand, has something to do with the servers being on the first floor and us on the third. It has worked fine for a long time, even all the other policies. I've tested permissions on normal users' computers and they all can access the files in Sysvol. There are seven other policies. Like I said, those policies work fine. DFS is running and is set to automatic as well.
OK - so other policies are applying just fine, and to your PCs on your subnet? OK, have you tried just deleting this GPO completely (so long as it's NOT Default Domain, obviously) and starting from scratch with it? If other policies are applying just fine, then maybe there's a corruption somewhere with just this one policy?

Deb :))

rlattin (ASKER):
What I did at first is just add the screen saver parameters to the existing policies. When that didn't work I created a new policy in the group and tried it that way. When that didn't work I tried creating a whole new group with only me in it, and I created a whole new policy. I don't think that's it. Like I said at the beginning, the policy is even getting applied to my computer in the registry. The {C9B645F2-0392-46AD-AC22-3732BB1B4504} key in the registry is there and looks correct, but it seems that something is overriding it.
This is a totally confusing one. I've tried pretty much all the standard troubleshooting areas in relation to non-application of group policy, and the errors that you posted give the impression that policy is a problem.

However, gpmc indicates that the policy has been applied, as does the registry, but no screen saver thing is happening (pauses for breath)... This is extremely puzzling.

Could you (think I asked for this earlier) post the relevant registry entries for this particular policy as they are currently set on the PC? There should be four of them, I believe, relating to screensavers, if you're enabling password protection on them.

All you need to do is export the relevant registry key for Desktop, I believe, open the .reg file with Notepad and copy and post the relevant bits for me to have a look at. I've come this far, I may as well investigate the lot.

Deb :))

rlattin (ASKER):
I appreciate you taking so much time for me. Here is the registry from the group policy.

[HKEY_USERS\S-1-5-21-1004336348-1547161642-725345543-1214\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\toncorp.tonservices.com{3B910B9D-2186-43D1-B221-0B6B3D0E8824}User]

[HKEY_USERS\S-1-5-21-1004336348-1547161642-725345543-1214\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\toncorp.tonservices.com{3B910B9D-2186-43D1-B221-0B6B3D0E8824}User\Software]

[HKEY_USERS\S-1-5-21-1004336348-1547161642-725345543-1214\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\toncorp.tonservices.com{3B910B9D-2186-43D1-B221-0B6B3D0E8824}User\Software\Policies]

[HKEY_USERS\S-1-5-21-1004336348-1547161642-725345543-1214\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\toncorp.tonservices.com{3B910B9D-2186-43D1-B221-0B6B3D0E8824}User\Software\Policies\Microsoft]

[HKEY_USERS\S-1-5-21-1004336348-1547161642-725345543-1214\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\toncorp.tonservices.com{3B910B9D-2186-43D1-B221-0B6B3D0E8824}User\Software\Policies\Microsoft\Windows]

[HKEY_USERS\S-1-5-21-1004336348-1547161642-725345543-1214\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\toncorp.tonservices.com{3B910B9D-2186-43D1-B221-0B6B3D0E8824}User\Software\Policies\Microsoft\Windows\Control Panel]

[HKEY_USERS\S-1-5-21-1004336348-1547161642-725345543-1214\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\toncorp.tonservices.com{3B910B9D-2186-43D1-B221-0B6B3D0E8824}User\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveTimeOut"="600"
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"
Hmm - I'm away from my domain right now, so can't give a definitive answer, but shouldn't there be a SCREENSAVE.EXE REG_SZ value, i.e. C:\WINDOWS\System32\ssflwbox.scr, somewhere? What does it say under the HKCU key \Control Panel\Desktop for the screensaver keys?

"ScreenSaveTimeOut"="600"
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"

Will have a look at this tomorrow when I can get access to the relevant domain info, and come back to you.

Deb :))
rlattin (ASKER):
Exactly. Here it is, and this is what confuses me. Even though the group policy timeout is at 600, this one is at 420 (what I have it set to in Control Panel). Even if I change this value to 600 and close regedit, it doesn't change. When I reopen regedit it says 420 again. Anyway, here is the registry. Thanks again for everything you're doing!!

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ActiveWndTrkTimeout"=dword:00000000
"AutoEndTasks"="0"
"CaretWidth"=dword:00000001
"CoolSwitch"="1"
"CoolSwitchColumns"="7"
"CoolSwitchRows"="3"
"CursorBlinkRate"="530"
"DragFullWindows"="1"
"DragHeight"="4"
"DragWidth"="4"
"FontSmoothing"="0"
"FontSmoothingOrientation"=dword:00000001
"FontSmoothingType"=dword:00000000
"ForegroundFlashCount"=dword:00000003
"ForegroundLockTimeout"=dword:00000000
"GridGranularity"="0"
"HungAppTimeout"="5000"
"LowPowerActive"="0"
"LowPowerTimeOut"="0"
"MenuShowDelay"="400"
"PaintDesktopVersion"=dword:00000000
"PowerOffActive"="0"
"PowerOffTimeOut"="0"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="420"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="C:\\WINDOWS\\System32\\logon.scr"
"TileWallpaper"="0"
"UserPreferencesMask"=hex:9e,3e,05,80
"WaitToKillAppTimeout"="20000"
"Wallpaper"="C:\\WINDOWS\\dell.bmp"
"WallpaperStyle"="2"
"OriginalWallpaper"=""
"WheelScrollLines"="3"
"Pattern Upgrade"="TRUE"
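The two exports above are the point where this thread gets confusing, so here is an added example (not from the thread or from any Microsoft tool) that reads both locations on a client and reports which value is in effect. The key under ...\CurrentVersion\Group Policy Objects\<domain>{GUID}User is the Group Policy client's staging copy of the GPO's registry settings; the location the screen saver code honours is HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, and when a value exists there it takes precedence over the same-named user preference under HKCU\Control Panel\Desktop, which keeps the user's own setting (a policy timeout of 600 beside a preference of 420 is the expected picture once the policy applies). Comparing the two therefore tells you whether the password-protected lock is actually enforced for this profile, which is the control an auditor or a defender cares about. The value names are the four the thread lists; the function name is my own.

```powershell
# Added example (not the thread's code). Reports the screen-saver lock settings
# for the current user: policy value, user preference value, and which one wins.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'  # enforced by GPO
$prefKey   = 'HKCU:\Control Panel\Desktop'                                       # user's own preference
$names     = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

function Get-RegValueOrNull([string]$Key, [string]$Name) {
    # Returns $null (rather than an error) when the key or the value is absent
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $p = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Get-ScreenSaverLockReport {
    # Hypothetical helper name; one row per value with the effective source
    foreach ($n in $names) {
        $pol  = Get-RegValueOrNull $policyKey $n
        $pref = Get-RegValueOrNull $prefKey   $n
        [pscustomobject]@{
            Value      = $n
            Policy     = $pol
            Preference = $pref
            Effective  = if ($null -ne $pol)      { "$pol (policy)" }
                         elseif ($null -ne $pref) { "$pref (user preference)" }
                         else                     { '(unset)' }
        }
    }
}

$report = Get-ScreenSaverLockReport
$report | Format-Table -AutoSize

if (-not (Test-Path -LiteralPath $policyKey)) {
    # No policy key at all means the user-side GPO never reached this profile:
    # check gpresult and the Userenv events in the Application log, not Control Panel.
    Write-Warning 'No policy key present: the user-side GPO has not been applied to this profile.'
}
elseif (($report | Where-Object { $_.Value -eq 'ScreenSaverIsSecure' }).Policy -ne '1') {
    Write-Warning 'Policy key exists but password protection is not enforced by policy.'
}
```

Run it in the session of the user whose lock setting is in question (policy data is per user, so an elevated or different account shows a different profile). The "Preference" column keeping 420 while "Policy" shows 600 is not a sign that the policy is being overridden; the warning at the end fires in the case the thread is actually chasing, where the policy key is absent because the GPO was never processed.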
Just to verify, you are logged onto the XP station with admin rights...? And the domain admin or Administrators group has been added to the local Administrators group....

Also the block inheritance is located here:
open AD Users and Computers
right-click your domain, Properties, select the Group Policy tab
on the bottom left side is where the checkbox for Block Policy Inheritance is located.

Try pulling the XP station out of the domain, restart, then re-add it back into the domain. This will cause it to re-register its computer information and clear group policies.
As far as I understand it - when you log in to a workstation with a domain profile (and collect group policy) - then the ntuser.dat file contents for your profile are reflected in the HKCU registry settings. Looks like this may be being bypassed, or not loaded (which would maybe bring us back to your error logs). What do your HKCU\Control Panel\Desktop settings look like for these registry entries?

Deb :))
Hi

After all that I decided to have a look at the policy and its application directly and guess what? Same issue! Turns out it's a damned bug in XP SP1. Same errors as you have, and the gpt.ini access error is indicative. The hotfix works on my XP machine: applied, rebooted, logged in, policy applies no problem.

Download the hotfix in link two, apply it to your xp machines and it should work fine.

5874 » Network File Errors Occur After You Install Windows XP SP1?
http://www.jsiinc.com/SUBL/tip5800/rh5874.htm
MS02-070: Flaw in SMB Signing May Permit Group Policy to Be Modified
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329170

Deb :))
rlattin (ASKER):
Wow it looks like we're getting closer! Here is what my HKCU\Control Panel\Desktop settings look like:

"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="420"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="C:\\WINDOWS\\System32\\logon.scr"

I tried to apply that hotfix but it doesn't let me since I've already installed SP2. Then I looked in the registry like that other article described, which tells me to change HKLM\System\Current Control Set\Services\Mup. It says to set the key Disable DFS to 0 but all I have in there is this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup]
"DisplayName"="Mup"
"ErrorControl"=dword:00000001
"Group"="Network"
"Start"=dword:00000000
"Tag"=dword:00000002
"Type"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup\Enum]
"0"="Root\\LEGACY_MUP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Also to answer Mazaraat's question: yes, I am logged onto the XP station with admin rights. On the network I am a Domain Admin as well. Thanks, I found the block inheritance and rejoined my PC to the domain but I'm still getting the same problem.

I think you're right though, Deb, I think it has something to do with DFS. I restarted the domain controller last night and restarted the DFS service this morning but it didn't do anything. The question is, if I can access the folder through Network Neighborhood, why can't Group Policy access it? Thanks a million!
Hi
It's definitely not pulling that policy, due to the error. OK, so you can't apply the hotfix -

1) Have you checked this workaround out on your DC? (Make a note of the default settings though, in case you need to change them back.)

WORKAROUND
To work around this problem, use Group Policy settings to turn off SMB signing. To do so, set the Default Domain Controller policy settings to Disabled:
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the Domain Controllers organizational unit, and then click Properties.
Click the Group Policies tab.
Click Default Domain Controllers Policy, and then click Edit.
Go to the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
If any of the following policy settings are set to Enabled, double click the setting, click to select the Define this policy setting check box, click Disabled, and then click OK.

I'll have a look at the registry settings.

Deb :))
rlattin (ASKER):
When I click on the Default Domain Policy I get this message:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent., To change the SYSVOL Permissions to those in Active Directory, click OK.

For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=2006.

According to the article, by pressing OK it should fix it. I will reboot and see!
No entry for the DFS client in Mup that I can see either - apparently the DFS client is an inherent part of the XP OS anyway??

Will keep fingers crossed !
rlattin (ASKER):
Well, it didn't seem to work. Should I go ahead and do your last suggestion? Here is the report GPMC gave me today.

Group Policy Objects
Applied GPOs
Name          Link Location                  Revision
Screen_Saver  toncorp.tonservices.com/Audit  AD (5), Sysvol (5)

Denied GPOs
Name                   Link Location            Reason Denied
Local Group Policy     Local                    Empty
Default Domain Policy  toncorp.tonservices.com  Blocked SOM

Security Group Membership when Group Policy was applied
BUILTIN\Administrators
Everyone
BUILTIN\Users
TONCORP\REMYL$
TONCORP\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

WMI Filters
Name  Value  Reference GPO(s)
None

Component Status
Component Name               Status             Last Process Time
Group Policy Infrastructure  Success            10/15/2004 9:14:56 AM
EFS recovery                 Success (no data)  10/14/2004 3:53:29 PM
Registry                     Success            10/14/2004 3:53:24 PM
Security                     Success            10/14/2004 3:53:28 PM
Software Installation        Failed             7/13/2004 4:41:53 PM
Software Installation failed due to the error listed below.

Fatal error during installation.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 7/13/2004 4:41:50 PM and 7/13/2004 4:41:53 PM.

Hi
Just wondering what this was about?

"Software Installation failed due to the error listed below.
Fatal error during installation."

However,

Denied GPOs
Name                   Link Location            Reason Denied
Local Group Policy     Local                    Empty
Default Domain Policy  toncorp.tonservices.com  Blocked SOM

Blocked SOM means blocked scope of management - which would suggest that block inheritance is set on one of the OUs - you'll need to check this out.

Is your Default Domain Policy OK now? i.e. "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL Permissions to those in Active Directory, click OK." Had you changed them at all?

Very frustrating, this one!

Deb :))


rlattin (ASKER):
Well, I'm not sure what software installation error this was. It was a long time ago, before we really started adding policies. Block inheritance was a suggestion I was given to set, but I've unblocked it now. As far as the message for the default domain policy, it supposedly made the permissions consistent. I don't know how to check that, but I don't get the message anymore.

You're not kidding! I can't believe you've stuck with me for so long, but I'm very glad you have!!

Thanks,
Remy
Lol - I thought my hotfix would do it - forgot you were using SP2. Just a thought on the fact that you don't seem to be able to physically change the registry setting in HKCU - you're not using mandatory profiles, are you?

Deb :))
rlattin (ASKER):
Sorry, what are mandatory profiles?
Gosh, my spelling is off today - typing too quick. A mandatory profile is where the profile can't be changed by the user, but this shouldn't be affected by GPOs as they apply after the profile has loaded, unless permissions aren't set correctly on the profile itself.
This is for Windows 2000, but you should get the gist:
http://support.microsoft.com/?id=323368

However, probably nothing to do with it; just odd that you as an admin can't change this registry setting under HKCU\Control Panel\Desktop - I have got that right, haven't I?
rlattin (ASKER):
No, not using a mandatory profile. Disregard the registry problem. If I change it and then reboot before checking it in Control Panel it does change, so that is not a problem. Just stupidity on my part. I was wondering, I only manage 40-50 workstations; is there any way, other than GP, that I can set the screensaver options on the PCs, even if one by one, and make it so the users cannot change those settings?
Yes there is, but only kind of -
1) Problem is if the local policy then gets overridden by group policy, which it may do.
2) Problem is that you need to either merge the .reg file at the logon of every user, or delete all the current profiles and directly edit the registry of the default user, as the default user profile is only loaded at first logon.

Import the following .reg file into the registry on all PCs with your relevant settings applied:
-------------------------------------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]

"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="900"
"SCRNSAVE.EXE"="C:\\WINNT\\system32\\ssflwbox.scr"

-----------------------------------------------------------------------------------
You can specify whatever screensaver you want so long as it exists in the systemroot\system32 directory.
Then run gpedit.msc from a command prompt:

User Configuration /administrative Templates / Control panel / Display - Enable Hide screen saver

Beware that local policies apply to everyone that logs onto the PC, so it's easy to run into trouble, and local admins of the PCs will be able to access the local group policy and change it.

That's why, if it's at all possible, you need to get this policy running through Active Directory. Sometimes EE does your head in - it's like trying to troubleshoot blindfolded and with your hands tied behind your back.

I'd maybe give the server policy change a try, although I can't help thinking that something else is going on somewhere. Other than that, unless you've got any new info, I'm about dry of ideas!

ntuser.dat, which is in every user profile, is loaded into the HKCU registry hive at logon, so each user keeps their own settings. The only way of changing this is by using mandatory profiles (which users mostly hate), usually stored on a server share, and then pointing all profile paths to that profile.

Sorry I've not helped you fix this : ((

ASKER CERTIFIED SOLUTION
Debsyl99
rlattin (ASKER):
That'll be good enough. My boss will accept that I'm sure. Thanks Deb for all your help. I wish I could award you a million points!!!
My pleasure - good to work with you - just wish we'd got a bit further with the GPO problem. Have left you positive feedback for being great to work with!
Best wishes,
Deb :))