how to force a lock after a period of inactivity on 2000 server DC
Good Day,
How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy. I am using Windows 2000 server with sp4 installed.
Thanks,
Tacobell2000
How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy. I am using Windows 2000 server with sp4 installed.
Thanks,
Tacobell2000
I would just setup a password protected screensaver on your DCs.
ASKER
No. I want to use group policy for this.
Well you can setup the screensaver via group policy....but it is a user config policy so it would apply to users not to computers....
The screensaver in my opionion is the easist and best way.....I don't know if there is any other way to do this via group policy. I haven't seen anything that would do it....
ASKER
Yes there is a way because I did it a while ago....but i cannot remember which 2 group policies i modified.
HOWTO: How to Set a Screen Saver Through a System Policy
http://support.microsoft.com/default.aspx?scid=kb;en-us;195655
You can schedule a rundll32 command :
How can I lock a workstation from the command line?
http://www.winnetmag.com/Article/ArticleID/14925/14925.html
http://www.computerhope.com/issues/ch000570.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;195655
You can schedule a rundll32 command :
How can I lock a workstation from the command line?
http://www.winnetmag.com/Article/ArticleID/14925/14925.html
http://www.computerhope.com/issues/ch000570.htm
ASKER
ok...but i am running a windows 2000 server with AD installed and not an NT 4.0 .
1. Download the GMPC (Group Policy Management MMC). This is a must have tool for managing and deploying Group Policy objects - http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
2. Create a test OU (the OU will be for testing and will contain USERS). I called mine Test OU.
3. Launch GMPC and add right click on your test OU and select "Create and Link a GPO Here"
4. Right Click your new policy and select EDIT
5. Drill down to User Configuration | Administrative Templates | Control Panel | Display
6. Double Click and set the following
a. Screen Saver - enabled
b. screen saver executable name - enabled - executable name = logon.scr
c. password protect the screen saver - enabled
d. screen saver timeout - enabled - seconds = 600
7. Add some test IDs to the Test OU
8. Logon to an XP machine (if you have one because they're easier to refresh GPOs on) and type gpupdate.exe in the run box
9. Wait ten minutes and verify that your machine is locked
If you have any problems, from an XP machine (again it's easier) and run RSOP.MSC. This will let you browse your machine for things that policies have set.
2. Create a test OU (the OU will be for testing and will contain USERS). I called mine Test OU.
3. Launch GMPC and add right click on your test OU and select "Create and Link a GPO Here"
4. Right Click your new policy and select EDIT
5. Drill down to User Configuration | Administrative Templates | Control Panel | Display
6. Double Click and set the following
a. Screen Saver - enabled
b. screen saver executable name - enabled - executable name = logon.scr
c. password protect the screen saver - enabled
d. screen saver timeout - enabled - seconds = 600
7. Add some test IDs to the Test OU
8. Logon to an XP machine (if you have one because they're easier to refresh GPOs on) and type gpupdate.exe in the run box
9. Wait ten minutes and verify that your machine is locked
If you have any problems, from an XP machine (again it's easier) and run RSOP.MSC. This will let you browse your machine for things that policies have set.
Oops I didn't read your post. You want this to run on domain controllers only. The builtin policies for locking is a user config and won't be easily added to just domain controllers unless there is always a specific user logged in that you can target. Why are your DCs logged in unattended? That is a no no. There is a reg hack somewhere to lock after a certain idle time. You can set these reg keys via the default domain controllers policy as well. I'll hunt down the hacks.
Let you know
Let you know
There is a similar issue posted at:
https://www.experts-exchange.com/questions/20852392/Auditing-Event-Logs-group-policy-for-screen-to-lock-after-a-set-period-of-time.html
the accepted answer on that post may be what you are looking for.
https://www.experts-exchange.com/questions/20852392/Auditing-Event-Logs-group-policy-for-screen-to-lock-after-a-set-period-of-time.html
the accepted answer on that post may be what you are looking for.
https://www.experts-exchange.com/questions/21209166/Lock-Computer-after-X-time-of-use.html
Not a policy but this script does the job.
I just create and test it on a Windows 2000 Pro.
Not a policy but this script does the job.
I just create and test it on a Windows 2000 Pro.
Hi
If someone has already hit the nail on the head prior to this post then 1) please accept the answer and 2) Also accept my apologies everyone =
My internet connection is flaking badly tonight so I can't check out the links posted already - I'll be lucky to post this!
Is there a reason why you just can't amend the Default domain controller's policy in active directory users and computers?
You could try the policies in the default domain controllers gpo -
User Configuration - Administrative Templates - Control Panel - Display - Activate Screen Saver
"If you enable it, a screen saver will run provided the following two conditions hold: First, a valid screensaver on the DC is specified via the "Screensaver executable name" policy or via Control Panel on the DC. Second, the screensaver timeout is set to a nonzero value via the policy or Control Panel. Also checkout the password protect screensaver in the same policy area,
Hope this helps,
Debs :))
If someone has already hit the nail on the head prior to this post then 1) please accept the answer and 2) Also accept my apologies everyone =
My internet connection is flaking badly tonight so I can't check out the links posted already - I'll be lucky to post this!
Is there a reason why you just can't amend the Default domain controller's policy in active directory users and computers?
You could try the policies in the default domain controllers gpo -
User Configuration - Administrative Templates - Control Panel - Display - Activate Screen Saver
"If you enable it, a screen saver will run provided the following two conditions hold: First, a valid screensaver on the DC is specified via the "Screensaver executable name" policy or via Control Panel on the DC. Second, the screensaver timeout is set to a nonzero value via the policy or Control Panel. Also checkout the password protect screensaver in the same policy area,
Hope this helps,
Debs :))
Okay, this is going to be a long one but this is how to do it.
Tested and working in a Windows 2000/2003 Domain with XP clients.
Firstly, on the Primary Domain Controller create an Administrative Template for the screen saver policy, here's the complete contents of the file with its location and name:
"%systemroot%\inf\DC Screen Saver Policy.adm"
------------- < marker only, don't include in file
CLASS USER
CATEGORY !!Screen_Saver_Policy
POLICY !!Screen_Saver
KEYNAME "Control Panel\Desktop"
PART !!Screen_Saver_Location EDITTEXT
DEFAULT !!DEF_SCREEN_SAVER
VALUENAME SCRNSAVE.EXE
END PART
END POLICY
POLICY !!ENABLE_SCREEN_SAVER
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaveActive
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!ENABLE_Password
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaverIsSecure
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!SCREEN_SAVER_IDLE_TIMEOU
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaveTimeout
VALUEON "300"
END POLICY
END CATEGORY
[strings]
Screen_Saver_Policy="Scree
Screen_Saver="Screen Saver"
ENABLE_SCREEN_SAVER="Enabl
Screen_Saver_Location="Ent
DEF_Screen_Saver="%SYSTEMR
ENABLE_Password=Enable Password
SCREEN_SAVER_IDLE_TIMEOUT=
---------------------< marker only, don't include in file
From Control Panel, Administrative Tools, open the "Active Directory Users and Computers" MMC.
Right-click the domain, choose Properties, then choose the Group Policy dialog.
Create a new policy called "Domain Controllers".
Move this policy to be first in the list (as long as it's before the Default Policy its okay).
Select the "Domain Controllers" policy in the list, right-click it, and choose Properties (or click the Properties button below the list pane).
Choose the Security tab.
Press the Add... button.
Now add two accounts to the list from the domain: "Domain Computers" & "Domain Controllers".
Press the OK button.
In the list of account names pane select "Domain Computers".
In the Permissions pane, for "Full Control" tick Deny (only really needs Apply Group Policy = Deny).
In the list of account names pane select "Domain Controllers".
In the Permissions pane, for "Read" tick Allow, and for "Apply Group Policy" tick Allow.
Press the OK button.
Now its time to add the new template into this new policy.
In the "Group Policy Object Links" list select "Domain Controllers", then press the Edit button (or double-click the policy name in the list).
In the Group Policy editor window that opens:
Expand the "User Configuration" tree.
Choose "Administrative Templates".
Right-click and choose "Add/Remove Templates...".
Press the Add... button
Navigate to and select "DC Screen Saver Policy.adm"
Press the Open button, you will see "Screen Saver Policy" listed in the "Current Policy Templates" pane.
Press the Close button.
Expand the "Control Panel" tree, then the "Display" tree, and you will see the value-names.
To enable the screen saver, Enable "Activate screen saver".
Set "Screen Saver timeout" to "300" and Enable it.
Set "Password protect the screen saver" to Enable.
The default value for "Screen saver exectuable name" has been set by the policy template but it sometimes doesn't work so set it manually.
Set "Screen saver executable name" to "%systemroot%\system32\log
Thats it! If you want to push the policy out immediately use
C:\>secedit /refreshpolicy user_policy /enforce
You can check the policy has been applied by inspecting each domain controller's registry by logging in (to update the policy) then looking at
HKEY_CURRENT_USER\Software
where you should see the 4 new values listed.
Tested and working in a Windows 2000/2003 Domain with XP clients.
Firstly, on the Primary Domain Controller create an Administrative Template for the screen saver policy, here's the complete contents of the file with its location and name:
"%systemroot%\inf\DC Screen Saver Policy.adm"
------------- < marker only, don't include in file
CLASS USER
CATEGORY !!Screen_Saver_Policy
POLICY !!Screen_Saver
KEYNAME "Control Panel\Desktop"
PART !!Screen_Saver_Location EDITTEXT
DEFAULT !!DEF_SCREEN_SAVER
VALUENAME SCRNSAVE.EXE
END PART
END POLICY
POLICY !!ENABLE_SCREEN_SAVER
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaveActive
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!ENABLE_Password
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaverIsSecure
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!SCREEN_SAVER_IDLE_TIMEOU
KEYNAME "Control Panel\Desktop"
VALUENAME ScreenSaveTimeout
VALUEON "300"
END POLICY
END CATEGORY
[strings]
Screen_Saver_Policy="Scree
Screen_Saver="Screen Saver"
ENABLE_SCREEN_SAVER="Enabl
Screen_Saver_Location="Ent
DEF_Screen_Saver="%SYSTEMR
ENABLE_Password=Enable Password
SCREEN_SAVER_IDLE_TIMEOUT=
---------------------< marker only, don't include in file
From Control Panel, Administrative Tools, open the "Active Directory Users and Computers" MMC.
Right-click the domain, choose Properties, then choose the Group Policy dialog.
Create a new policy called "Domain Controllers".
Move this policy to be first in the list (as long as it's before the Default Policy its okay).
Select the "Domain Controllers" policy in the list, right-click it, and choose Properties (or click the Properties button below the list pane).
Choose the Security tab.
Press the Add... button.
Now add two accounts to the list from the domain: "Domain Computers" & "Domain Controllers".
Press the OK button.
In the list of account names pane select "Domain Computers".
In the Permissions pane, for "Full Control" tick Deny (only really needs Apply Group Policy = Deny).
In the list of account names pane select "Domain Controllers".
In the Permissions pane, for "Read" tick Allow, and for "Apply Group Policy" tick Allow.
Press the OK button.
Now its time to add the new template into this new policy.
In the "Group Policy Object Links" list select "Domain Controllers", then press the Edit button (or double-click the policy name in the list).
In the Group Policy editor window that opens:
Expand the "User Configuration" tree.
Choose "Administrative Templates".
Right-click and choose "Add/Remove Templates...".
Press the Add... button
Navigate to and select "DC Screen Saver Policy.adm"
Press the Open button, you will see "Screen Saver Policy" listed in the "Current Policy Templates" pane.
Press the Close button.
Expand the "Control Panel" tree, then the "Display" tree, and you will see the value-names.
To enable the screen saver, Enable "Activate screen saver".
Set "Screen Saver timeout" to "300" and Enable it.
Set "Password protect the screen saver" to Enable.
The default value for "Screen saver exectuable name" has been set by the policy template but it sometimes doesn't work so set it manually.
Set "Screen saver executable name" to "%systemroot%\system32\log
Thats it! If you want to push the policy out immediately use
C:\>secedit /refreshpolicy user_policy /enforce
You can check the policy has been applied by inspecting each domain controller's registry by logging in (to update the policy) then looking at
HKEY_CURRENT_USER\Software
where you should see the 4 new values listed.
Create a new link which will include the following entery "%windir%\System32\rundll3
1. Go to 'Control Panel' => 'Scheduled Tasks' and click to 'Add Scheduled Task'.
2. Click 'Next' and click 'Browse...' to browse the new shortcut you just created => Select it.
3. Pick 'Daily' => Click 'Next' => 'Next'.
4. Type in the PWS for your scheduled task => Click 'Confirm' => 'Next' => 'Finish'.
5. Now double-click on the new scheduled task you created
6. Click the 'Settings' tab.
7. Under the 'Idle' section, make your modifications... Enter in how long you want your computer to go before it gets locked.
8. Click 'OK'.
Now, you have created the schdualed task of the idle time you want the workstation to be locked, locate the *.job files located under %WinDir%\tasks and create a batch file that will copy the newly created file to the destination '%windir%\tasks' directory, implementing that job on the destination workstations. Dont forget to copy the shortcut and place it in the same relative location so the scheduler will be able to execute the *.lnk file... After all is being copied, tell the users to restart the computer (OR you can restart the scheduler service remotely) and there you have it...
:)
PS
You may reffer the *.lnk file on a hidden shared resource so, it would save you the bother of copying the *.lnk to all computers. To do so, in the 'Browse' text box of the scheduler, place a shared name...
Hope this is helpful...
Cyber
1. Go to 'Control Panel' => 'Scheduled Tasks' and click to 'Add Scheduled Task'.
2. Click 'Next' and click 'Browse...' to browse the new shortcut you just created => Select it.
3. Pick 'Daily' => Click 'Next' => 'Next'.
4. Type in the PWS for your scheduled task => Click 'Confirm' => 'Next' => 'Finish'.
5. Now double-click on the new scheduled task you created
6. Click the 'Settings' tab.
7. Under the 'Idle' section, make your modifications... Enter in how long you want your computer to go before it gets locked.
8. Click 'OK'.
Now, you have created the schdualed task of the idle time you want the workstation to be locked, locate the *.job files located under %WinDir%\tasks and create a batch file that will copy the newly created file to the destination '%windir%\tasks' directory, implementing that job on the destination workstations. Dont forget to copy the shortcut and place it in the same relative location so the scheduler will be able to execute the *.lnk file... After all is being copied, tell the users to restart the computer (OR you can restart the scheduler service remotely) and there you have it...
:)
PS
You may reffer the *.lnk file on a hidden shared resource so, it would save you the bother of copying the *.lnk to all computers. To do so, in the 'Browse' text box of the scheduler, place a shared name...
Hope this is helpful...
Cyber
ASKER
Good ay,
I really appreciate all these answers. I found the answer. I have asked to close the post because the question was not answered in this post.
In AD Users and computers expand the DC container...group policy....edit... and then:
under Administrative Templates
Group policy
Use Group Policy loopback processing mode set to enabled.
Under user configuration:
Administrative templates
Contol panel
Display
Activate screen saver is set to enable
Password protect the screen saver is enabled
Screen saver timeout is set to 300 seconds
I really appreciate all these answers. I found the answer. I have asked to close the post because the question was not answered in this post.
In AD Users and computers expand the DC container...group policy....edit... and then:
under Administrative Templates
Group policy
Use Group Policy loopback processing mode set to enabled.
Under user configuration:
Administrative templates
Contol panel
Display
Activate screen saver is set to enable
Password protect the screen saver is enabled
Screen saver timeout is set to 300 seconds
But ScreenSaver is NOT locking Workstation... I also know about that solution but you asked to LOCK workstation, which is a much powerful tool...
Cyber
Cyber
Hang on - Didn't I post pretty much that soultion Tacobell?????
I have an objection;
First, the method mentioned by Debsyl99 is quite simillar to the solution chosed by the author. Also, the author requested a method to lock the workstation rather than use the screen saver (and, just for the record; theres a big difference between using an actual lock or using a screensaver lock on a single workstation).
Even if you can contredict the case I presented, there is no doubt that at least Debsyl99 deserve the points for presenting the same way the authour chose...
Please, correct me if Im wrong...
Cyber
First, the method mentioned by Debsyl99 is quite simillar to the solution chosed by the author. Also, the author requested a method to lock the workstation rather than use the screen saver (and, just for the record; theres a big difference between using an actual lock or using a screensaver lock on a single workstation).
Even if you can contredict the case I presented, there is no doubt that at least Debsyl99 deserve the points for presenting the same way the authour chose...
Please, correct me if Im wrong...
Cyber
ASKER
My question was specifically "How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy". DC= Domain Controllers running Windows 2000. And second " using Group Policy" . Debsyl99 gave me an incomplete answer because it did not mention the loopback processing mode. Without this, the DC's would never lock. I would have no problem giving Debsyl99 250 points.....just that my question on this post was not answered and why would i give the points. If you take a look at my other posts I always gave the points when my question was answered completely.
I would prefer to give points when my question is answered completely.
Tacobell2000
I would prefer to give points when my question is answered completely.
Tacobell2000
Tacobell2000
I sense some sort of a misunderstanding here. I have no intention to doubt your judgment capabilities, nor your integrity; I didnt say that my solution is the best solution - on the contrary; I said you may contredict my theory though I (personally) think it is a good solution.
As for Debsyl99's case; You cleared your point there, eventhough I think otherwise I realize that sharing views on that matter wont be a benefit for niether sides therefore, I remove my objection refunding the 500 pts to the author (you).
Cyber
I sense some sort of a misunderstanding here. I have no intention to doubt your judgment capabilities, nor your integrity; I didnt say that my solution is the best solution - on the contrary; I said you may contredict my theory though I (personally) think it is a good solution.
As for Debsyl99's case; You cleared your point there, eventhough I think otherwise I realize that sharing views on that matter wont be a benefit for niether sides therefore, I remove my objection refunding the 500 pts to the author (you).
Cyber
Fair enough - Whatever you feel appropriate Tacobell - :))
I don't think its fair to ask for a refund on this question.
There are several ways of achieving the result, including:
My post above.
and
Microsoft KB article 259576 Group Policy application rules for domain controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;259576
Both of which are valid solutions for the question:
"How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy. I am using Windows 2000 server with sp4 installed."
The key to both is they will only:
1) apply to Domain Controllers
2) use Group Policy
3)lock the windows console
which is what you asked for.
There are several ways of achieving the result, including:
My post above.
and
Microsoft KB article 259576 Group Policy application rules for domain controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;259576
Both of which are valid solutions for the question:
"How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy. I am using Windows 2000 server with sp4 installed."
The key to both is they will only:
1) apply to Domain Controllers
2) use Group Policy
3)lock the windows console
which is what you asked for.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.