how to force a lock after a period of inactivity on 2000 server DC

Good Day,

How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy. I am using Windows 2000 server with sp4 installed.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I would just setup a password protected screensaver on your DCs.
Tacobell2000Author Commented:
No. I want to use group policy for this.
Well you can setup the screensaver via group policy....but it is a user config policy so it would apply to users not to computers....
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

The screensaver in my opionion is the easist and best way.....I don't know if there is any other way to do this via group policy. I haven't seen anything that would do it....
Tacobell2000Author Commented:
Yes there is a way because I did it a while ago....but i cannot remember which 2 group policies i modified.
HOWTO: How to Set a Screen Saver Through a System Policy;en-us;195655

You can schedule a rundll32 command :
How can I lock a workstation from the command line?
Tacobell2000Author Commented:
ok...but i am running a windows 2000 server with AD installed and not an NT 4.0 .
1.  Download the GMPC (Group Policy Management MMC).  This is a must have tool for managing and deploying Group Policy objects -

2.  Create a test OU (the OU will be for testing and will contain USERS).  I called mine Test OU.

3.  Launch GMPC and add right click on your test OU and select "Create and Link a GPO Here"

4.  Right Click your new policy and select EDIT

5.  Drill down to User Configuration | Administrative Templates | Control Panel | Display

6.  Double Click and set the following
   a. Screen Saver - enabled
   b. screen saver executable name - enabled - executable name = logon.scr
   c. password protect the screen saver - enabled
   d. screen saver timeout - enabled - seconds = 600

7.  Add some test IDs to the Test OU

8.  Logon to an XP machine (if you have one because they're easier to refresh GPOs on) and type gpupdate.exe in the run box

9.  Wait ten minutes and verify that your machine is locked

If you have any problems, from an XP machine (again it's easier) and run RSOP.MSC.  This will let you browse your machine for things that policies have set.

Oops I didn't read your post.  You want this to run on domain controllers only.  The builtin policies for locking is a user config and won't be easily added to just domain controllers unless there is always a specific user logged in that you can target.  Why are your DCs logged in unattended?  That is a no no.  There is a reg hack somewhere to lock after a certain idle time.  You can set these reg keys via the default domain controllers policy as well.  I'll hunt down the hacks.  

Let you know
There is a similar issue posted at:

the accepted answer on that post may be what you are looking for.
Not a policy but this script does the job.
I just create and test it on a Windows 2000 Pro.

If someone has already hit the nail on the head prior to this post then 1) please accept the answer and 2) Also accept my apologies everyone =
My internet connection is flaking badly tonight so I can't check out the links posted already - I'll be lucky to post this!

Is there a reason why you just can't amend the Default domain controller's policy in active directory users and computers?

You could try the policies in the default domain controllers gpo -
User Configuration - Administrative Templates - Control Panel - Display - Activate Screen Saver

"If you enable it, a screen saver will run provided the following two conditions hold: First, a valid screensaver on the DC is specified via the "Screensaver executable name" policy or via Control Panel on the DC. Second, the screensaver timeout is set to a nonzero value via the policy or Control Panel. Also checkout the password protect screensaver in the same policy area,

Hope this helps,

Debs :))
Okay, this is going to be a long one but this is how to do it.

Tested and working in a Windows 2000/2003 Domain with XP clients.

Firstly, on the Primary Domain Controller create an Administrative Template for the screen saver policy, here's the complete contents of the file with its location and name:

"%systemroot%\inf\DC Screen Saver Policy.adm"

------------- < marker only, don't include in file
   CATEGORY  !!Screen_Saver_Policy
           POLICY !!Screen_Saver
           KEYNAME "Control Panel\Desktop"
                   PART !!Screen_Saver_Location EDITTEXT
                   DEFAULT !!DEF_SCREEN_SAVER
                   VALUENAME SCRNSAVE.EXE
                   END PART
           END POLICY
           KEYNAME "Control Panel\Desktop"
                   VALUENAME ScreenSaveActive
                   VALUEON "1" VALUEOFF "0"
           END POLICY
           POLICY !!ENABLE_Password
           KEYNAME "Control Panel\Desktop"
                   VALUENAME ScreenSaverIsSecure
                   VALUEON "1" VALUEOFF "0"
           END POLICY
               KEYNAME "Control Panel\Desktop"
                   VALUENAME ScreenSaveTimeout
               VALUEON "300"
         END POLICY

Screen_Saver_Policy="Screen Saver Policies"
Screen_Saver="Screen Saver"
ENABLE_SCREEN_SAVER="Enable Screen Saver"
Screen_Saver_Location="Enter the location of the Screen Saver"
ENABLE_Password=Enable Password
SCREEN_SAVER_IDLE_TIMEOUT="Screen Saver Activation Timeout"

---------------------< marker only, don't include in file

From Control Panel, Administrative Tools, open the "Active Directory Users and Computers" MMC.

Right-click the domain, choose Properties, then choose the Group Policy dialog.

Create a new policy called "Domain Controllers".

Move this policy to be first in the list (as long as it's before the Default Policy its okay).

Select the "Domain Controllers" policy in the list, right-click it, and choose Properties (or click the Properties button below the list pane).

Choose the Security tab.

Press the Add... button.

Now add two accounts to the list from the domain: "Domain Computers" & "Domain Controllers".

Press the OK button.

In the list of account names pane select "Domain Computers".

In the Permissions pane, for "Full Control" tick Deny (only really needs Apply Group Policy = Deny).

In the list of account names pane select "Domain Controllers".

In the Permissions pane, for "Read" tick Allow, and for "Apply Group Policy" tick Allow.

Press the OK button.

Now its time to add the new template into this new policy.

In the "Group Policy Object Links" list select "Domain Controllers", then press the Edit button (or double-click the policy name in the list).

In the Group Policy editor window that opens:

Expand the "User Configuration" tree.

Choose "Administrative Templates".

Right-click and choose "Add/Remove Templates...".

Press the Add... button

Navigate to and select "DC Screen Saver Policy.adm"

Press the Open button, you will see "Screen Saver Policy" listed in the "Current Policy Templates" pane.

Press the Close button.

Expand the "Control Panel" tree, then the "Display" tree, and you will see the value-names.

To enable the screen saver, Enable "Activate screen saver".

Set "Screen Saver timeout" to "300" and Enable it.

Set "Password protect the screen saver" to Enable.

The default value for "Screen saver exectuable name" has been set by the policy template but it sometimes doesn't work so set it manually.

Set "Screen saver executable name" to "%systemroot%\system32\logon.scr" and Enable it.

Thats it! If you want to push the policy out immediately use

C:\>secedit /refreshpolicy user_policy /enforce

You can check the policy has been applied by inspecting each domain controller's registry by logging in (to update the policy) then looking at

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{31B2F340-016D-11D2-945F-00C04FB984F9}User\Software\Policies\Microsoft\Windows\Control Panel\Desktop

where you should see the 4 new values listed.
Create a new link which will include the following entery "%windir%\System32\rundll32.exe user32.dll,LockWorkStation". Now, create a scheduler task according to the following steps:

1. Go to 'Control Panel' => 'Scheduled Tasks' and click to 'Add Scheduled Task'.
2. Click 'Next' and click 'Browse...' to browse the new shortcut you just created => Select it.
3. Pick 'Daily' => Click 'Next' => 'Next'.
4. Type in the PWS for your scheduled task => Click 'Confirm' => 'Next' => 'Finish'.
5. Now double-click on the new scheduled task you created
6. Click the 'Settings' tab.
7. Under the 'Idle' section, make your modifications... Enter in how long you want your computer to go before it gets locked.
8. Click 'OK'.

Now, you have created the schdualed task of the idle time you want the workstation to be locked, locate the *.job files located under %WinDir%\tasks and create a batch file that will copy the newly created file to the destination '%windir%\tasks' directory, implementing that job on the destination workstations. Dont forget to copy the shortcut and place it in the same relative location so the scheduler will be able to execute the *.lnk file... After all is being copied, tell the users to restart the computer (OR you can restart the scheduler service remotely) and there you have it...

You may reffer the *.lnk file on a hidden shared resource so, it would save you the bother of copying the *.lnk to all computers. To do so, in the 'Browse' text box of the scheduler, place a shared name...

Hope this is helpful...

Tacobell2000Author Commented:
Good ay,

I really appreciate all these answers. I found the answer. I have asked to close the post because the question was not answered in this post.

In AD Users and computers expand the DC policy....edit... and then:

under Administrative Templates
Group policy
Use Group Policy loopback processing mode  set to enabled.
Under user configuration:
Administrative templates
Contol panel
Activate screen saver is set to enable
Password protect the screen saver is enabled
Screen saver timeout is set to 300 seconds
But ScreenSaver is NOT locking Workstation... I also know about that solution but you asked to LOCK workstation, which is a much powerful tool...

Hang on - Didn't I post pretty much that soultion Tacobell?????
I have an objection;
First, the method mentioned by Debsyl99 is quite simillar to the solution chosed by the author. Also, the author requested a method to lock the workstation rather than use the screen saver (and, just for the record; theres a big difference between using an actual lock or using a screensaver lock on a single workstation).

Even if you can contredict the case I presented, there is no doubt that at least Debsyl99 deserve the points for presenting the same way the authour chose...

Please, correct me if Im wrong...

Tacobell2000Author Commented:
My question was specifically "How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy".  DC= Domain Controllers running Windows 2000. And second " using Group Policy" . Debsyl99 gave me an incomplete answer because it did not mention the loopback processing mode. Without this, the DC's would never lock. I would have no problem giving Debsyl99 250 points.....just that my question on this post was not answered and why would i give the points. If you take a look at my other posts I always gave the points when my question was answered completely.

I would prefer to give points when my question is answered completely.

I sense some sort of a misunderstanding here. I have no intention to doubt your judgment capabilities, nor your integrity; I didnt say that my solution is the best solution - on the contrary; I said you may contredict my theory though I (personally) think it is a good solution.
As for Debsyl99's case; You cleared your point there, eventhough I think otherwise I realize that sharing views on that matter wont be a benefit for niether sides therefore, I remove my objection refunding the 500 pts to the author (you).

Fair enough - Whatever you feel appropriate Tacobell - :))
I don't think its fair to ask for a refund on this question.

There are several ways of achieving the result, including:

My post above.


Microsoft KB article 259576 Group Policy application rules for domain controllers;en-us;259576

Both of which are valid solutions for the question:

"How can i force the DC's to lock themselves after a period of inactivity say of 5 minutes using group policy. I am using Windows 2000 server with sp4 installed."

The key to both is they will only:

1) apply to Domain Controllers
2) use Group Policy
3)lock the windows console

which is what you asked for.
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.