how to force a lock on Workstations in a domain

Posted on 2004-11-17
Last Modified: 2011-10-03
Good Day,

How do I force a lock after a period of 15 min of idleness on all workstations running XP and 2000 using a group policy? I am using Windows 2000 Server AD.


Question by:Tacobell2000
    LVL 57

    Expert Comment

    by:Pete Long
    Using WinExit.scr

    winexit.scr is a screensaver that logs a user off after a period of inactivity.
    winexit.scr lives in the (Windows 2000 server resource kit)

    add Winexit.scr to the registry

    Deploy it on a machine (Says Windows XP but works in W2K);en-us;314999&

    You can set it in the Domain Security policy; here's a walkthrough
    LVL 95

    Expert Comment

    by:Lee W, MVP
    You'd need to set the screen saver to 15 minutes and require it to be password protected.
    LVL 65

    Expert Comment

    Hello Tacobell2000 =)

    >> How do i force a lock
    You mean Logoff... ?? If Yes then read this :)

    Q:  How can I auto logoff or automatically log a user out of Windows after a period of inactivity?

    A:  This can be done in Windows 2000 / XP / .NET using Group Policy. Control Panel, Administrative Tools > local security policy > local policies \ security options \ "Automatically log off users" and/or "Amount of idle time required before disconnecting session"

    ref >>
    LVL 6

    Expert Comment

    These settings mentioned are all good, but I think what you're after is this setting:

    User Settings ->  Administrative Templates -> System ->  Power Management

    Prompt for Password on Resume from hibernate / suspend

    Basically this will make it so that when your hard disks spin down and spin back up again your computer will be in the "locked" state, requiring user credentials.

    This needs to be combined with the power management setting on the local computer that determines the time interval in which the computer will turn off its hard disk.

    I would use this in conjunction with the screensaver method mentioned above, only instead of using winexit.scr, use some other standard screen saver, and make it use the password protect option.  These options are available here

    User Settings ->  Administrative Templates -> Control Panel -> Display

    You need Executable Name  and Timeout to set the screensaver and time delay.

    In conjunction with my method, your users will have to put their passwords in when the screen saver kicks in, or if the hard disks turn off after their idle period expires.  Covers all the bases.
    LVL 5

    Accepted Solution

    You've had the essence of this question answered in your other question

    "how to force a lock after a period of inactivity on 2000 server DC"

    With the slight difference here that you apply the changes to the Default Policy, not to one created for the Domain Controllers.

    If you're being picky by saying only "workstations running XP and 2000" and you have a mixed network of Win9x/NT4/2000/XP computers, then you'll need to create a new global policy in the same way as described in the other article, but with a Security Deny apply global policy rule for a new Active Directory group "Excluded From Lock" and add all the domain computers that run NT/Win9x to it, along with any others you don't want the policy to affect.
    LVL 1

    Expert Comment

    Right-Click Desktop, Properties, Screensaver Tab, Check Password Protect, Adjust Time to suit.

    Expert Comment

    Since it is a domain, you'll have to set it in the group policy like this:

    Administrative Templates
    --> Control Panel
       --> Display
             Screen Saver timeout: xx seconds

    Also throw these into the mix.
    Hide Screen Saver tab: Enabled
    Screen Saver: Enabled
    Screen Saver Executable name: Enabled - scrnsave.scr
    Password protect the screen saver: Enabled
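
One way to confirm on a workstation that the four Display policy settings listed in the thread actually applied, as an added example that is not part of the original thread: it parses `reg query` output for the standard per-user policy key and flags anything that would leave the session unlocked past the 15 minutes asked for in the question. The sample output and the function names are constructed for illustration.

```python
import re

# Per-user key written by User Configuration > Administrative Templates >
# Control Panel > Display (standard Windows policy location).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
MAX_IDLE_SECONDS = 15 * 60  # the 15 minutes asked for in the question

# Constructed sample of `reg query "<POLICY_KEY>"` output from one workstation.
SAMPLE_OUTPUT = POLICY_KEY + """
    ScreenSaveActive    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    1800
    SCRNSAVE.EXE    REG_SZ    scrnsave.scr
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name_lowercased: data} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3)
    return values


def audit_screen_lock(text, max_idle=MAX_IDLE_SECONDS):
    """List the reasons this workstation would not lock after max_idle seconds."""
    v = parse_reg_query(text)
    findings = []
    if v.get("screensaveactive") != "1":
        findings.append("screen saver not enforced (ScreenSaveActive != 1)")
    if v.get("screensaverissecure") != "1":
        findings.append("password protection not enforced (ScreenSaverIsSecure != 1)")
    timeout = v.get("screensavetimeout", "")
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append("no timeout enforced (ScreenSaveTimeOut missing or 0)")
    elif int(timeout) > max_idle:
        findings.append(f"timeout {timeout}s exceeds {max_idle}s")
    if not v.get("scrnsave.exe"):
        findings.append("no screen saver executable set (SCRNSAVE.EXE)")
    return findings


if __name__ == "__main__":
    for finding in audit_screen_lock(SAMPLE_OUTPUT) or ["compliant"]:
        print(finding)
```

Because the key is under HKEY_CURRENT_USER, the `reg query` output has to be collected in the logged-on user's session; an empty or missing key means the policy never reached that user.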

