Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


how to force a lock on Workstations in a domain

Posted on 2004-11-17
Medium Priority
Last Modified: 2011-10-03
Good Day,

How do i force a lock after a period of 15 min of idleness on all workstations running XP and 2000 using a group policy. I am using Windows 2000 server AD.


Question by:Tacobell2000
LVL 58

Expert Comment

by:Pete Long
ID: 12608971
Using WinExit.scr

winexit.scr is a screensaver that logs a user off after a period of inactivity.
winexit.scr lives in the (Windows 2000 server resource kit)

add Winexit.scr to the registry


Deploy it on a machine (Says Windows XP but works in W2K)


You can set it in the Domain Security policy here's a walkthrough

LVL 97

Expert Comment

by:Lee W, MVP
ID: 12608973
You'd need to set the screen saver to 15 minutes and require it to be password protected.
LVL 65

Expert Comment

ID: 12608979
Hello Tacobell2000 =)

>> How do i force a lock
You mean Logoff... ?? If Yes then read this :)

Q:  How can I auto logoff or automatically log a user out of Windows after a period of inactivity?

A:  This can be done in Windows 2000 / XP / .NET using Group Policy. Control Panel, Administrative Tools > local security policy > local policies \ security options \ "Automatically log off users" and/or "Amount of idle time required before disconnecting session"

ref >> http://securityadmin.info/noframes/faqget.asp#autologoff
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 12609426
These settings mentioned are all good, but I think what you're after is this setting:

User Settings ->  Administrative Templates -> System ->  Power Management

Prompt for Password on Resume from hibernate / suspend

Basically this will make it so that when your hard disks spin down and spin back up again your computer will be in the "locked" state, requiring user credentials.

This needs to be combined with the power management setting on the local computer that determines the time interval in which the computer will turn off its hard disk.

I would use this in conjunction with the screensaver method mentioned above, only instead of using winexit.scr, use some other standard screen saver, and make it use the password protect option.  These options are available here

User Settings ->  Administrative Templates -> Control Panel -> Display

You need Executable Name  and Timeout to set the screensaver and time delay.

In conjunction with my method, your users will have to put their passwords in when the screen saver kicks in, or if the hard disks turn off after their idle period expires.  Covers all the bases.

Accepted Solution

TJworld earned 2000 total points
ID: 12609909
You've had the essence of this question answered in your other question

"how to force a lock after a period of inactivity on 2000 server DC"


With the slight difference here that you apply the changes to the Default Policy, not to one created for the Domain Controllers.

If you're being picky by saying only "workstations running XP and 2000" and you have a mixed network of Win9x/NT4/2000/XP computers, then you'll need to create a new global policy in the same was as described in the other article, but with a Security Deny apply global policy rule for a new Active Directory group "Excluded From Lock" and add all the domain computers that run NT/Win9x to it, along with any others you don't want the policy to affect.

Expert Comment

ID: 12610031
Right-Click Desktop, Properties, Screensaver Tab, Check Password Protect, Adjust Time to suit.


Expert Comment

ID: 12613450

Expert Comment

ID: 12830817
since it is a Domain, you'll have to set it in the group policy like this

Administrative Templates
--> Control Panel
   --> Display
         Screen Saver timeout: xx seconds

Also throw these into the mix.
Hide Screen Saver tab: Enabled
Screen Saver: Enabled
Screen Saver Executable name: Enabled - scrnsave.scr
Password protect the screen saver: Enabled


Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
I have written articles previously comparing SARDU and YUMI.  I also included a couple of lines about Easy2boot (easy2boot.com).  I have now been using, and enjoying easy2boot as my sole multiboot utility for some years and realize that it deserves …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question