how to force a lock on Workstations in a domain

Good Day,

How do i force a lock after a period of 15 min of idleness on all workstations running XP and 2000 using a group policy. I am using Windows 2000 server AD.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
Using WinExit.scr

winexit.scr is a screensaver that logs a user off after a period of inactivity.
winexit.scr lives in the (Windows 2000 server resource kit)

add Winexit.scr to the registry

Deploy it on a machine (Says Windows XP but works in W2K);en-us;314999&

You can set it in the Domain Security policy here's a walkthrough
Lee W, MVPTechnology and Business Process AdvisorCommented:
You'd need to set the screen saver to 15 minutes and require it to be password protected.
Hello Tacobell2000 =)

>> How do i force a lock
You mean Logoff... ?? If Yes then read this :)

Q:  How can I auto logoff or automatically log a user out of Windows after a period of inactivity?

A:  This can be done in Windows 2000 / XP / .NET using Group Policy. Control Panel, Administrative Tools > local security policy > local policies \ security options \ "Automatically log off users" and/or "Amount of idle time required before disconnecting session"

ref >>
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

These settings mentioned are all good, but I think what you're after is this setting:

User Settings ->  Administrative Templates -> System ->  Power Management

Prompt for Password on Resume from hibernate / suspend

Basically this will make it so that when your hard disks spin down and spin back up again your computer will be in the "locked" state, requiring user credentials.

This needs to be combined with the power management setting on the local computer that determines the time interval in which the computer will turn off its hard disk.

I would use this in conjunction with the screensaver method mentioned above, only instead of using winexit.scr, use some other standard screen saver, and make it use the password protect option.  These options are available here

User Settings ->  Administrative Templates -> Control Panel -> Display

You need Executable Name  and Timeout to set the screensaver and time delay.

In conjunction with my method, your users will have to put their passwords in when the screen saver kicks in, or if the hard disks turn off after their idle period expires.  Covers all the bases.
You've had the essence of this question answered in your other question

"how to force a lock after a period of inactivity on 2000 server DC"

With the slight difference here that you apply the changes to the Default Policy, not to one created for the Domain Controllers.

If you're being picky by saying only "workstations running XP and 2000" and you have a mixed network of Win9x/NT4/2000/XP computers, then you'll need to create a new global policy in the same was as described in the other article, but with a Security Deny apply global policy rule for a new Active Directory group "Excluded From Lock" and add all the domain computers that run NT/Win9x to it, along with any others you don't want the policy to affect.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Right-Click Desktop, Properties, Screensaver Tab, Check Password Protect, Adjust Time to suit.

since it is a Domain, you'll have to set it in the group policy like this

Administrative Templates
--> Control Panel
   --> Display
         Screen Saver timeout: xx seconds

Also throw these into the mix.
Hide Screen Saver tab: Enabled
Screen Saver: Enabled
Screen Saver Executable name: Enabled - scrnsave.scr
Password protect the screen saver: Enabled

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.