Group Policy for AD 2003

Can someone help me with setting a group policy for a domain using Active Directory for 2003?  I would like to set a group policy that forces all systems connected to the domain to log out and force a log on if the system is inactive for more than 10 minutes.
mounty95 Asked:
 
msmamji Commented:
Create a new GPO and link it to your domain.
Then edit the GPO and make the following changes. There are four settings that will get your task done.
I have mentioned the setting name and the appropriate value to select or write, and have also copied the explanation as it appears in the GPO for your understanding.


User Configuration\Administrative Templates\Control Panel\Display      

Password protect the screen saver    : Enabled
Determines whether screen savers used on the computer are password protected.  If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.  This setting also disables the Password protected check box on the Screen Saver tab in Display in Control Panel, preventing users from changing the password protection setting.  If you do not configure this setting, users can choose whether or not to set password protection on each screen saver.  To ensure that a computer will be password protected, also enable the Screen Saver setting and specify a timeout via the Screen Saver timeout setting.  Note: To remove the Screen Saver tab, use the Hide Screen Saver tab setting.

Screen Saver                                     : Enabled
Enables desktop screen savers.  If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver tab in Display in Control Panel. As a result, users cannot change the screen saver options.  If you do not configure it, this setting has no effect on the system.  If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screensaver on the client is specified through the Screensaver executable name setting or through Control Panel on the client computer. Second, the screensaver timeout is set to a nonzero value through the setting or Control Panel.  Also, see the Hide Screen Saver tab setting.
                                     
Screen Saver executable name        :  Windows XP
(A valid screen saver name. A word of caution: do not mix up the screen saver's executable name with the screen saver file with the .scr file extension. A valid name is "Windows XP" for the screen saver file logon.scr present in Windows XP in the windows\system32 folder. If you want to be sure what the executable name is for a .scr file, double-click the file and see what name appears in the Screen Saver tab. If for some reason you don't configure this right, your setting will still take effect, but instead of running a screen saver the machines will directly show the locked-out screen.)

Specifies the screen saver for the user's desktop.  If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers on the Screen Saver tab in Display in Control Panel, which prevents users from changing the screen saver.  If you disable this setting or do not configure it, users can select any screen saver.  If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file.  If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.  Note: This setting can be superseded by the Screen Saver setting.  If  the Screen Saver setting is disabled, this setting is ignored, and screen savers do not run.
 
Screen Saver timeout         :  600
(this setting is in seconds)
Specifies how much user idle time must elapse before the screen saver is launched.  When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.  This setting has no effect under any of the following circumstances:
- The setting is disabled or not configured.
- The wait time is set to zero.
- The No screen saver setting is enabled.
- Neither the Screen saver executable name setting nor the Screen Saver tab of the client computer's Display Properties dialog box specifies a valid existing screensaver program on the client.
When not configured, whatever wait time is set on the client through the Screen Saver tab of the Display Properties dialog box is used. The default is 15 minutes.


Regards,
Shahid
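
A way to confirm on a client that the four settings above actually reached the user, as an added example that is not part of the original answer. It assumes PowerShell is available on the client; the key and value names are the ones the Control Panel\Display policy settings write under the current user's Policies hive, and the sample values are constructed.

```powershell
# Added example: audit the screen saver lock policy for the logged-on user.
# The four Control Panel\Display settings are stored as strings under this key.
$PolicyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxIdleSeconds = 600   # 10 minutes, the timeout used in the answer above

function Test-ScreenLockPolicy {
    param([hashtable]$Values, [int]$MaxIdle = 600)
    $findings = @()
    if ($Values['ScreenSaveActive'] -ne '1') {
        $findings += 'Screen Saver is not enabled by policy'
    }
    if ($Values['ScreenSaverIsSecure'] -ne '1') {
        $findings += 'Password protection is not enforced by policy'
    }
    $timeout = 0
    [void][int]::TryParse([string]$Values['ScreenSaveTimeOut'], [ref]$timeout)
    if ($timeout -le 0) {
        $findings += 'Timeout is missing or zero, so the screen saver never starts'
    } elseif ($timeout -gt $MaxIdle) {
        $findings += "Timeout is $timeout s, longer than the required $MaxIdle s"
    }
    if ([string]::IsNullOrEmpty($Values['SCRNSAVE.EXE'])) {
        $findings += 'No screen saver executable is set by policy'
    }
    return ,$findings   # leading comma keeps an empty result as an array
}

function Get-ScreenLockPolicyValues {
    param([string]$Key)
    $values = @{}
    $props  = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($n in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE') {
            $p = $props.PSObject.Properties[$n]
            if ($p) { $values[$n] = $p.Value }
        }
    }
    return $values
}

# Constructed sample: policy applied, but with a 15-minute timeout.
$sample = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'
             ScreenSaveTimeOut = '900'; 'SCRNSAVE.EXE' = 'logon.scr' }
Test-ScreenLockPolicy -Values $sample -MaxIdle $MaxIdleSeconds

# Live check: run as the affected user after gpupdate /force and a fresh logon.
$issues = Test-ScreenLockPolicy -Values (Get-ScreenLockPolicyValues -Key $PolicyKey) -MaxIdle $MaxIdleSeconds
if ($issues.Count -eq 0) { 'Screen lock policy is applied as intended' } else { $issues }
```

An empty key on the live check means the GPO did not apply to that user at all, which points at linking or security filtering rather than at the individual settings.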
 
Mike Kline Commented:
There is no native way to do this using group policy.

You can try using steady state which has its own template.  Take a look at this question that MVP Laura Hunter helped with a few years ago

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22815237.html

From the steady state PDF that was talked about in that thread

" By adding the SCTSettings.adm template into these tools, you gain
access to account restrictions and settings that are appropriate for user accounts
on shared computers.

The SCTSettings.adm Group Policy template included with
Windows SteadyState also includes the capability to set idle and mandatory
logoff timers, if Windows SteadyState is installed on your computers."

I haven't used this adm in production but seems like it could do what you want.

Thanks

Mike
 
msmamji Commented:
It seems you are referring to password-protected screen saver settings, where a machine that is idle for more than a specified time gets locked and you need to input the password of the person currently logged on. Is this what you want?

Regards,
Shahid
 
mounty95 (Author) Commented:
Yes a password protected screen saver would work if it can be implemented through group policy in AD.
 
Mike Kline Commented:
Ok the screensaver is doable (won't log them out though)

http://technet.microsoft.com/en-us/library/cc938799.aspx

It is a user-based policy: User Configuration\Administrative Templates\Control Panel\Display
Thanks

Mike
 
mounty95 (Author) Commented:
How do I change the enabled/disabled state to disabled till I am ready to implement this change?
 
mounty95 (Author) Commented:
Can a GPO be applied to a specific user in 2003, even if it is different from a GPO applied to the "forest"?
 
Mike Kline Commented:
Just create the group policy and don't link it.  Right click on Group Policy Objects (in GPMC) and select new.

I'd create a test OU (if you don't have a lab) and put a few users there and first test the policy out to get a feel for it before implementing it for every user.

Thanks

Mike
 
mounty95 (Author) Commented:
I have some policies that are NOT linked and active, so this won't turn it off and on.
 
Mike Kline Commented:
You can set the settings to disabled on the GPO.

To apply to a specific set of users you can use security filtering

http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html

There is no forest-linked policy though, only local, site, domain, and OU.

Thanks

Mike
 
mounty95 (Author) Commented:
Thank you both for your help.  I greatly appreciate it.