Solved

Set Screensaver without GPO?

Posted on 2010-11-11
Last Modified: 2012-05-10
I have about 500 machines that I support and I need to set the screensaver duration to the corporate standard. The problem here is that the use of GPO from the AD level will never be an option for us (not my choice, just the way it is). What are my options?

The local computer policy works very nicely but I have not found a way to script that. I read about creating your own security policy, but everything I've read seems to suggest that it can only be done at the machine level, but the screensaver settings are at the user level. The only other option I can think of that might work is the registry. The problem with that is that screensaver settings are stored in the current user hive so I will miss machines if no users are logged in.

All these machines are Windows XP and I have a utility like psexec to run any automation method on all the machines. I plan to have this run nightly to enforce the settings. I would appreciate any suggestions you might have.
Question by:notta3d
9 Comments
 
LVL 11

Expert Comment

by:slemmesmi
Dear notta3d,

you can script (e.g. in a login script) changes to/definition of the screen saver.
The values for the screen saver are in the registry in the hive HKCU\Control Panel\Desktop, and you can find similar ones under HK_USERS\.DEFAULT\
So by setting the screen saver up under your account, you can see which settings have to be matched.

You can find many resources on the Internet, e.g.:
http://www.fixregistry.com/regtricks/screensaver.htm

Kind regards,
Soren
0
 
LVL 66

Expert Comment

by:johnb6767
I'm sorry, but PSExec will not target the CurrentUser reg hives of the remote users. Any commands would target the account you launched PSExec under (e.g. your own...)

Could contain something simple like

REM Hides the Screensaver tab
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t REG_DWORD /d 0x1 /f
REM Enables the screensaver
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveActive" /d 1 /f
REM Requires a password on unlock
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaverIsSecure" /d 1 /f
REM Timeout in seconds
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveTimeOut" /d 900 /f
REM Which screensaver to run
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "SCRNSAVE.EXE" /d "C:\Path\To\Screensaver.scr" /f

0
 
LVL 66

Expert Comment

by:johnb6767
By the way, that's where GPO sets them..... The spot above is where the user sets them.... Might wanna do both just in case....
0
 
LVL 1

Author Comment

by:notta3d
Thanks for the replies guys. Both are great posts and very useful. You're right, psexec is not going to allow me to get to CURRENT_USER. What I'm going to have to do is loop through HKEY_USERS and set the values there. I'm also not going to be able to use HKEY_CURRENT_USER\Software\Policies\ because this disables the option for them to make changes. I have to let them be able to make changes, but I still want to enforce them to have the lockout duration in the range that we specify.

I've run into a snag. I'm able to set the screensaver and enable the ScreenSaverIsSecure, but when I set the duration in the registry it does not change in the Windows Screen Saver property window. If I set the value in the Screen Saver window it makes the changes in the registry, but not vice versa. Have you guys seen this? Is there a way around it?

By the way when I say I'm going to use HKEY_USERS I mean HKEY_USERS\UserSID\Control Panel\Desktop.
0
 
LVL 66

Expert Comment

by:johnb6767
I think it might not show until next logon? May be off a tad.....

Also....

HKEY_USERS\UserSID\Control Panel\Desktop is going to technically get the Remote PC's Current User, as the only hives loaded there are ones that are interactively logged on to the PC, or via a Run As/Secondary Session....

As long as you don't use "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t reg_dword /d 0x1", they should still be able to set the SS......

Honestly, I think you're better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....
0
 
LVL 1

Author Comment

by:notta3d
Yea John, I've tested this pretty heavily today and you're right that it won't update until the user's next login. The problem is that a fair amount of our users stay logged in for months at a time.

I did find somewhat of a solution on the Autoit forums using an API call:

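; 15 = SPI_SETSCREENSAVETIMEOUT, 300 = timeout in seconds, 2 = SPIF_SENDCHANGE
; (SPIF_UPDATEINIFILE, value 1, is not set, so the value is not written to the user profile)
DllCall("user32.dll", "int", "SystemParametersInfo", "int", 15, "int", 300, "int", 0, "int", 2)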


This piece of code changes the screensaver time to the interval specified and changes it immediately. I don't know much about API calls, but it's strange in that I can't find out what changes it makes to the system. I created before and after snapshots of the system and diffed the two only to come back with no differences. All the main reg keys that we talked about in this thread are different values than what was set by the above API call. The call seems to only be temporary because when I log out and log back in it switches the screensaver timeout to what is set in the registry.

I could use a combination of both. When the script runs it checks HKEY_USERS for the screensaver values and if it's not right it sets the value to the acceptable range. Then I call the API to set the value immediately. Going to test this tomorrow at work.

Can you explain this a little more?

Honestly, I think you're better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....

0
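The registry half of the plan described in the post above (check each loaded hive under HKEY_USERS and pull the timeout back into range), as an added PowerShell example that is not part of the original thread. The 900-second cap and the screensaver path are the placeholder values from the reg add script earlier in the thread; it assumes PowerShell 2.0 or later is installed on the machines and that the script runs elevated.

```powershell
# Added example, not from the thread: enforce a screensaver lock for every
# user hive currently loaded under HKEY_USERS, without using the Policies key
# (so users can still pick their own screensaver and a shorter timeout).
$MaxTimeout  = 900                            # assumed corporate maximum, in seconds
$FallbackScr = 'C:\Path\To\Screensaver.scr'   # placeholder path, as used earlier in the thread

# HKEY_USERS has no default PowerShell drive, so address it via the provider path.
$root = 'Registry::HKEY_USERS'

Get-ChildItem $root | Where-Object {
    # Real user accounts only: skips .DEFAULT, service SIDs and the *_Classes hives.
    $_.PSChildName -match '^S-1-5-21-[\d-]+$'
} | ForEach-Object {
    $sid  = $_.PSChildName
    $desk = "$root\$sid\Control Panel\Desktop"
    if (-not (Test-Path $desk)) { return }    # acts as "continue" inside ForEach-Object

    $props   = Get-ItemProperty -Path $desk
    $current = 0
    # ScreenSaveTimeOut is stored as a string; a missing or non-numeric value stays 0.
    [void][int]::TryParse([string]$props.ScreenSaveTimeOut, [ref]$current)

    # Shorter timeouts are left alone; missing, zero or too-long values are capped.
    if ($current -le 0 -or $current -gt $MaxTimeout) {
        Set-ItemProperty -Path $desk -Name 'ScreenSaveTimeOut' -Value ([string]$MaxTimeout)
        Write-Output "$sid : timeout $current -> $MaxTimeout"
    }

    # A timeout does nothing unless a screensaver is selected and enabled.
    if (-not $props.'SCRNSAVE.EXE') {
        Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE' -Value $FallbackScr
    }
    Set-ItemProperty -Path $desk -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $desk -Name 'ScreenSaverIsSecure' -Value '1'
}
```

As the thread notes, this only reaches the hives of users who are logged on at the time, and an already running session does not pick up the registry values until the next logon.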
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
You're talking about hitting HKEY_Users\Sid, right? That's only gonna hit the current user on the box, as not all profiles are loaded under HKEY_Users at any given time. If you have a simple login script (without a GPO to manage), you can use psexec to run the copy command against all the systems' All Users startup.....

Sounds like the method above is similar to the "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters" method, to update certain parts of the profile.....
0
 
LVL 59

Expert Comment

by:LeeTutor
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
