Solved

Set Screensaver without GPO?

Posted on 2010-11-11
Last Modified: 2012-05-10
I have about 500 machines that I support and I need to set the screensaver duration to the corporate standard. The problem here is that the use of GPO from the AD level will never be an option for us(not my choice, just the way it is.) What are my options?

The local computer policy works very nicely but I have not found a way to script that. I read about creating your own security policy, but everything I've read seems to suggest that it can only be done at the machine level, but the screensaver settings are at the user level. The only other option I can think of that might work is the registry. The problem with that is that screensaver settings are stored in the current user hive so I will miss machines if no users are logged in.

All these machines are Windows XP and I have a utility like psexec to run any automation method on all the machines. I plan to have this run nightly to enforce the settings. I would appreciate any suggestions you might have.
0
Question by:notta3d
9 Comments
 
LVL 11

Expert Comment

by:slemmesmi
ID: 34118426
Dear notta3d,

you can script (e.g. in login script) changes/definition of the screen saver.
The values for the screen saver are in the registry in the hive HKCU\Control Panel\Desktop, and you can find similar values under HK_USERS\.DEFAULT\
So by setting the screen saver up under your account, you can see which settings have to be matched.

You can find many resources on the Internet, e.g.:
http://www.fixregistry.com/regtricks/screensaver.htm

Kind regards,
Soren
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34120414
I'm sorry, but PSExec will not target the CurrentUser reg hives of the remote users. Any commands would target the account you launched PSExec under (e.g. your own...)

Could contain something simple like

REM Hides the Screensaver tab
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t reg_dword /d 0x1 /f
REM Enables the screensaver
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveActive" /d 1 /f
REM Requires a password on unlock
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaverIsSecure" /d 1 /f
REM Timeout in seconds (/f added so the command does not prompt when the value already exists)
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveTimeOut" /d 900 /f
REM Which screensaver to run
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "SCRNSAVE.EXE" /d "C:\Path\To\Screensaver.scr" /f

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34120472
By the way, that's where GPO sets them..... The spot above is where the user sets them.... Might wanna do both just in case....
0

 
LVL 1

Author Comment

by:notta3d
ID: 34159462
Thanks for the replies guys. Both are great posts and very useful. You're right, psexec is not going to allow me to get to CURRENT_USER. What I'm going to have to do is loop through HKEY_USERS and set the values there. I'm also not going to be able to use HKEY_CURRENT_USER\Software\Policies\ because this disables the option for them to make changes. I have to let them be able to make changes, but I still want to force them to have the lockout duration in the range that we specify.

I've run into a snag. I'm able to set the screensaver and enable the ScreenSaveIsSecure, but when I set the duration in the registry it does not change in the Windows Screen Saver property window. If I set the value in the Screen Saver window it makes the changes in the registry, but not vice versa. Have you guys seen this? Is there a way around it?

By the way when I say I'm going to use HKEY_USERS I mean HKEY_USERS\UserSID\Control Panel\Desktop.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34161760
I think it might not show until next logon? May be off a tad.....

Also....

HKEY_USERS\UserSID\Control Panel\Desktop is going to technically get the Remote PC's Current User, as the only hives loaded there are ones that are interactively logged on to the PC, or via a Run As/Secondary Session....

As long as you don't use "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t reg_dword /d 0x1", they should still be able to set the SS......

Honestly, I think you're better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....
0
 
LVL 1

Author Comment

by:notta3d
ID: 34161861
Yea John, I've tested this pretty heavily today and you're right that it won't update until the user's next login. The problem is that a fair amount of our users stay logged in for months at a time.

I did find somewhat of a solution on the Autoit forums using an API call:

DllCall("user32.dll", "int", "SystemParametersInfo", "int", 15, "int", 300 , "int", 0, "int", 2)


This piece of code changes the screensaver time to the interval specified and changes it immediately. I don't know much about API calls, but it's strange in that I can't find out what changes it makes to the system. I created before and after snapshots of the system and diffed the two only to come back with no differences. All the main reg keys that we talked about in this thread are different values than what was set by the above API call. The call seems to only be temporary because when I log out and log back in it switches the screensaver timeout to what is set in the registry.

I could use a combination of both. When the script runs it checks HKEY_USERS for the screensaver values and if it's not right it sets the value to the acceptable range. Then I call the API to set the value immediately. Going to test this tomorrow at work.

Can you explain this a little more?

Honestly, I think you're better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....

0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
ID: 34161939
You're talking about hitting HKEY_Users\Sid, right? That's only gonna hit the current user on the box, as not all profiles are loaded under HKEY_Users at any given time. If you have a simple login script (without a GPO to manage), you can use psexec to run the copy command against all the systems' All Users startup.....

Sounds like the method above is similar to the "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters" method, to update certain parts of the profile.....
0
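
An added example, not code from any poster in this thread: one way to enforce the timeout range in HKEY_USERS while also covering profiles whose hives are not loaded, by mounting each profile's NTUSER.DAT temporarily. It assumes PowerShell is installed on the machines and the script runs as a local administrator; `$MaxTimeout`, the `TempHive` mount name and the `Set-ScreenSaverValues` helper are hypothetical names chosen for the example.

```powershell
# Added example: enforce screensaver values in every local profile's hive.
$MaxTimeout  = 900         # seconds; assumed upper bound of the allowed range
$TempMount   = 'TempHive'  # hypothetical mount name under HKEY_USERS
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Set-ScreenSaverValues([string]$HiveRoot) {
    # $HiveRoot is a provider path such as 'Registry::HKEY_USERS\<SID>'
    $key = "$HiveRoot\Control Panel\Desktop"
    if (-not (Test-Path $key)) { return }
    $current = (Get-ItemProperty $key).ScreenSaveTimeOut
    $seconds = 0
    # Missing, non-numeric, zero or too-long timeouts are all out of range.
    if (-not [int]::TryParse([string]$current, [ref]$seconds) -or
        $seconds -le 0 -or $seconds -gt $MaxTimeout) {
        Set-ItemProperty $key -Name ScreenSaveTimeOut -Value ([string]$MaxTimeout)
    }
    # Values are written as strings (REG_SZ), as reg add does without /t.
    Set-ItemProperty $key -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty $key -Name ScreenSaverIsSecure -Value '1'
}

foreach ($p in Get-ChildItem $ProfileList) {
    $sid = $p.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { continue }   # skip system/service accounts
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # Hive already loaded: the user is logged on or has a Run As session.
        Set-ScreenSaverValues "Registry::HKEY_USERS\$sid"
        continue
    }
    # Profile not loaded: mount its NTUSER.DAT, patch it, unmount it.
    $dir = [Environment]::ExpandEnvironmentVariables(
               (Get-ItemProperty $p.PSPath).ProfileImagePath)
    $dat = Join-Path $dir 'NTUSER.DAT'
    if (-not (Test-Path $dat)) { continue }
    & reg.exe load "HKU\$TempMount" $dat | Out-Null
    if ($LASTEXITCODE -ne 0) { continue }           # hive locked or unreadable
    try {
        Set-ScreenSaverValues "Registry::HKEY_USERS\$TempMount"
    } finally {
        [GC]::Collect()                             # drop open registry handles
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$TempMount" | Out-Null
    }
}
```

As reported earlier in the thread, a session that is already logged on keeps its current timeout until the next logon, so this only fixes what the registry will apply at that point.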
 
LVL 59

Expert Comment

by:LeeTutor
ID: 34636535
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Question has a verified solution.