Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Set Screensaver without GPO?

Posted on 2010-11-11
9
Medium Priority
?
662 Views
Last Modified: 2012-05-10
I have about 500 machines that I support and I need to set the screensaver duration to the corporate standard. The problem here is that the use of GPO from the AD level will never be an option for us(not my choice, just the way it is.) What are my options?

The local computer policy works very nicely but I have not found a way to script that. I read about creating your own security policy, but everything I've read seems to suggest that it can only be done at the machine level, but the screensaver settings are at the user level. The only other option I can think of that might work is the registry. The problem with that is that screensaver settings are stored in the current user hive so I will miss machines if no users are logged in.

All these machines are Windows XP and I have a utility like psexec to run any automation method on all the machines. I plan to have this run nightly to enforce the settings. I would appreciate any suggestions you might have.
0
Comment
Question by:notta3d
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 11

Expert Comment

by:slemmesmi
ID: 34118426
Dear notta3d,

you can script (e.g. in login script) changes/definition of the screen saver.
The values for the screen saver in registry in the hive HKCU\Control Panel\Desktop and you can find the similar under the HK_USERS\.DEFAULT\
So by setting the screen saver up under your account, you can see which settings have to be matched.

You can find many resources on the Internet, e.g.:
http://www.fixregistry.com/regtricks/screensaver.htm

Kind regards,
Soren
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34120414
I"m sorry, but PSExec will not targe the CurrentUser reg hives of the remote users.  Any commands would target the account you launched PSExec under, eg your own...)

Could contain something simple like

REM Hides the Screensaver Tab....
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t reg_dword /d 0x1 /f
REM Its Active
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveActive" /d 1 /f
REM Requires a password on unlock
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaverIsSecure" /d 1 /f
REM out in seconds
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveTimeOut" /d 900
REM Which Screensaver....
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "SCRNSAVE.EXE" /d "C:\Path\To\Screensaver.scr" /f

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34120472
By the way, thats where GPO sets them..... The spot above is where the user sets them.... Might wanna do both just in case....
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 1

Author Comment

by:notta3d
ID: 34159462
Thanks for the replies guys. Both are great posts and very useful.You're right psexec is not going to allow me to get to CURRENT_USER. What I'm going to have to do is loop through HKEY_USERS and set the values there. I'm also not going to be able to use HKEY_CURRENT_USER\Software\Policies\ because this disables the option for them to make changes. I have to let them to be able to make changes, but I still want to enforce them to have the lockout duration in the range that we specify.

I've run into a snag. I'm able to set the screensaver and enable the ScreenSaveIsSecure, but when I set the duration in the registry it does not change in the Windows Screen Saver property window. If I set value in the Screen Saver windows it makes the changes in the registry, but not vica versa. Have you guys seen this? Is there a way around it?

By the way when I say I'm going to use HKEY_USERS I mean HKEY_USERS\UserSID\Control Panel\Desktop.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34161760
I think it might not show until next logon? may ber off a tad.....

Also....

HKEY_USERS\UserSID\Control Panel\Desktop is going to technically get the Remote PC's Current User, as the only hives loaded there are ones that are interactively logged on to teh PC, or via a Run As/Secondary Session....

As long as you dont use "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t reg_dword /d 0x1", they should still be able to set the SS......

Honestly, I think youre better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....
0
 
LVL 1

Author Comment

by:notta3d
ID: 34161861
Yea John I've tested this pretty heavily today and you're right that it won't update until the users next login. The problem is that a fair amount of our users stay logged in for months at a time.

I did find somewhat of a solution on the Autoit forums using an API call:

DllCall("user32.dll", "int", "SystemParametersInfo", "int", 15, "int", 300 , "int", 0, "int", 2)

Open in new window


This piece of code changes the screensaver time to the interval specified and changes it immediately. I don't know much about API calls, but it's strange in that I can't find out what changes it makes to the system. I created before and after snapshots of the system and diffed the two only to come back with no differences. All the main reg keys that we talked about in this thread are different values then what was set by the above API call. The call seems to only be temporary because when I log out and log back in it switches the screensaver timeout to what is set in the registry.

I could use a combination of both. When the script runs it checks HKEY_USERS for the screensaver values and if it's not right it sets the value to the acceptable range. Then I call the API to set the value immediately. Going to test this tomorrow at work.

Can you explain this a little more?

Honestly, I think youre better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....

0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 2000 total points
ID: 34161939
Youre talking about hitting HKEY_Users\Sid, right? Thats only gonna hit teh current user on teh box, as not all profiles are loaded under HKEY_Users at any given time. If you have a simple login script (without a GPO to manage, you can use psexec to run the copy command against all the systems's All Users startup.....

Sounds like the method above is similar to the "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters" method, to update certain parts of the profile.....
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 34636535
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question