?
Solved

Set Screensaver without GPO?

Posted on 2010-11-11
9
Medium Priority
?
656 Views
Last Modified: 2012-05-10
I have about 500 machines that I support and I need to set the screensaver duration to the corporate standard. The problem here is that the use of GPO from the AD level will never be an option for us(not my choice, just the way it is.) What are my options?

The local computer policy works very nicely but I have not found a way to script that. I read about creating your own security policy, but everything I've read seems to suggest that it can only be done at the machine level, but the screensaver settings are at the user level. The only other option I can think of that might work is the registry. The problem with that is that screensaver settings are stored in the current user hive so I will miss machines if no users are logged in.

All these machines are Windows XP and I have a utility like psexec to run any automation method on all the machines. I plan to have this run nightly to enforce the settings. I would appreciate any suggestions you might have.
0
Comment
Question by:notta3d
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 11

Expert Comment

by:slemmesmi
ID: 34118426
Dear notta3d,

you can script (e.g. in login script) changes/definition of the screen saver.
The values for the screen saver in registry in the hive HKCU\Control Panel\Desktop and you can find the similar under the HK_USERS\.DEFAULT\
So by setting the screen saver up under your account, you can see which settings have to be matched.

You can find many resources on the Internet, e.g.:
http://www.fixregistry.com/regtricks/screensaver.htm

Kind regards,
Soren
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34120414
I"m sorry, but PSExec will not targe the CurrentUser reg hives of the remote users.  Any commands would target the account you launched PSExec under, eg your own...)

Could contain something simple like

REM Hides the Screensaver Tab....
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t reg_dword /d 0x1 /f
REM Its Active
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveActive" /d 1 /f
REM Requires a password on unlock
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaverIsSecure" /d 1 /f
REM out in seconds
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "ScreenSaveTimeOut" /d 900
REM Which Screensaver....
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v "SCRNSAVE.EXE" /d "C:\Path\To\Screensaver.scr" /f

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34120472
By the way, thats where GPO sets them..... The spot above is where the user sets them.... Might wanna do both just in case....
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 1

Author Comment

by:notta3d
ID: 34159462
Thanks for the replies guys. Both are great posts and very useful.You're right psexec is not going to allow me to get to CURRENT_USER. What I'm going to have to do is loop through HKEY_USERS and set the values there. I'm also not going to be able to use HKEY_CURRENT_USER\Software\Policies\ because this disables the option for them to make changes. I have to let them to be able to make changes, but I still want to enforce them to have the lockout duration in the range that we specify.

I've run into a snag. I'm able to set the screensaver and enable the ScreenSaveIsSecure, but when I set the duration in the registry it does not change in the Windows Screen Saver property window. If I set value in the Screen Saver windows it makes the changes in the registry, but not vica versa. Have you guys seen this? Is there a way around it?

By the way when I say I'm going to use HKEY_USERS I mean HKEY_USERS\UserSID\Control Panel\Desktop.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34161760
I think it might not show until next logon? may ber off a tad.....

Also....

HKEY_USERS\UserSID\Control Panel\Desktop is going to technically get the Remote PC's Current User, as the only hives loaded there are ones that are interactively logged on to teh PC, or via a Run As/Secondary Session....

As long as you dont use "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispScrSavPage" /t reg_dword /d 0x1", they should still be able to set the SS......

Honestly, I think youre better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....
0
 
LVL 1

Author Comment

by:notta3d
ID: 34161861
Yea John I've tested this pretty heavily today and you're right that it won't update until the users next login. The problem is that a fair amount of our users stay logged in for months at a time.

I did find somewhat of a solution on the Autoit forums using an API call:

DllCall("user32.dll", "int", "SystemParametersInfo", "int", 15, "int", 300 , "int", 0, "int", 2)

Open in new window


This piece of code changes the screensaver time to the interval specified and changes it immediately. I don't know much about API calls, but it's strange in that I can't find out what changes it makes to the system. I created before and after snapshots of the system and diffed the two only to come back with no differences. All the main reg keys that we talked about in this thread are different values then what was set by the above API call. The call seems to only be temporary because when I log out and log back in it switches the screensaver timeout to what is set in the registry.

I could use a combination of both. When the script runs it checks HKEY_USERS for the screensaver values and if it's not right it sets the value to the acceptable range. Then I call the API to set the value immediately. Going to test this tomorrow at work.

Can you explain this a little more?

Honestly, I think youre better off using PSExec to push out a logon.bat file, with your changes, that will hit EVERY user.....

0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 2000 total points
ID: 34161939
Youre talking about hitting HKEY_Users\Sid, right? Thats only gonna hit teh current user on teh box, as not all profiles are loaded under HKEY_Users at any given time. If you have a simple login script (without a GPO to manage, you can use psexec to run the copy command against all the systems's All Users startup.....

Sounds like the method above is similar to the "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters" method, to update certain parts of the profile.....
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 34636535
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question