Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389
  • Last Modified:

Windows 7 not locking after set period of time even though set in Server 2003 GPO

We have an SBS 2003 domain. I have a GPO that is called 'lockup'. In it, the following user configuration options have been set:-

Screen Saver - Enabled
Screen Saver Executable - %windir%\system32\rundll32.exe user32.dll,LockWorkStation
Password Protect on resume - Enabled
Screen Saver Timeout - 300

This GPO is set at the domain level, and is limited to the MYDOMAIN\Lockup group only.

I have a Windows 7 notebook on the domain with the primary user as a member of the MYDOMAIN\Lockup group, but the laptop does NOT lock after 5 minutes as I would hope.

I have run RSoP against his account on his machine, and I can see that the settings of my policy 'appear' to be in effect, but it just doesn't work.

The policy is enforced, and no other policies are overriding these settings.

Any ideas please?
Chris Millard
Chris Millard
1 Solution
Brad GrouxSenior Manager (Wintel Engineering)Commented:
Verify that the BIOS levels on the machine in question are up to date.

Also, insure that even though the GPO is enforced, do a gpupdate /force from the command line and then a gpresults to insure it is being applied.

If it is being applied, then verify that the registry setting is being changed in the registry.

1. Open regedit
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- If System key doesn't exist, create it
3. Verify and/or create a DWORD 32-bit value and name it to DisableLockWorkstation
4. Edit DisableLockWorkstation and enter 0 for Value data:
Chris MillardAuthor Commented:
Hi Brad,  

I can't check the BIOS until Monday, but the other things you mentioned have already been done.

Hypercat (Deb)Commented:
Not all settings in the Windows 2003 version of group policies will work with Windows 7.  Windows 7 uses a newer version of group policies.  If you're going to have more Windows 7 machines on your domain with a Windows 2003 server, you'll want to set your Windows 7 policies locally on one Windows 7 machine and then upload the Windows\PolicyDefinitions folder from that machine to your server. Then you would need to manage them from the GPMC installed on a Windows 7 workstation, not the server.  If you're just going to have this one Windows 7 machine on the domain, set the policy locally on that machine.
We recently had a machine with the same behaviour. All other machines abided by the policy, just this one wouldnt. Ultimately I found that the idle timer on this computer was never incrementing past 0.  I used an idle time viewer similar tohttp://www.daanav.com/free-idle-timer-utility-for-windows/ .  Turns out the driver for our mouse was not installed and was causing the idle timer issue.
Chris MillardAuthor Commented:
Updating the BIOS has resolved this issue. I don't claim to understand why though!

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now