Group policy screensaver timeout not working on PC's

Our default domain group policy has the screensaver timeout set to 900 seconds (15 minutes).  We just installed a new software package and it requires a timeout of 15 minutes or it won't run - it wasn't running so we started to investigate.  We found that the local machine policy in the registry had the timeout set for 30 minutes so we changed that as well to 15 minutes.  The software package works for a day or two and then the timeout value changes back to 30 minutes so the package stops working.  I don't know what is changing it - shouldn't the domain group policy override everything?  Any ideas??
cindyfillerDirector of ITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A group policy should indeed override the local policy.
Can you confirm that you have set not only the "Screen Saver Timeout" but also the "Enable screen Saver" and "Force specific screen saver".
Otherwise please do this:

User\Administrative Templates\Control Panel\Personalization      
Enable screen Saver      Enabled
Force specific screen saver      C:\Windows\System32\scrnsave.scr
Screen Saver Timeout      900 seconds

Password Protect the Screensaver      Enabled
cindyfillerDirector of ITAuthor Commented:
Yea - it is.  I've attached a print key of the settings
Start rsop.msc at the client and see what policy is being applied.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

cindyfillerDirector of ITAuthor Commented:
I'm glad you suggested the rsop.msc.  When I ran that I found it was set to 1800 seconds.  Someone else had originally set up our group policies so I was looking at how it was set up.  Under the default domain policy security filtering it is set to authenticated users.  All of our users are in one OU so I'm guessing I should add that OU to the policy?
cindyfillerDirector of ITAuthor Commented:
So I'm a bit confused.  Parts of the policy do work - for example the password length and complexity rules work just fine.  But the screen timeout doesn't.  

From reading it looks like the authenticated users should include all of our users, so all parts of the policy work??  Am I missing something?
If it seems that parts of the policy work then probably the whole policy is applied.
You probably alread checked if there are other GPO's that are also applied to the computer that do also contain the screensaver timeout value. As the "Default Domain Policy" is lowest in order other GPO's can override

Since this is a user policy it can also have something to do with the user group policy loopback processing mode.
Can you try to apply the following policy just for one test computer, to see if it this helps:
Computer\Administrative Templates\System\Group Policy      
User Group Policy loopback processing mode      Enabled, Replace

This is the help text for this setting:
This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

"Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.
"Parts of the policy do work - for example the password length and complexity rules work just fine." - wait, what are you talking about, the domain password policy? That's a computer policy, while the screen saver policy is a user policy. If you have these setting in one policy, then in order to apply, it will need to be linked to an OU with both users and computers or to the domain head.

I bet it's a very simple problem. Please clarify your setup.
cindyfillerDirector of ITAuthor Commented:
You are correct - there are both user and computer policies in the one default policy and it is not linked to an OU.  I didn't set this up and assumed it was correct.  I'll link it to the proper OU and test it again.
Are you talking about the default domain policy? That one is linked t the domain head and therefore is effective in anytime anywhere unless you configure other policies to override it. So it means that it will b eeffective.
It would be best if you uploaded a screenshot of rsop with the settings in question.
cindyfillerDirector of ITAuthor Commented:
I finally found the issue using rsop as you suggested.  There was another very old policy that had a time out value and that was what was being used.  I removed the filtering on it and set to NO for both enforced and link enabled.  I did a gpupdate /force.  So far my pc isn't showing the new setting, but I assume it will shortly.
cindyfillerDirector of ITAuthor Commented:
I'm still not seeing the screen time out when I do rsop.  I've read that some options don't display when doing rsop so I did a gpresult.  It shows the policy was updated an hour ago, but also doesn't display the screen time out.  But if I look at the default domain policy in group policy management I do see the time out value is set for 900 seconds (15 minutes).  And our OU with all of our user accounts is linked to this policy.

All I'm trying to do right now is verify this has been changed.
Cindy, it is not too hard to find out :)
gpresult can show you what policy has applied and if there are competing policies, which one has won.
use the command
gpresult /h %temp%\result1.html
Afterwards, upload %temp%\result1.html and we can look at it together.
cindyfillerDirector of ITAuthor Commented:
I thought I had submitted the file yesterday, but I don't see it.  Maybe I'm blind, but I'm still not seeing that setting...
The result file shows that user you used to start gpresult does not receive ANY policies. So retry with a user that does. Or is maybe the user config section of the GPO simply set to disabled?
cindyfillerDirector of ITAuthor Commented:
That's why I'm so confused.  If I go to my default domain policy and show all settings it displays as enabled and the screen saver is set to 900 seconds.  I've attached a copy - couldn't get the report to print expanded from group policy management so did a print key.  And all users are in the OU that is linked to this default policy.

One way around this would be to go back to that old policy that I disabled and change that value, but I'd really like to understand why this isn't working.
OK. Rightclick DefDomPol and select "properties" and then navigate to the security tab. Make sure that the group "authenticated users" has the permission to read and to apply that policy.
cindyfillerDirector of ITAuthor Commented:
I've replied several times and the comments seem to disappear.  Hope this time it sticks.

I did check the security tab and authenticated users had the right to read and update the policy.  I added write even though it shouldn't be necessary.  

I had disabled the other policy that was originally giving me the wrong value, so tried to re-enable that.  I did it this morning and that one is still not showing up either - whether I do the rsop or the gpresult.  I've been testing it all afternoon and so far I get nothing for users config.
"authenticated users had the right to read and update the policy" - wait, "update"? You mean "apply"?
"I added write even though it shouldn't be necessary" - oh no, undo that at once, it is terribly dangerous to enable users to write to policies, your whole domain could get owned.
cindyfillerDirector of ITAuthor Commented:
Yes - apply the policy.  And I did remove the write...  Still can't figure out why nothing is showing in the user config.
It would stay empty if that user is either a local user or access to the policy folder is denied. Test to access that policy files manually with that very user.
cindyfillerDirector of ITAuthor Commented:
This morning, the user config is working.  The enable screen saver is coming from the default domain while the actual timeout value is coming from that old policy.  I still don't understand why the default domain timeout value never worked, but something is working and I'm good with that.  

I've learned a lot and thank you again for your assistance.  It was very, very appreciated and I'm sure more time consuming than you ever thought.
cindyfillerDirector of ITAuthor Commented:
Super help - provided continual assistance
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.