Group policy screensaver timeout not working on PC's

Our default domain group policy has the screensaver timeout set to 900 seconds (15 minutes).  We just installed a new software package and it requires a timeout of 15 minutes or it won't run - it wasn't running so we started to investigate.  We found that the local machine policy in the registry had the timeout set for 30 minutes so we changed that as well to 15 minutes.  The software package works for a day or two and then the timeout value changes back to 30 minutes so the package stops working.  I don't know what is changing it - shouldn't the domain group policy override everything?  Any ideas??
cindyfillerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

zalazarCommented:
A group policy should indeed override the local policy.
Can you confirm that you have set not only the "Screen Saver Timeout" but also the "Enable screen Saver" and "Force specific screen saver".
Otherwise please do this:

User\Administrative Templates\Control Panel\Personalization      
Enable screen Saver      Enabled
Force specific screen saver      C:\Windows\System32\scrnsave.scr
Screen Saver Timeout      900 seconds

Optional:
Password Protect the Screensaver      Enabled
0
cindyfillerAuthor Commented:
Yea - it is.  I've attached a print key of the settings
C--Users-csf-Desktop-screen-saver.jpg
0
McKnifeCommented:
Start rsop.msc at the client and see what policy is being applied.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

cindyfillerAuthor Commented:
I'm glad you suggested the rsop.msc.  When I ran that I found it was set to 1800 seconds.  Someone else had originally set up our group policies so I was looking at how it was set up.  Under the default domain policy security filtering it is set to authenticated users.  All of our users are in one OU so I'm guessing I should add that OU to the policy?
0
McKnifeCommented:
Sure.
0
cindyfillerAuthor Commented:
So I'm a bit confused.  Parts of the policy do work - for example the password length and complexity rules work just fine.  But the screen timeout doesn't.  

From reading it looks like the authenticated users should include all of our users, so all parts of the policy work??  Am I missing something?
0
zalazarCommented:
If it seems that parts of the policy work then probably the whole policy is applied.
You probably alread checked if there are other GPO's that are also applied to the computer that do also contain the screensaver timeout value. As the "Default Domain Policy" is lowest in order other GPO's can override

Since this is a user policy it can also have something to do with the user group policy loopback processing mode.
Can you try to apply the following policy just for one test computer, to see if it this helps:
Computer\Administrative Templates\System\Group Policy      
User Group Policy loopback processing mode      Enabled, Replace

This is the help text for this setting:
Help/
This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

"Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.
/Help
0
McKnifeCommented:
"Parts of the policy do work - for example the password length and complexity rules work just fine." - wait, what are you talking about, the domain password policy? That's a computer policy, while the screen saver policy is a user policy. If you have these setting in one policy, then in order to apply, it will need to be linked to an OU with both users and computers or to the domain head.

I bet it's a very simple problem. Please clarify your setup.
0
cindyfillerAuthor Commented:
You are correct - there are both user and computer policies in the one default policy and it is not linked to an OU.  I didn't set this up and assumed it was correct.  I'll link it to the proper OU and test it again.
0
McKnifeCommented:
Are you talking about the default domain policy? That one is linked t the domain head and therefore is effective in anytime anywhere unless you configure other policies to override it. So it means that it will b eeffective.
It would be best if you uploaded a screenshot of rsop with the settings in question.
0
cindyfillerAuthor Commented:
I finally found the issue using rsop as you suggested.  There was another very old policy that had a time out value and that was what was being used.  I removed the filtering on it and set to NO for both enforced and link enabled.  I did a gpupdate /force.  So far my pc isn't showing the new setting, but I assume it will shortly.
0
cindyfillerAuthor Commented:
I'm still not seeing the screen time out when I do rsop.  I've read that some options don't display when doing rsop so I did a gpresult.  It shows the policy was updated an hour ago, but also doesn't display the screen time out.  But if I look at the default domain policy in group policy management I do see the time out value is set for 900 seconds (15 minutes).  And our OU with all of our user accounts is linked to this policy.

All I'm trying to do right now is verify this has been changed.
0
McKnifeCommented:
Cindy, it is not too hard to find out :)
gpresult can show you what policy has applied and if there are competing policies, which one has won.
use the command
gpresult /h %temp%\result1.html
Afterwards, upload %temp%\result1.html and we can look at it together.
0
cindyfillerAuthor Commented:
I thought I had submitted the file yesterday, but I don't see it.  Maybe I'm blind, but I'm still not seeing that setting...
C--Users-csf-Desktop-result1.html
0
McKnifeCommented:
The result file shows that user you used to start gpresult does not receive ANY policies. So retry with a user that does. Or is maybe the user config section of the GPO simply set to disabled?
0
cindyfillerAuthor Commented:
That's why I'm so confused.  If I go to my default domain policy and show all settings it displays as enabled and the screen saver is set to 900 seconds.  I've attached a copy - couldn't get the report to print expanded from group policy management so did a print key.  And all users are in the OU that is linked to this default policy.

One way around this would be to go back to that old policy that I disabled and change that value, but I'd really like to understand why this isn't working.
C--Users-csf-Desktop-user-settings.docx
0
McKnifeCommented:
OK. Rightclick DefDomPol and select "properties" and then navigate to the security tab. Make sure that the group "authenticated users" has the permission to read and to apply that policy.
0
cindyfillerAuthor Commented:
I've replied several times and the comments seem to disappear.  Hope this time it sticks.

I did check the security tab and authenticated users had the right to read and update the policy.  I added write even though it shouldn't be necessary.  

I had disabled the other policy that was originally giving me the wrong value, so tried to re-enable that.  I did it this morning and that one is still not showing up either - whether I do the rsop or the gpresult.  I've been testing it all afternoon and so far I get nothing for users config.
0
McKnifeCommented:
"authenticated users had the right to read and update the policy" - wait, "update"? You mean "apply"?
"I added write even though it shouldn't be necessary" - oh no, undo that at once, it is terribly dangerous to enable users to write to policies, your whole domain could get owned.
0
cindyfillerAuthor Commented:
Yes - apply the policy.  And I did remove the write...  Still can't figure out why nothing is showing in the user config.
0
McKnifeCommented:
It would stay empty if that user is either a local user or access to the policy folder is denied. Test to access that policy files manually with that very user.
0
cindyfillerAuthor Commented:
This morning, the user config is working.  The enable screen saver is coming from the default domain while the actual timeout value is coming from that old policy.  I still don't understand why the default domain timeout value never worked, but something is working and I'm good with that.  

I've learned a lot and thank you again for your assistance.  It was very, very appreciated and I'm sure more time consuming than you ever thought.
0
McKnifeCommented:
Fine!
0
cindyfillerAuthor Commented:
Super help - provided continual assistance
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.