Link to home
Start Free TrialLog in
Avatar of cindyfiller
cindyfillerFlag for United States of America

asked on

Group policy screensaver timeout not working on PC's

Our default domain group policy has the screensaver timeout set to 900 seconds (15 minutes).  We just installed a new software package and it requires a timeout of 15 minutes or it won't run - it wasn't running so we started to investigate.  We found that the local machine policy in the registry had the timeout set for 30 minutes so we changed that as well to 15 minutes.  The software package works for a day or two and then the timeout value changes back to 30 minutes so the package stops working.  I don't know what is changing it - shouldn't the domain group policy override everything?  Any ideas??
Avatar of zalazar
zalazar

A group policy should indeed override the local policy.
Can you confirm that you have set not only the "Screen Saver Timeout" but also the "Enable screen Saver" and "Force specific screen saver".
Otherwise please do this:

User\Administrative Templates\Control Panel\Personalization      
Enable screen Saver      Enabled
Force specific screen saver      C:\Windows\System32\scrnsave.scr
Screen Saver Timeout      900 seconds

Optional:
Password Protect the Screensaver      Enabled
Avatar of cindyfiller

ASKER

Yea - it is.  I've attached a print key of the settings
C--Users-csf-Desktop-screen-saver.jpg
ASKER CERTIFIED SOLUTION
Avatar of McKnife
McKnife
Flag of Germany image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I'm glad you suggested the rsop.msc.  When I ran that I found it was set to 1800 seconds.  Someone else had originally set up our group policies so I was looking at how it was set up.  Under the default domain policy security filtering it is set to authenticated users.  All of our users are in one OU so I'm guessing I should add that OU to the policy?
Sure.
So I'm a bit confused.  Parts of the policy do work - for example the password length and complexity rules work just fine.  But the screen timeout doesn't.  

From reading it looks like the authenticated users should include all of our users, so all parts of the policy work??  Am I missing something?
If it seems that parts of the policy work then probably the whole policy is applied.
You probably alread checked if there are other GPO's that are also applied to the computer that do also contain the screensaver timeout value. As the "Default Domain Policy" is lowest in order other GPO's can override

Since this is a user policy it can also have something to do with the user group policy loopback processing mode.
Can you try to apply the following policy just for one test computer, to see if it this helps:
Computer\Administrative Templates\System\Group Policy      
User Group Policy loopback processing mode      Enabled, Replace

This is the help text for this setting:
Help/
This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

"Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.
/Help
"Parts of the policy do work - for example the password length and complexity rules work just fine." - wait, what are you talking about, the domain password policy? That's a computer policy, while the screen saver policy is a user policy. If you have these setting in one policy, then in order to apply, it will need to be linked to an OU with both users and computers or to the domain head.

I bet it's a very simple problem. Please clarify your setup.
You are correct - there are both user and computer policies in the one default policy and it is not linked to an OU.  I didn't set this up and assumed it was correct.  I'll link it to the proper OU and test it again.
Are you talking about the default domain policy? That one is linked t the domain head and therefore is effective in anytime anywhere unless you configure other policies to override it. So it means that it will b eeffective.
It would be best if you uploaded a screenshot of rsop with the settings in question.
I finally found the issue using rsop as you suggested.  There was another very old policy that had a time out value and that was what was being used.  I removed the filtering on it and set to NO for both enforced and link enabled.  I did a gpupdate /force.  So far my pc isn't showing the new setting, but I assume it will shortly.
I'm still not seeing the screen time out when I do rsop.  I've read that some options don't display when doing rsop so I did a gpresult.  It shows the policy was updated an hour ago, but also doesn't display the screen time out.  But if I look at the default domain policy in group policy management I do see the time out value is set for 900 seconds (15 minutes).  And our OU with all of our user accounts is linked to this policy.

All I'm trying to do right now is verify this has been changed.
Cindy, it is not too hard to find out :)
gpresult can show you what policy has applied and if there are competing policies, which one has won.
use the command
gpresult /h %temp%\result1.html
Afterwards, upload %temp%\result1.html and we can look at it together.
I thought I had submitted the file yesterday, but I don't see it.  Maybe I'm blind, but I'm still not seeing that setting...
C--Users-csf-Desktop-result1.html
The result file shows that user you used to start gpresult does not receive ANY policies. So retry with a user that does. Or is maybe the user config section of the GPO simply set to disabled?
That's why I'm so confused.  If I go to my default domain policy and show all settings it displays as enabled and the screen saver is set to 900 seconds.  I've attached a copy - couldn't get the report to print expanded from group policy management so did a print key.  And all users are in the OU that is linked to this default policy.

One way around this would be to go back to that old policy that I disabled and change that value, but I'd really like to understand why this isn't working.
C--Users-csf-Desktop-user-settings.docx
OK. Rightclick DefDomPol and select "properties" and then navigate to the security tab. Make sure that the group "authenticated users" has the permission to read and to apply that policy.
I've replied several times and the comments seem to disappear.  Hope this time it sticks.

I did check the security tab and authenticated users had the right to read and update the policy.  I added write even though it shouldn't be necessary.  

I had disabled the other policy that was originally giving me the wrong value, so tried to re-enable that.  I did it this morning and that one is still not showing up either - whether I do the rsop or the gpresult.  I've been testing it all afternoon and so far I get nothing for users config.
"authenticated users had the right to read and update the policy" - wait, "update"? You mean "apply"?
"I added write even though it shouldn't be necessary" - oh no, undo that at once, it is terribly dangerous to enable users to write to policies, your whole domain could get owned.
Yes - apply the policy.  And I did remove the write...  Still can't figure out why nothing is showing in the user config.
It would stay empty if that user is either a local user or access to the policy folder is denied. Test to access that policy files manually with that very user.
This morning, the user config is working.  The enable screen saver is coming from the default domain while the actual timeout value is coming from that old policy.  I still don't understand why the default domain timeout value never worked, but something is working and I'm good with that.  

I've learned a lot and thank you again for your assistance.  It was very, very appreciated and I'm sure more time consuming than you ever thought.
Fine!
Super help - provided continual assistance