Asked by mamelas

Windows 10 Lock Screen Inactivity Limit

Dear Experts,

My Domain Controller is a Windows Server 2012 Standard.
My Clients are mixed workstations of Win 7 Pro and Win 10 Pro since we are currently upgrading all clients to Win 10 Pro.

The upgraded Win 10 users were complaining that the computer will auto-lock in a short period of time (about 20 minutes).
On the other hand, the existing Win 7 clients are not affected by the auto-lock issue.
If you leave the Win 7 client unlocked it will remain unlocked.
Same applies to Windows Server 2012 Domain Controller.

In addition please be advised that nothing was initially changed from Domain's Group Policy.
Once the Win 10 Client joined the Domain it would automatically receive this 20 minutes auto-lock.

I searched the internet to locate the correct group policy in order to increase the auto-lock from 20 minutes to 60 minutes.

I found an article indicating the setting "Interactive logon: Machine Inactivity Limit".
In order to test the setting, I entered 30 seconds and I confirmed that the Windows 10 would now lock from 20 minutes to about 40 seconds.
Following that, I changed the setting again from 30 seconds to 3600 seconds (1 hour) but unfortunately the auto-lock remains at 40 seconds.

I have tried with no luck to:
- gpupdate /force domain controller
- reboot domain controller
- disable "Interactive logon: Machine Inactivity Limit" setting
- reboot Win 10 client

Under Group Policy Objects of the Domain Controller I have two options 1) Default Domain Controllers Policy and 2) Default Domain Policy, which was the one that I changed the "Interactive logon: Machine Inactivity Limit" value.
Should I change it under "Default Domain Controllers Policy" or both?

Are the above the correct settings/steps for globally increasing the auto-lock feature?

What should I do next?

Last Comment: 8/22/2022 - Mon
Orkun Nalbantoglu

Did you gpupdate /force ?

Dear Orkun Nalbantoglu,

As I already mentioned both Domain Controller and Client were gpupdated and rebooted but the results are currently 40sec and the relevant policy is disabled from the Domain Controller.

I eventually created a separate policy for the "Interactive logon: Machine Inactivity Limit". I also added Screen Saver deny policies as per below screenshot.
On top of that, I "Linked Enforced" the subject policy (to avoid blocking it from parent policies).

It seems to work but I will monitor it the following hours.

Does anybody know why it was not accepted under the Default Domain Policy?
David Johnson, CD

One should never modify the default domain policy nor the default domain controller policy. I always make a new policy like you have done that has the changes.

Asked regularly.
Most often, in my opinion, answered by modifying the power settings for the screen. If the screen turns off after 40 seconds, the password will be asked for to wake it up, as well.

You are reflecting computer settings, the screen saver, power management and personal user settings have to be verified.
20 minutes these days is the screen off power setting.
As others pointed out if you have a login required to resume.

Depending on your field, leaving a system unlocked is unwise.
You are sacrificing security, integrity of data for user convenience.

Dear All,

Thank you for your comments.

It is true that although I have created the above Group Policy, the clients would eventually lock after about 15 minutes.

All clients, under Power Settings, have a default “screen off” value of 15 minutes.

I increased this value to 1 hour.

BUT I do not understand how-and-if the Group policy is affecting the lock period.

During testing I set under Group Policy (in order to test that I am on the correct setting) the lock out period to 30 seconds and indeed the clients would lock after 30 seconds although the screen off setting on the clients was 15 minutes.
So, in this test Group Policy won.

After increasing the value on the Group Policy to 3600 seconds, clients were ignoring this setting and they were using the local “screen off” value of 15 minutes.
So in this test Group Policy was ignored and the local computer setting won.

Currently I have the Group Policy setting to 3600sec and the clients screen off setting to 1 hour and seems to be working.

Q1) Do I actually need to have this Group Policy or should I delete it?

Q2) Is it normal that the Group Policy was not ignored when the value was lower than the local screen off setting but when it was higher the local screen off setting was applied?

Both settings lock the screen, there is no hierarchy, nobody is winning, but whatever comes first, counts.
As easy as that.

So screen off after 15 mins will lock the screen after 15 mins unless the inactivity limit is less than 15 mins.
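
The "whatever comes first" rule from the answer above, as an added PowerShell check for a Windows 10 client (an illustration, not part of the original thread). It assumes English-language `powercfg` output and a machine on AC power; the variable names are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows 10 client.
# All timers are reported in seconds.

# "Interactive logon: Machine inactivity limit" (computer policy); 0 or missing = not set.
$sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

# "Turn off the display" for the active power plan on AC power; 0 = never.
# Assumption: English powercfg output ("Current AC Power Setting Index: 0x...").
$video = powercfg /query SCHEME_CURRENT SUB_VIDEO VIDEOIDLE |
    Select-String 'Current AC Power Setting Index:\s+0x([0-9a-fA-F]+)'
$screenOff = if ($video) { [Convert]::ToInt32($video.Matches[0].Groups[1].Value, 16) } else { 0 }

# Screen saver timeout set by user policy, counted only when it is password protected.
$desk  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss    = Get-ItemProperty -Path $desk -ErrorAction SilentlyContinue
$saver = if ($ss.ScreenSaverIsSecure -eq '1') { [int]$ss.ScreenSaveTimeOut } else { 0 }

$timers = [ordered]@{
    'Machine inactivity limit (GPO)' = [int]$limit
    'Screen off (power plan, AC)'    = $screenOff
    'Secure screen saver (user GPO)' = $saver
}

# Timers set to 0 never fire; of the rest, the shortest one is reached first.
$active = $timers.GetEnumerator() | Where-Object { $_.Value -gt 0 } | Sort-Object Value
$active | ForEach-Object { '{0,-32} {1,6} s' -f $_.Key, $_.Value }
if ($active) {
    $first = @($active)[0]
    "First to fire: $($first.Key) after $($first.Value) seconds"
} else {
    'No inactivity timer is configured.'
}

# Resultant Set of Policy for the computer: shows which GPO delivered each setting.
gpresult /scope computer /h "$env:TEMP\gpresult-computer.html" /f
```

Raising only one of these values leaves the next-shortest timer in charge, which matches the 3600-second policy giving way to the 15-minute screen-off setting described in the question.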


Thank you both for your responses.

If I remember well, the screen saver and required password on wake up are turned to off.
Thus the client will switch directly to Windows lock screen and the screen saver will not mediate.

From both replies I also understand that for the screen time out setting there is hierarchy between GPO and Local Client Settings.

In the view of the above I could either set a GPO for the screen time out and delete the current GPO setting or simply adjust this setting on each client separately.

Certain settings are part of the default domain policy.

Use gpmc on the server to generate results, run it against the workstation and user.
You can then look through the details to see what setting comes from where.
Note screen saver settings can be computer wide as well as individualized for users.

The lock ...

Thank you for your time and comments.