mamelas
asked on
Windows 10 Lock Screen Inactivity Limit
Dear Experts,
My Domain Controller is a Windows Server 2012 Standard.
My Clients are mixed workstations of Win 7 Pro and Win 10 Pro since we are currently upgrading all clients to Win 10 Pro.
The upgraded Win 10 users were complaining that the computer will auto-lock in short period of time (about 20 minutes).
From the other side the existing Win 7 clients are not affected from the auto-lock issue.
If you leave the Win 7 client unlocked it will remain unlocked.
Same applies to Windows Server 2012 Domain Controller.
In addition please be advised that nothing was initially changed from Domain's Group Policy.
Once the Win 10 Client joined the Domain it would automatically receive this 20 minutes auto-lock.
I searched the internet to locate the correct group policy in order to increase the auto-lock from 20minutes to 60minutes.
I found an article indicating the setting "Interactive logon: Machine Inactivity Limit".
In order to test the setting, I entered 30seconds and I confirmed that the Windows 10 would now lock from 20minutes to about 40seconds.
Following I changed again the setting from 30seconds to 3600seconds (1hour) but unfortunately the auto-lock remains at 40seconds.
I have tried with no luck to:
- gpupdate /force domain controller
- reboot domain controller
- disable "Interactive logon: Machine Inactivity Limit" setting
- reboot Win 10 client
Under Group Policy Objects of the Domain Controller I have two options 1) Default Domain Controllers Policy and 2) Default Domain Policy, which was the one that I changed the "Interactive logon: Machine Inactivity Limit" value.
Should I change it under "Default Domain Controllers Policy" or both?
Are the above the correct settings/steps for globally increasing the auto-lock feature?
What should I do next?
My Domain Controller is a Windows Server 2012 Standard.
My Clients are mixed workstations of Win 7 Pro and Win 10 Pro since we are currently upgrading all clients to Win 10 Pro.
The upgraded Win 10 users were complaining that the computer will auto-lock in short period of time (about 20 minutes).
From the other side the existing Win 7 clients are not affected from the auto-lock issue.
If you leave the Win 7 client unlocked it will remain unlocked.
Same applies to Windows Server 2012 Domain Controller.
In addition please be advised that nothing was initially changed from Domain's Group Policy.
Once the Win 10 Client joined the Domain it would automatically receive this 20 minutes auto-lock.
I searched the internet to locate the correct group policy in order to increase the auto-lock from 20minutes to 60minutes.
I found an article indicating the setting "Interactive logon: Machine Inactivity Limit".
In order to test the setting, I entered 30seconds and I confirmed that the Windows 10 would now lock from 20minutes to about 40seconds.
Following I changed again the setting from 30seconds to 3600seconds (1hour) but unfortunately the auto-lock remains at 40seconds.
I have tried with no luck to:
- gpupdate /force domain controller
- reboot domain controller
- disable "Interactive logon: Machine Inactivity Limit" setting
- reboot Win 10 client
Under Group Policy Objects of the Domain Controller I have two options 1) Default Domain Controllers Policy and 2) Default Domain Policy, which was the one that I changed the "Interactive logon: Machine Inactivity Limit" value.
Should I change it under "Default Domain Controllers Policy" or both?
Are the above the correct settings/steps for globally increasing the auto-lock feature?
What should I do next?
Did you gpupdate /force ?
ASKER
Dear Orkun Nalbantoglu,
As I already mentioned both Domain Controller and Client were gpupdated and rebooted but the results are currently 40sec and the relevant policy is disabled from the Domain Controller.
As I already mentioned both Domain Controller and Client were gpupdated and rebooted but the results are currently 40sec and the relevant policy is disabled from the Domain Controller.
ASKER
I eventually created a separate policy for the "Interactive logon: Machine Inactivity Limit". I also added Screen Saver deny policies as per below screenshot.
On top of that, I "Linked Enforced" subject policy (to avoid blocking it from parent policies)
It seems to work but I will monitor it the following hours.
Anybody knows why it was not accepted under the Default Domain Policy?
On top of that, I "Linked Enforced" subject policy (to avoid blocking it from parent policies)
It seems to work but I will monitor it the following hours.
Anybody knows why it was not accepted under the Default Domain Policy?
One should never modify the default domain policy nor the default domain controller policy. I always make a new policy liike you have done that has the changes.
Asked regularly.
Most often, in my opinion, answered by modifying the power settings for the screen. If the screen turns off after 40 seconds, the password will be asked for to wake it up, as well.
Most often, in my opinion, answered by modifying the power settings for the screen. If the screen turns off after 40 seconds, the password will be asked for to wake it up, as well.
You are reflecting computer settings, the screen saver, powermanagement and personal user settings have to be verified.
20 minutes these days is the screen off power setting.
As others pointed out if you have a login required to resume.
Depending on your field, leaving a system unlocked is unwise.
You are sacrificing sevurity, integrity if data for user convenience.
20 minutes these days is the screen off power setting.
As others pointed out if you have a login required to resume.
Depending on your field, leaving a system unlocked is unwise.
You are sacrificing sevurity, integrity if data for user convenience.
ASKER
Dear All,
Thank you for your comments.
It true that although I have created the above Group Policy, the clients would eventually lock after about 15minutes.
All clients, under Power Settings, have a default “screen off” value at 15minutes.
I increased this value to 1 hour.
BUT I do not understand how-and-if the Group policy is affecting the lock period.
During testing I set under Group Policy (in order to test that I am on the correct setting) the lock out period to 30seconds and indeed the clients would lock after 30seconds although the screen off setting on the clients was 15minutes.
So, in this test Group Policy won.
After increasing the value on the Group Policy
to 3600seconds, clients were ignoring this setting and they were using the local “screen off” value of 15minutes.
So in this test Group Policy was ignored and the local computer setting won.
Currently I have the Group Policy setting to 3600sec and the clients screen off setting to 1 hour and seems to be working.
Q1) Do I actually need to have this Group Policy or should I delete it?
Q2) Is it normal that the Group Policy was not ignored when the value was lower than the local screen off setting but when was higher the local screen off setting was applied?
Thank you for your comments.
It true that although I have created the above Group Policy, the clients would eventually lock after about 15minutes.
All clients, under Power Settings, have a default “screen off” value at 15minutes.
I increased this value to 1 hour.
BUT I do not understand how-and-if the Group policy is affecting the lock period.
During testing I set under Group Policy (in order to test that I am on the correct setting) the lock out period to 30seconds and indeed the clients would lock after 30seconds although the screen off setting on the clients was 15minutes.
So, in this test Group Policy won.
After increasing the value on the Group Policy
to 3600seconds, clients were ignoring this setting and they were using the local “screen off” value of 15minutes.
So in this test Group Policy was ignored and the local computer setting won.
Currently I have the Group Policy setting to 3600sec and the clients screen off setting to 1 hour and seems to be working.
Q1) Do I actually need to have this Group Policy or should I delete it?
Q2) Is it normal that the Group Policy was not ignored when the value was lower than the local screen off setting but when was higher the local screen off setting was applied?
Both settings lock the screen, there is no hierarchy, nobody is winning, but whatever comes first, counts.
As easy as that.
So screen off after 15 mins will lock the screen after 15 mins unless the inactivity limit is less than 15 mins.
As easy as that.
So screen off after 15 mins will lock the screen after 15 mins unless the inactivity limit is less than 15 mins.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Thank you both for your responses.
If I remember well, the screen saver and required password on wake up are turned to off.
Thus the client will switch directly to Windows lock screen and the screen saver will not mediate.
From both replies I also understand that for the screen time out setting there is hierarchy between GPO and Local Client Settings.
In the view of the above I could either set a GPO for the screen time out and delete the current GPO setting or simply adjust
this setting on each client separately.
If I remember well, the screen saver and required password on wake up are turned to off.
Thus the client will switch directly to Windows lock screen and the screen saver will not mediate.
From both replies I also understand that for the screen time out setting there is hierarchy between GPO and Local Client Settings.
In the view of the above I could either set a GPO for the screen time out and delete the current GPO setting or simply adjust
this setting on each client separately.
Certain settings are part of the default domain policy.
Use gpmc on the server to generate results, run it again the workstation and user
You can then look through the details to see what setting comes from where.
Note screen saver settings can be computer wide as well as individualized for users.
The lock ...
Use gpmc on the server to generate results, run it again the workstation and user
You can then look through the details to see what setting comes from where.
Note screen saver settings can be computer wide as well as individualized for users.
The lock ...
ASKER
Thank you for your time and comments.