Windows 10 Lock Screen Inactivity Limit

Last Modified: 2020-02-22
Dear Experts,

My Domain Controller is a Windows Server 2012 Standard.
My Clients are mixed workstations of Win 7 Pro and Win 10 Pro since we are currently upgrading all clients to Win 10 Pro.

The upgraded Win 10 users were complaining that the computer will auto-lock in a short period of time (about 20 minutes).
On the other hand, the existing Win 7 clients are not affected by the auto-lock issue.
If you leave the Win 7 client unlocked it will remain unlocked.
Same applies to Windows Server 2012 Domain Controller.

In addition please be advised that nothing was initially changed from Domain's Group Policy.
Once the Win 10 Client joined the Domain it would automatically receive this 20 minutes auto-lock.

I searched the internet to locate the correct group policy in order to increase the auto-lock from 20 minutes to 60 minutes.

I found an article indicating the setting "Interactive logon: Machine Inactivity Limit".
In order to test the setting, I entered 30 seconds and I confirmed that the Windows 10 would now lock from 20 minutes to about 40 seconds.
Following that, I changed the setting again from 30 seconds to 3600 seconds (1 hour), but unfortunately the auto-lock remains at 40 seconds.

Screenshot
I have tried with no luck to:
- gpupdate /force domain controller
- reboot domain controller
- disable "Interactive logon: Machine Inactivity Limit" setting
- reboot Win 10 client

Under Group Policy Objects of the Domain Controller I have two options 1) Default Domain Controllers Policy and 2) Default Domain Policy, which was the one that I changed the "Interactive logon: Machine Inactivity Limit" value.
Should I change it under "Default Domain Controllers Policy" or both?

Are the above the correct settings/steps for globally increasing the auto-lock feature?

What should I do next?

Orkun Nalbantoglu, IT System specialist

Commented:
Did you gpupdate /force?

Author

Commented:
Dear Orkun Nalbantoglu,

As I already mentioned, both Domain Controller and Client were gpupdated and rebooted, but the results are currently 40 sec and the relevant policy is disabled from the Domain Controller.

Author

Commented:
I eventually created a separate policy for the "Interactive logon: Machine Inactivity Limit". I also added Screen Saver deny policies as per below screenshot.
On top of that, I "Linked Enforced" subject policy (to avoid blocking it from parent policies)

Screenshot
It seems to work, but I will monitor it over the following hours.

Does anybody know why it was not accepted under the Default Domain Policy?
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
One should never modify the default domain policy nor the default domain controller policy. I always make a new policy like you have done that has the changes.

Commented:
Asked regularly.
Most often, in my opinion, answered by modifying the power settings for the screen. If the screen turns off after 40 seconds, the password will be asked for to wake it up, as well.

Commented:
You are reflecting computer settings, the screen saver, power management and personal user settings have to be verified.
20 minutes these days is the screen off power setting.
As others pointed out if you have a login required to resume.

Depending on your field, leaving a system unlocked is unwise.
You are sacrificing security, integrity of data for user convenience.

Author

Commented:
Dear All,

Thank you for your comments.

It is true that although I have created the above Group Policy, the clients would eventually lock after about 15 minutes.

All clients, under Power Settings, have a default “screen off” value at 15 minutes.

I increased this value to 1 hour.

BUT I do not understand how-and-if the Group policy is affecting the lock period.

During testing I set under Group Policy (in order to test that I am on the correct setting) the lock out period to 30 seconds and indeed the clients would lock after 30 seconds although the screen off setting on the clients was 15 minutes.
So, in this test Group Policy won.

After increasing the value on the Group Policy to 3600 seconds, clients were ignoring this setting and they were using the local “screen off” value of 15 minutes.
So in this test Group Policy was ignored and the local computer setting won.

Currently I have the Group Policy setting at 3600 sec and the clients' screen off setting at 1 hour, and it seems to be working.

Q1) Do I actually need to have this Group Policy or should I delete it?

Q2) Is it normal that the Group Policy was not ignored when the value was lower than the local screen off setting, but when it was higher the local screen off setting was applied?

Commented:
Both settings lock the screen, there is no hierarchy, nobody is winning, but whatever comes first, counts.
As easy as that.

So screen off after 15 mins will lock the screen after 15 mins unless the inactivity limit is less than 15 mins.
Commented:
Why do you need an hour of idle time as the duration to keep the system from locking?
The setting "require credentials to unlock screen saver" is why.

The GPO was not ignored, it did not kick in since the screen was already off.
Here is the issue, the reason for a screen saver, and screen off.
Screen saver is to limit screen burn-in, especially when you have bright white windows. With newer TFT screens with LED backlights, it is a bit less compared to older fluorescent tubes.

IMHO, 10-20 minutes to activate screen saver, 15-30 minutes for the screen off.

You can use GPO to manage both screen saver and require password as well as set up the performance, power settings.
Often the power settings are vendor set, preset.

Author

Commented:
Thank you both for your responses.

If I remember well, the screen saver and required password on wake up are turned to off.
Thus the client will switch directly to Windows lock screen and the screen saver will not mediate.

From both replies I also understand that for the screen time out setting there is hierarchy between GPO and Local Client Settings.

In view of the above I could either set a GPO for the screen time out and delete the current GPO setting or simply adjust this setting on each client separately.

Commented:
Certain settings are part of the default domain policy.

Use gpmc on the server to generate results, run it against the workstation and user.
You can then look through the details to see what setting comes from where.
Note screen saver settings can be computer wide as well as individualized for users.

The lock ...

Author

Commented:
Thank you for your time and comments.
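
The two points made in the replies above ("whatever comes first, counts" and "see what setting comes from where") can be checked directly on a client. The following is an added example, not part of the original thread: it reads the machine inactivity limit, the display-off timeout and the secure screen saver timeout, sorts them, and then writes a Resultant Set of Policy report with `gpresult` (used here as the client-side counterpart of the GPMC results the reply mentions). It assumes English-language `powercfg` output and that display-off leads to a lock only when sign-in is required on wake, as the replies describe.

```powershell
# Added example (not from the thread). Run on the Windows 10 client as the affected user.
# Assumes English-language powercfg output. All timers are reported in seconds.

# "Interactive logon: Machine inactivity limit" is stored here; missing or 0 = no limit.
$sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = (Get-ItemProperty $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

# Display-off timeout of the active power plan, on AC and on battery (DC); 0 = never.
$video = @{}
foreach ($line in (powercfg /query SCHEME_CURRENT SUB_VIDEO VIDEOIDLE)) {
    if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9a-fA-F]+)') {
        $video[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
    }
}

# Screen saver values: a value set by GPO (Policies key) overrides the user's own value.
$ssKeys = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
          'HKCU:\Control Panel\Desktop'
function Get-SsValue($name) {
    foreach ($key in $ssKeys) {
        $v = (Get-ItemProperty $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) { return $v }
    }
}
# Only a password-protected ("secure") screen saver locks the session.
$ss = 0
if ((Get-SsValue ScreenSaveActive) -eq '1' -and (Get-SsValue ScreenSaverIsSecure) -eq '1') {
    $ss = [int](Get-SsValue ScreenSaveTimeOut)
}

# Keep only timers that are enabled (> 0) and sort so the earliest is first.
$timers = @(@(
    [pscustomobject]@{ Source = 'Machine inactivity limit (GPO)'; Seconds = [int]$limit }
    [pscustomobject]@{ Source = 'Display off (AC)';               Seconds = [int]$video['AC'] }
    [pscustomobject]@{ Source = 'Display off (DC)';               Seconds = [int]$video['DC'] }
    [pscustomobject]@{ Source = 'Secure screen saver';            Seconds = $ss }
) | Where-Object { $_.Seconds -gt 0 } | Sort-Object Seconds)

$timers | Format-Table -AutoSize
if ($timers.Count -gt 0) {
    "First to fire: $($timers[0].Source) after $($timers[0].Seconds) s"
} else {
    'No idle timer is configured: this client never locks on its own.'
}

# RSoP report: shows which GPO delivers each setting (computer section needs elevation).
gpresult /h "$env:TEMP\rsop-report.html" /f
```

Raising the inactivity limit alone changes nothing if another timer in the table is shorter, and an empty table means the workstation stays unlocked indefinitely, which is worth catching before it reaches production clients.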