Discussion:
ScreenSaver timeout problem via GPO
scott7
2008-01-07 21:19:02 UTC
I have about 4 laptops at my company with special needs. I need the screen
saver to be totally disabled on these 4. They are used for PowerPoint and
special assignments and the screen needs to stay on and never lock. Let me
give you some facts about these laptops so you know the situation.

1. The laptops are joined to a 2003 domain and live in various OUs.
2. There is a GPO at the domain level that activates a screen saver at 15
minutes and requires a password to get back in. This is set in user
configuration, administrative templates, control panel, display, then screen
saver enabled, screen saver password enabled, and timeout enabled 900
seconds. This policy is not enforced so if a lower OU blocks inheritance it
will not run.
3. None of the OUs these laptops live in block inheritance so the domain
policy to enable the screen saver will run.

I tried to create a security group in active directory and a new GPO (using
security filtering to only the new group) with a loopback policy (I’ve tried
replace & merge) changing these screen saver settings. The new GPO was put
at the domain level. It is set up to disable the screen saver under user
configuration. I had to take out authenticated users and put in only the new
group (security filter) so it would not run on the entire domain. I tried to
place the PCs in the group and the GPO won’t run at all. If I put a user in
the group the new GPO will run, but only if I put it in order to run after
the other GPO that turns on the screen saver. With this said I turned off
loopback processing and it would still run if in the correct order. So
making a GPO with loopback in the domain does not seem to work. I have run
gpresult and saw the PCs are in the security group, but the new GPO is not
listed as running. If the user is in the group it runs in the order I set in
GPM for the domain.

Since the first method did not work I decided to try something else. Since
we only have 4 laptops I decided to try and set a local GP on the laptop
itself using loopback processing. I found one of the laptops and logged in
as a local admin. Then I did the start, run, and typed gpedit.msc. I set
the computer configuration, administrative templates, system, group policy
area to use loopback. We want to use merge so domain and OU policies get
combined with my new screen saver policy. On the local laptop I set the
screen saver policy to disabled in the user configuration area. I still had
no luck. I tried loopback with replace and merge, but the domain screen
saver policy still won causing the screen saver to activate at 15 minutes
with a lock.

One more test I tried was to put the laptop in an OU that had blocking
inheritance set up. Since the domain policy for the screen saver activation
and lock was not enforced my laptop local policy worked fine. When in the
blocked OU the domain policy never ran and the laptop used my local policy to
disable the screen saver.

I have searched the web and everything I read about loopback sounds like
what I’m doing should work. Especially when I set the policy on the local PC
I thought the loopback makes my screen saver setting to disable run last and
win.
Jorge Silva
2008-01-07 21:32:24 UTC
Hi
When you run rsop.msc can you confirm that the user & computer are getting
the correct GPOs?
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
Marcin
2008-01-08 02:27:40 UTC
As per http://support.microsoft.com/kb/231287, you cannot filter the user
settings that are applied by denying or removing the AGP and Read rights
from the computer object specified for the loopback policy.

hth
Marcin
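
The rule quoted from KB 231287, applied to the two-GPO setup scott7 describes, as an added sketch that is not part of the thread or Microsoft code. It is a simplified model: both GPOs are linked at the domain, local policy, Enforced and Block Inheritance are ignored, and the group name `NoLockLaptops`, the GPO names and all function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    link_order: int            # at one container, 1 = highest precedence
    apply_to: set              # groups holding Read + Apply Group Policy
    user_settings: dict = field(default_factory=dict)

def scoped(gpos, groups):
    """GPOs that pass security filtering, lowest precedence first."""
    passing = [g for g in gpos if g.apply_to & groups]
    return sorted(passing, key=lambda g: g.link_order, reverse=True)

def effective_user_settings(user_scope, computer_scope, user_groups, loopback=None):
    """Return {setting: (value, winning GPO)}; loopback is None, 'merge' or 'replace'."""
    user_list = scoped(user_scope, user_groups)
    # Modelled rule: the computer-scope list is also filtered by the USER's groups,
    # so putting only the computer in the filter group does not pull in user settings.
    comp_list = scoped(computer_scope, user_groups)
    modes = {None: user_list, "merge": user_list + comp_list, "replace": comp_list}
    result = {}
    for gpo in modes[loopback]:          # later GPOs overwrite earlier ones
        for setting, value in gpo.user_settings.items():
            result[setting] = (value, gpo.name)
    return result

def domain_gpos(exempt_link_order):
    """Constructed sample: lock GPO and exemption GPO, both linked at the domain."""
    lock = GPO("Domain screen saver", 2 if exempt_link_order == 1 else 1,
               {"Authenticated Users"},
               {"Screen Saver": "Enabled", "Screen Saver timeout": 900})
    exempt = GPO("Laptop exemption", exempt_link_order, {"NoLockLaptops"},
                 {"Screen Saver": "Disabled"})
    return [lock, exempt]

if __name__ == "__main__":
    plain_user = {"Authenticated Users"}
    member = {"Authenticated Users", "NoLockLaptops"}
    cases = [("only computers in group, merge", plain_user, 1, "merge"),
             ("user in group, exemption ordered to win", member, 1, None),
             ("user in group, exemption ordered to lose", member, 2, None)]
    for label, groups, link_order, mode in cases:
        gpos = domain_gpos(link_order)
        winner = effective_user_settings(gpos, gpos, groups, mode)["Screen Saver"]
        print(f"{label}: {winner}")
```

In this model the outcome for two GPOs linked at the same container depends on whether the user passes the security filter and on link order, not on the loopback mode.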
ToChuck123
2008-01-23 01:47:43 UTC
Hi scott7.

I have exactly the same sort of issue, and have had both myself and another
network person (including a security instructor), and while we all seem to
have come to the same conclusion that we need loopback processing to make
this sort of thing work, we haven't been able to get it to work.

I'm going to list what I have done (which seems almost the same as you
scott), and I hope that someone will point out the blundering error that we
are missing.

- Like you we have a subset of our machines that we don't want the
screensaver policy to run. Loopback processing seems like that is what it is
designed for.

- Like you, I have my users (and computers) organized into different OUs.

- Like you, I have a screensaver policy that is filtered by security groups.
But since those groups contain pretty much everyone, everyone gets the
screensaver policy.
Here are the settings:

Administrative Templates
  Control Panel/Display
    Policy                                 Setting
    Password protect the screen saver      Enabled
    Screen Saver                           Enabled
    Screen Saver executable name           Enabled
      Screen Saver executable name         scrnsave.scr

    Policy                                 Setting
    Screen Saver timeout                   Enabled
      Number of seconds to wait to enable the Screen Saver
      Seconds:                             900



- I made an "anti-screensaver" policy. For testing purposes, I filtered it
based on my work computer. It's not REALLY "anti-screensaver" right now cause
I'm just trying to make the loopback work and want to see a difference in the
screensavers. So I selected a different screensaver to use. Here are the
settings for that policy:

Administrative Templates
  System/Group Policy
    Policy                                        Setting
    User Group Policy loopback processing mode    Enabled
      Mode:                                       Merge


Administrative Templates
  Control Panel/Display
    Policy                                 Setting
    Password protect the screen saver      Disabled
    Screen Saver                           Enabled
    Screen Saver executable name           Enabled
      Screen Saver executable name         ssstars.scr

    Policy                                 Setting
    Screen Saver timeout                   Disabled


- When I run the modeling wizard, I use my active directory account and my
computer name, and set it to simulate loopback processing with merge (as it
is in the policy). It comes back and says that both policies are being
applied. However, it is the screen saver policy that is "winning". The
"anti" screen saver policy doesn't override it.

I would appreciate feedback from anyone who knows more about this than I do
(which is not loads), as we are desperate to get this to work.

Thanks in advance
Chuck
vikrant
2008-03-23 06:48:09 UTC
Give a try to the utility "Turn Off Monitor", which has a setting to keep the
system active.

http://www.rtsoftwares.com/Turn-Off-Monitor.htm

I hope that might be of some use.

Not sure, but you may be required to run the utility with admin rights.
dpark
2008-10-16 12:30:01 UTC
Try setting the new policy for the laptops as such:
Number of Seconds to wait to enable the Screen Saver = Enabled at 0 Seconds
Pam
2009-02-11 19:03:02 UTC
I'm not using the loopback, but was trying to implement the whole:

Administrative Templates
  Control Panel/Display
    Policy                                 Setting
    Password protect the screen saver      Enabled
    Screen Saver                           Enabled
    Screen Saver executable name           Enabled
      Screen Saver executable name         scrnsave.scr

    Policy                                 Setting
    Screen Saver timeout                   Enabled
      Number of seconds to wait to enable the Screen Saver
      Seconds:                             1200

The timeout would work, but the "password protect the screen saver" would
not.

I figured that I had

Administrative Templates
  System
    Ctrl+Alt+Del Options
      Lock Computer: was enabled

As soon as I un-enabled this the users started to receive the logon box to
get back in.
Pam
2009-02-11 19:06:05 UTC
Make sure that

Administrative Templates
  System
    Ctrl+Alt+Del Options
      Remove Lock Computer

is not enabled; it was stopping the login screen from displaying for users.
David.Elliott
2009-12-15 14:41:01 UTC
Scott7, did you ever get loopback to work or find out why it did not? I have
the exact same issue, but did not see a resolution on the forum.
--
David. Elliott