1

We're having a problem where a subset of PCs lock after 5 minutes, but the GPO for "Interactive logon: Machine inactivity limit" is set to 900 seconds (15 minutes). So far I've tried the following, but nothing has solved it:

Ran `gpresult /z > gpresult.txt`, searched through for any strings matching Sleep, Timeout or Inactivity, and any values matching "300" (5 minutes in seconds)

Put the Computer and User Object in an OU with no inheritance, ran gpupdate and removed the local GPO store from %systemroot%\System32\GroupPolicy\DataStore\0\SysVol\CompanyName.com

Set the following settings:

  • Computer Configuration > Policies > Administrative Templates > System > Power Management -> Sleep Settings
  • Specify the unattended sleep timeout (on battery) -> 0
  • Specify the unattended sleep timeout (plugged in) -> 0
  • Allow Applications to prevent Automatic sleep (on battery) -> Enabled
  • Allow Applications to prevent Automatic sleep (plugged in) -> Enabled

Creating a new Power Policy based on High Performance with a higher Sleep Timeout and Screen Lock.

Creating a new Policy

User Configuration/Administrative Templates/Control Panel/Personalization/

  • Enable screen saver - Enabled
  • Password protect the screen saver - Enabled
  • Screen saver timeout - Enabled, 900 seconds

Setting the Registry to Enable Unattended Sleep Timeout setting in registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\8EC4B3A5-6868-48c2-BE75-4F3044BE88A7
  • Attribute Value 2
  • Increase Unattended Sleep Timeout to 900+

I'm certain that, since putting the objects into an OU with inheritance denied doesn't fix it, it's either a Registry Setting, or a GPO setting which is not removed by removing the Policy itself from the object.

Plasma
  • Can you create a report from one of the computers by running `gpresult /h c:\report.html` as administrator and see what you can find in there? – Swisstone Feb 11 '21 at 17:58

2 Answers

0

Did you try checking the corresponding Event IDs?

IDs were posted here: https://stackoverflow.com/questions/11385164/eventviewer-eventid-for-lock-and-unlock

Maybe you can get more information about what exactly is happening from the event log entries.

(I am new here and can only "answer" and not "comment" - hope this is OK)

You can also temporarily move one workstation into an OU in AD where no GPO is applied, to check.

Dave
  • Hi, thanks for the pointer on the logs, I'll check it out. The Computer and User are already in an OU with no GPOs applied, which just makes it more problematic to troubleshoot. – Plasma Feb 10 '21 at 14:34
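
The checks discussed so far, as an added example that is not part of the original thread: a PowerShell script that reads the registry values behind the settings named in the question, flags any that equal the observed 300 seconds, and lists recent lock/unlock events as the answer above suggests. The registry locations for the inactivity limit and the screen saver settings, and event IDs 4800/4801, are not taken from the thread; they are the standard Windows locations and IDs as far as this example assumes.

```powershell
# Added example (not from the thread). Run elevated, in the affected user's session.
$Observed = 300   # seconds; the lock delay reported in the question

$checks = @(
    # "Interactive logon: Machine inactivity limit" (assumed standard location)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'InactivityTimeoutSecs' },
    # Screen saver settings written by the Personalization policy (assumed standard location)
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveActive' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaverIsSecure' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveTimeOut' },
    # Per-user screen saver preference, used when no policy value exists
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'ScreenSaveActive' },
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'ScreenSaverIsSecure' },
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'ScreenSaveTimeOut' },
    # Power setting key quoted in the question (Attributes = 2 makes it visible)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\8EC4B3A5-6868-48c2-BE75-4F3044BE88A7'; Name = 'Attributes' }
)

$report = foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    $shown = if ($null -eq $value) { '<not set>' } else { "$value" }
    [pscustomobject]@{
        Name            = $c.Name
        Value           = $shown
        MatchesObserved = ($null -ne $value) -and ("$value" -eq "$Observed")
        Path            = $c.Path
    }
}
$report | Format-Table -AutoSize -Wrap

# Current values in the active power plan for the subgroup from the question
# (values are printed in hexadecimal seconds; 0x12c = 300).
powercfg /query SCHEME_CURRENT 7516b95f-f776-4464-8c53-06167f40cc99

# Workstation locked (4800) / unlocked (4801). These are only logged when the
# "Audit Other Logon/Logoff Events" subcategory is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800, 4801 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id
```

A value that still reads 300 after the machine has been moved to an OU with no GPOs points at a setting that was left behind in the registry rather than one currently delivered by policy.
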
0

If you have mobile windows configured, you're likely pulling in policies that are causing the issue. We had a user that accidentally signed into Windows Mail and the machine was locking up regardless of settings.

collin
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/501756) – djdomi Nov 04 '21 at 17:57