Enforcing lock screen after idle time via GPO

Question

I run a network of computers and I would like enforce a GPO which locks the screen after a predefined idle time. I can't find this setting, I can only find a screen saver idle time setting, how can I get a log-out screen accomplished?

Thanks.

Total agreement with everybody else here-- you're mixing terminology. Do you want to lock the workstation or force the user to logoff? (If you did want forced logoff, which I'd highly recommend against, have a look at: http://support.microsoft.com/kb/314999) — Evan Anderson, Oct 29 '09 at 16:36

score 29 · Answer 1 · answered Dec 08 '15 at 10:05

29

Actually I found (and tested) in Windows Server 2012 R2, under:

Computer Configuration>Policies>Windows Settings>Security Settings>Local
Policies>Security Options>

And open item Interactive logon: Machine inactivity limit

Explanation:

Interactive logon: Machine inactivity limit.

Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

Default: not enforced.

answered Dec 08 '15 at 10:05

Sam Doxy

446
4
7

1

This works great for Windows 10 clients, but Windows 7 doesn't work with this. :/ – XtraSimplicity Nov 09 '17 at 02:35
compare the results of gpresult /h gpo.htm command result for each Windows version – Sam Doxy Jan 17 '18 at 15:26

score 17 · Accepted Answer · answered Oct 29 '09 at 12:58

17

Well, through Group Policy you can force to lock down a workstation via a password protected screensaver, but not to log it off. The GPO settings for locking down a workstation via screensaver can be found at: Administrative templates\control panel\display\password protect the screen saver and screen saver timeout.

answered Oct 29 '09 at 12:58

Haim Bender

546
1
3
13

To disable this setting through the registry, the path is `HKCU:\software\policies\microsoft\windows\Control Panel\desktop` – Nacht Oct 03 '13 at 06:00
This setting don't exist in windows 2008. Which version are your using? – motobói Jul 18 '14 at 16:22
2

On Windows Server 2008 or above they are: User Configuration > Policies > Administrative Templates > Control Panel > Personalization – CrazyTim Feb 25 '15 at 04:16

score 4 · Answer 3 · edited Oct 07 '14 at 15:18

4

The more direct solution you are likely looking for is located in:

Group Policy Management / Group Policy Editor

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Microsoft Network Server: Amount of idle time required before suspending session.

edited Oct 07 '14 at 15:18

Valentin Bajrami

4,045
1
18
26

answered Oct 13 '12 at 02:06

Briggs

89
1
1

7

The description says that applies to SMB sessions – bradvido Apr 11 '14 at 19:31

score 2 · Answer 4 · answered May 20 '16 at 08:33

For Windows XP, Vista and 7, you only can locked the workstation with the User Configuration > Policies > Administrative Templates > Control Panel > Personalization feature. This GPO feature already apply to the newer operating systems, but some Windows 8.1 and 10 versions are having issues with it. So, for those Windows versions I'd take advantage of the Interactive logon option.

You should be careful when applying both, Screensaver with password and Interactive logon: Machine inactivity limit, as they may come in conflict and lead to unexpected results for Windows 8 and later versions.

Interactive logon: Machine inactivity limit gpo feature only apply to Windows 8 and later versions.

But all depends of your environment and the Windows versions you have deployed in your domain.

score 2 · Answer 5 · edited Nov 09 '17 at 21:58

2

In my french version of W2K8, I have in :

GPO > Strategy > Administration Model > System > Power Management > Screensaver options > Ask for a password when computer wake up

It should do the trick...

PS : the translation of GPO entries is approximative

edited Nov 09 '17 at 21:58

womble

96,255
29
175
230

answered Oct 29 '09 at 09:39

lterrier

41
1

score 0 · Answer 6 · answered Sep 30 '13 at 12:14

0

On Windows Server 2008 these settings can be found in: User Configuration > Policies > Administrative Templates > Control Panel > Personalization

answered Sep 30 '13 at 12:14

ChinaTeacherJohn

1

score 0 · Answer 7 · edited Jun 26 '15 at 16:16

0

Create a new GPO then edit it and go to: Computer Config>Policies>Windows Settings>Security Settings>Local Policies>Security Options and find Interactive logon: Machine inactivity limit. Set that to whatever time you want and it will lock the PC after it hits that timer.

edited Jun 26 '15 at 16:16

sebix

4,313
2
29
47

answered Jun 26 '15 at 14:02

TOVDEW13850

1

I dont see `Interactive logon: Machine inactivity limit` in the list? What version of SBS is this for? – Magic Mick Sep 29 '15 at 10:08

score 0 · Answer 8 · answered Oct 29 '09 at 09:18

0

To force a lock enforce the screen saver with the "require a password..." option. Logging out is a whole different thing. Which are you after?

answered Oct 29 '09 at 09:18

John Gardeniers

27,458
12
55
109

1

Agree that the question mixes terms - though I'll go so far as to recommend a lock vs. log-out or you're going to zap a lot of user work. – Kara Marfia Oct 29 '09 at 12:32

Enforcing lock screen after idle time via GPO

8 Answers8

Linked