Recipe 11.5. Enabling Screensaver LockingProblemYou want to enable screensaver locking to prevent an administrator leaving the console of a server unlocked and exposing it to an intruder. SolutionUsing a graphical user interfaceThe following instructions enable screensaver locking for the currently logged on user:
The following instructions enable screensaver locking using group policy:
Using a command-line interfaceThe following commands enable screensaver locking in the default user profile. Any user who logs in after these commands are run will use these settings. Any user who logged in before these commands are run will retain their original settings. The following command configures the blank screensaver: > reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v SCRNSAVE.EXE /t R EG_SZ /d scrnsave.scr > reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaveActive/t REG_SZ /d 1 The following command sets the screensaver timeout to 10 minutes (600 seconds): > reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600 The following command enables screensaver locking: > reg add "\\<ServerName>\HKEY_USERS\.DEFAULT\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 Using VBScript' This code enables screensaver locking for all users that log on ' a system even if they've configured other screensaver settings previously. ' ------ SCRIPT CONFIGURATION ------ strComputer = "." strScreenSaveActive = "1" strScreenSaverIsSecure = "1" strScreenSaveTimeout = "300" strScrnSave = "scrnsave.scr" ' ------ END CONFIGURATION --------- const HKEY_USERS = &H80000003 set objReg=GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv") objReg.EnumKey HKEY_USERS, "", arrSubKeys for each strSubkey in arrSubKeys WScript.Echo strSubkey objReg.EnumValues HKEY_USERS, strSubkey & "\Control Panel\Desktop", _ arrValues, arrTypes if IsArray(arrValues) then WScript.Echo " setting screen saver values" objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _ "ScreenSaveActive", strScreenSaveActive objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _ "ScreenSaverIsSecure", strScreenSaverIsSecure objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _ "ScreenSaveTimeOut", strScreenSaveTimeOut objReg.SetStringValue HKEY_USERS, strSubkey & "\Control Panel\Desktop", _ "SCRNSAVE.EXE", strScrnSave else WScript.Echo " NOT setting screen saver values" end if WScript.Echo next DiscussionIf you want to implement a login script or batch file to enable screensaver locking for the currently logged on user of a system, you need to modify the following registry values: HKEY_CURRENT_USER\Control Panel\Desktop "ScreenSaveActive"="1" "ScreenSaverIsSecure"="1" "ScreenSaveTimeOut"="900" "SCRNSAVE.EXE"="scrnsave.scr" This configures the scrnsave.scr screensaver to turn on after 15 minutes (900 seconds) of inactivity. See AlsoMS KB 281250 (Information About Unlocking a Workstation) |