Some months ago I published my solution to this problem here.
As a reaction on the post of tfrederick74656 (below) I stated to have a better solution using the Item-level targeting for the Remote desktop.
After I posted this, it worked for one or two days and then did nothing anymore.
After some months of doing other things and wondering what really happens I started all over again.
And this time I really have the solution to the problem!
Goal: All laptops, desktops and servers with lock screen policy, except RDP's.
It is not an item-level-targeting solution anymore, but a script and one setting together in a GPO.
As told on other places there are four settings that you will need:
Enable screen saver
Enabled Password protect the screen saver
Enabled Force specific screen saver
Enabled ScreenSaveTimeOut [time in seconds]
Because I don’t know what setting is responsible for this thing to work, I wanted to get them all in the script. One setting I couldn’t find, so this one is separated from the others: Force specific screensaver. (You don’t have to tell the system what screensaver you will need.)
The other thing we need is a script: LockDesktopAfter3MinutesExceptRDP.PS1
Here’s the GPO:
User configuration - Policies - Administrative Templates - Control Panel - Personalization - Force specific screensaver: Enabled (You don’t have to tell the system what screensaver you will need.)
![Group Policy](https://i.stack.imgur.com/SQTHx.png)
And here’s the script that I added into the GPO:
$File = "c:\temp\sessions.txt"
query session > $File
$text = Get-Content $File
ForEach ($Line in $text)
{
If ($Line -like '*>console*')
{
#console session
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveActive -Value 1
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaverIsSecure -Value 1
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveTimeOut -Value 180
}
ElseIf ($Line -like '*>rdp-tcp*')
{
#RDP session
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveActive -Value 0
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaverIsSecure -Value 0
Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveTimeOut -Value 86400
}
}
# Apply this new policy now (immediately after this registry change)
Start-Sleep -s 10
Start-Process -FilePath "rundll32.exe" -ArgumentList "user32.dll, UpdatePerUserSystemParameters 1, True"
And this is what the script is about:
When you type ‘query session’ in a cmd box, you will get your session and possible other sessions in a few lines. Your own session has a ‘greater-than sign’ at the start of the line.
The powershell script reads this output line by line and checks if ‘>console’ or ‘>rdp-tcp’ is present. Now you know if you are dealing with a remote desktop –desktop or a console-desktop.
You can now change the lock-desktop behavior depending on the situation by changing the registry items.
But this is only half of the solution.
The real problem was that you have to tell the system that you want the result NOW. This is done by running the last line of the script.
I hope this will help you out.
Best Answer
The registry key's value is REG_DWORD type, setting it to "0" will disable the pop-up.
You can set this value in GPO using a logon script or, preferably, Client-Side Preferences. A logon script would look something like:
http://support.microsoft.com/kb/311489
Edit: Here's an ADM that should perform the same function, if you're into that kinda thing.
Per @natxo's comment below, the above will disable the pop-up on a per-user basis. You can use this to target specific user groups/OUs if you want. Should you wish to disable the pop-up on a per-computer (all users) basis, change "HKCU" to "HKLM" in the script or change "USER" to "MACHINE" in the ADM. This is detailed in the Microsoft Support link above.