Using GPO to lock Windows 7 workstations but is not working for me

group-policy

Our DC is Windows Server 2008 R2 and our workstations in our company are Windows 7. I am trying to set up a GPO that will automatically lock workstations after a predetermined time (no screensaver, just lock them). I have found all sorts of info on the web and on this site on how to do it, and it seems pretty simple. However, when I create the GPO and apply it and test, it is not working. Here is what I have done:

I make the changes to the default domain policy at:

User Configuration > Policies > Administrative Templates > Control Panel > Personalization

  1. in the GPO I have enabled the screensaver

  2. in the GPO I have enabled the timeout(set it to 60 seconds)

  3. in the GPO I have enabled the Force Specific Screensaver and set screensaver to:

    %windir%\system32\rundll32.exe user32.dll,LockWorkStation
    

    (also tested this on the command line and it does lock the workstation)

  4. in the GPO I have enabled Password Protect The Screensaver.

I went to a workstation and did a gpupdate /force to refresh the policy and waited the 60 seconds—no dice. Screen did not lock. Same thing after rebooting the computer and after refreshing policy (and rebooting) on a different computer. The GPO is made at the default domain policy level so I know that there should not be any permissions issues or policy override problems. Every computer gets this default domain policy.

Any help solving this issue would be appreciated. I have sorted through the questions on Serverfault and the solutions, but they did not seem to help me.
I don't know why this is not working. It seems like it should be.

thanks

Best Answer

Don't go stuffing everything into the Default Domain Policy (DDP) thinking that gives it special powers. You should only configure the Default Domain Policy GPO to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy. (ref https://technet.microsoft.com/en-us/library/hh875588(v=ws.11).aspx especially the heading "Processing GPOs: Precedence") If you make a mistake editing DDP you're in a world of hurt. Much better to have other settings in their own policies so you can unlink them when you have a mistake.

Policies are applied with the following order/precedence:

1) Local machine
2) Site (AD Sites)
3) Domain policy
4) OU

https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/

Remove the screen settings from DDP. If you have other policies in place that also assign a screen saver, you need to remove the screen settings from those policies, because if any of those policies are linked beneath the domain root, they have a higher order of precedence and those settings win. Finally, make a new policy with screen settings and link it to the root of the domain. Use GPRESULT to see which policies are being applied, and/or RSOP to see which policies the effective screen saver settings are being delivered from. Also keep in mind these are USER based settings, so until someone logs on your policy is not used, and the local machine policy still wins.

Sample RSOP
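The following PowerShell script is an added example (not part of the question or the answer above) for doing the check the answer recommends from the workstation side. It reads the four user-side policy values that the Personalization settings in the question write under the user's policy hive, compares them with the values the question intended, and then runs gpresult for the user scope so a conflicting GPO linked below the domain root, or a filtered/denied GPO, shows up. The expected values are taken from the question; run it on the workstation, logged on as an affected user, after gpupdate /force.

```powershell
# Added example: audit the user-side screen saver policy values delivered by
# "Enable screen saver", "Screen saver timeout", "Password protect the screen saver"
# and "Force specific screen saver", then list the GPOs applied to this user.
# Must run in the affected user's session: these are USER settings, so nothing is
# present here until that user has logged on and policy has refreshed.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Expected values, taken from the question (REG_SZ strings as the ADMX writes them).
$expected = [ordered]@{
    'ScreenSaveActive'    = '1'     # Enable screen saver
    'ScreenSaveTimeOut'   = '60'    # Screen saver timeout, in seconds
    'ScreenSaverIsSecure' = '1'     # Password protect the screen saver
    'SCRNSAVE.EXE'        = '%windir%\system32\rundll32.exe user32.dll,LockWorkStation'
}

if (-not (Test-Path $policyKey)) {
    Write-Warning "Policy key $policyKey does not exist for this user."
    Write-Warning "No user-side screen saver policy has been delivered; check the gpresult output below for the GPO you expected."
} else {
    $actual = Get-ItemProperty -Path $policyKey
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Host ("MISSING  {0}" -f $name)
        } elseif ("$value" -ne $expected[$name]) {
            # A different value here usually means another GPO (e.g. one linked to an
            # OU) also sets this item and wins on precedence.
            Write-Host ("MISMATCH {0}: got '{1}', expected '{2}'" -f $name, $value, $expected[$name])
        } else {
            Write-Host ("OK       {0} = {1}" -f $name, $value)
        }
    }
}

# Show which GPOs were applied to this user and which were filtered out or denied.
# Run "gpresult /h report.html" instead for a full RSoP-style report, or rsop.msc for the GUI view.
gpresult /r /scope:user
```

If the key is missing entirely, the settings never reached the user (wrong link, security filtering, or nobody has logged on yet); if a value is present but different, a GPO linked lower in the precedence chain is overriding it, and the gpresult list shows which one.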