Windows OS Hub
March 15, 2024

Auto Lock Computer Screen After Inactivity with GPO

Information security best practices require the computer screen to be locked when the user has been inactive (idle) for some time. A Windows user can lock the screen manually with the Win + L keyboard shortcut, but relying on users is not a control. It is better to implement a Group Policy that locks the screen automatically after a period of inactivity and apply it to all computers (or users) in the AD domain.

Contents:
  • Configuring Lock Screen Settings in Windows Using Group Policy
  • Enable Password Protected Screensaver to Lock Computer via GPO

Configuring Lock Screen Settings in Windows Using Group Policy

You can enable a computer security policy that requires users to re-authenticate (enter a password) after a specified period of inactivity.

Let’s create and configure a domain Group Policy to manage screen lock options:

  1. Open the Group Policy Management console (gpmc.msc), create a new GPO (LockScreenPolicy) and link it to the domain root (or to the OU that contains the computers on which you want to enforce the lock screen policy);
  2. Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
  3. In the Interactive logon: Machine inactivity limit option, specify the number of seconds of inactivity after which the desktop is locked. For example, to lock the computer after 5 minutes, set this to 300. The allowed range is 0 to 599940 seconds (about 7 days);
  4. Update Group Policy on the computers (gpupdate /force) or wait for the next refresh cycle; if the new limit does not take effect, restart the computer. From then on, the computers lock automatically when no keyboard or mouse input is detected for the specified time.

This policy sets the InactivityTimeoutSecs value (REG_DWORD, seconds) under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System. If the value is 0 or the parameter is absent, the computer is never locked by this policy. The setting exists since Windows 8 / Windows Server 2012; on earlier versions, use the screen saver policy described below.
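When auditing endpoints it is useful to read the effective configuration back rather than trust that the GPO applied. The following PowerShell function is an added example (not part of the original article): it reads the InactivityTimeoutSecs value described above together with the per-user screen saver policy values covered later on this page, and reports the shortest enforced idle-lock timeout. The -MaxIdleSeconds parameter is an assumption of this example (the longest idle period your policy allows); the registry paths are the ones Windows uses for these settings.

```powershell
# Added example (not from the original article): report the effective idle-lock
# configuration on the local computer and check it against a required maximum.
function Get-IdleLockConfiguration {
    [CmdletBinding()]
    param(
        # Assumed parameter: the longest idle period your policy tolerates, in seconds.
        [int]$MaxIdleSeconds = 300
    )

    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $userKey    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # "Interactive logon: Machine inactivity limit" (REG_DWORD, seconds).
    # Absent or 0 means not enforced; the documented range is 0..599940.
    $limit = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $machineEnforced = ($null -ne $limit) -and ($limit -gt 0) -and ($limit -le 599940)

    # Screen saver policy for the current user. All four values are REG_SZ.
    $ss = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
    $ssActive  = [int]$ss.ScreenSaveActive
    $ssSecure  = [int]$ss.ScreenSaverIsSecure
    $ssTimeout = [int]$ss.ScreenSaveTimeOut
    $ssFile    = [string]$ss.'SCRNSAVE.EXE'

    # Input during the grace period dismisses the screen saver without a password.
    # The value is REG_SZ seconds; Windows defaults to 5 when it is absent.
    $graceRaw = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).ScreenSaverGracePeriod
    $grace = if ($null -ne $graceRaw) { [int]$graceRaw } else { 5 }

    # The screen saver only locks the session if it is active, password protected
    # and has a non-zero timeout.
    $ssEnforced = ($ssActive -eq 1) -and ($ssSecure -eq 1) -and ($ssTimeout -gt 0)

    $candidates = @()
    if ($machineEnforced) { $candidates += $limit }
    if ($ssEnforced)      { $candidates += ($ssTimeout + $grace) }
    $effective = if ($candidates.Count -gt 0) {
        ($candidates | Measure-Object -Minimum).Minimum
    } else {
        $null
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        UserName               = $env:USERNAME
        MachineInactivityLimit = $limit
        ScreenSaverActive      = ($ssActive -eq 1)
        ScreenSaverSecure      = ($ssSecure -eq 1)
        ScreenSaverTimeout     = $ssTimeout
        ScreenSaverFile        = $ssFile
        GracePeriodSeconds     = $grace
        EffectiveLockSeconds   = $effective
        Compliant              = ($null -ne $effective) -and ($effective -le $MaxIdleSeconds)
    }
}

# Usage: run in the context of a logged-on user on the endpoint.
Get-IdleLockConfiguration -MaxIdleSeconds 300 | Format-List
```

If you run this remotely with Invoke-Command, the HKCU branch reflects the account the remote session runs as, not the interactively logged-on user; only the machine inactivity limit and the grace period are meaningful in that case.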

GPO Security Filtering allows you to exclude specific computers from the screen lock policy:

  1. Create a NoLockComputers security group in AD and add the computer accounts that should not lock their screens;
  2. In the GPMC console, select your policy, open the Delegation tab and click Advanced;
  3. Add the security group you created and set Deny for the Apply group policy permission;
  4. Restart the computers you added to the group (a computer picks up new group memberships in its access token only at startup). After that, the screens of the computers in this group are no longer locked by this GPO.

Enable Password Protected Screensaver to Lock Computer via GPO

You can also implement an automatic screen lock using the Windows screen saver settings. These settings live under User Configuration, so this policy applies to user accounts rather than to computers.

  1. Create a GPO and link it to the OU with the user accounts;
  2. Edit the policy and go to User Configuration -> Policies -> Administrative Templates -> Control Panel -> Personalization;
  3. Enable the following screen saver and screen lock options in this section:
  • Enable screen saver;
  • Password protect the screen saver – require a password to unlock the computer;
  • Screen saver timeout – the period of inactivity (in seconds) before the screen saver starts and the session is locked. Set this to 300 to lock the screen after 5 minutes;
  • Force specific screen saver – the screen saver file to use. Most often this is scrnsave.scr, the built-in blank screen saver (learn more about how to configure screensavers with GPO);
  • Prevent changing screen saver – prevents users from changing the screen saver settings.
  4. Wait for the Group Policy settings to be updated on the clients, or update them manually with the gpupdate /force command;
  5. After the GPO is applied, the screen saver and screen lock settings can no longer be changed or disabled from the Windows interface, and user sessions are locked after 5 minutes of inactivity. These settings apply to both console sessions and RDP sessions on RDS hosts.

Note that after the screen saver starts, Windows allows a short grace period (5 seconds by default) during which keyboard or mouse input dismisses the screen saver without asking for a password. It is controlled by the ScreenSaverGracePeriod value (REG_SZ, seconds) in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; set it to 0 if the password must be required immediately.

To unlock the computer, the user presses Ctrl+Alt+Del (Ctrl+Alt+End inside an RDP session), clicks the screen, or presses any key (depending on the Windows version and lock screen settings), and enters the password.

If you need different screen lock settings for different user groups, you can use GPO Security Filtering (as above) or deploy the lock screen settings through the registry with Group Policy Preferences. For example, office workers should be locked after 10 minutes of inactivity, while production or SCADA operator sessions should never be locked.

The lock screen settings discussed above correspond to the following registry values under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop (all of type REG_SZ):

  • Enable screen saver – ScreenSaveActive = 1
  • Password protect the screen saver – ScreenSaverIsSecure = 1
  • Screen saver timeout – ScreenSaveTimeOut = 300
  • Force specific screen saver – SCRNSAVE.EXE = scrnsave.scr

You can use Group Policy Preferences to set these registry values differently for different user groups.

Create a domain security group (grp_not-lock-prod) for the users who must be exempt from the screen lock policy and add the users to it. Create the four registry values listed above in the GPO section User Configuration -> Preferences -> Windows Settings -> Registry. Use Item-Level Targeting on each registry item so that it applies only when the user is not a member of the grp_not-lock-prod security group.

See also: How to exclude specific users or computers from an auto-locking GPO.

You will also have to create the same 4 registry values a second time with a REG_SZ value of 0 and target them at members of grp_not-lock-prod. This is needed because registry values written by Group Policy Preferences stay in the user's hive when the item stops applying (the setting is "tattooed"), so a user moved into the exempt group would keep the lock settings unless your GPO explicitly overwrites them. Alternatively, enable "Remove this item when it is no longer applied" on the Common tab of each registry item.
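The four registry values listed above and the "set them to 0 for the exempt group" override can also be built from PowerShell with the GroupPolicy module (RSAT). The function below is an added example, not code from the original article: it writes the same four REG_SZ values the article maps to the Personalization policies into a GPO's User Configuration, and with -Disable writes the four zero values for the exempt group. Instead of GPP item-level targeting, this example puts the override into a second GPO with higher precedence that is security-filtered to grp_not-lock-prod; the GPO names and the OU path are assumptions.

```powershell
# Added example (not from the original article): create the user-side screen saver
# lock GPO (or its zeroed override) with the GroupPolicy module.
Import-Module GroupPolicy

function Set-ScreenSaverLockGpo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$GpoName,
        [string]$LinkTarget,                 # e.g. 'OU=Users,DC=corp,DC=example' (assumed)
        [int]$LinkOrder = 0,                 # 1 = highest precedence at the link target
        [int]$TimeoutSeconds = 300,
        [string]$ScreenSaver = 'scrnsave.scr',
        [switch]$Disable                     # write the four values as "0" instead
    )

    # User-side policy key; Set-GPRegistryValue puts HKCU keys into User Configuration.
    $key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }

    # Policy -> registry mapping from the article. All four values are REG_SZ.
    $values = if ($Disable) {
        @{ 'ScreenSaveActive' = '0'; 'ScreenSaverIsSecure' = '0'; 'ScreenSaveTimeOut' = '0'; 'SCRNSAVE.EXE' = '0' }
    } else {
        @{ 'ScreenSaveActive' = '1'; 'ScreenSaverIsSecure' = '1'; 'ScreenSaveTimeOut' = "$TimeoutSeconds"; 'SCRNSAVE.EXE' = $ScreenSaver }
    }

    foreach ($name in $values.Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $name -Type String -Value $values[$name] | Out-Null
    }

    if ($LinkTarget) {
        $linkArgs = @{ Name = $GpoName; Target = $LinkTarget; LinkEnabled = 'Yes'; ErrorAction = 'SilentlyContinue' }
        if ($LinkOrder -gt 0) { $linkArgs['Order'] = $LinkOrder }
        # New-GPLink fails if the link already exists; that case is ignored here.
        New-GPLink @linkArgs | Out-Null
    }

    # Show what was written to registry.pol for this GPO.
    Get-GPRegistryValue -Name $GpoName -Key $key | Select-Object ValueName, Type, Value
}

$ou = 'OU=Users,DC=corp,DC=example'   # assumed OU path

# 1. Enforcing GPO for all users in the OU: lock after 5 minutes.
Set-ScreenSaverLockGpo -GpoName 'UserLockScreenPolicy' -LinkTarget $ou -TimeoutSeconds 300

# 2. Override GPO for the exempt group, linked with link order 1 so it wins.
Set-ScreenSaverLockGpo -GpoName 'UserLockScreenPolicy-Exempt' -LinkTarget $ou -LinkOrder 1 -Disable

# 3. Security filtering for the override: Authenticated Users keep Read (required for
#    GPO processing since MS16-072) but lose Apply; only grp_not-lock-prod applies it.
Set-GPPermission -Name 'UserLockScreenPolicy-Exempt' -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name 'UserLockScreenPolicy-Exempt' -TargetName 'grp_not-lock-prod' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
```

Because both GPOs write the same four registry values, the exempt GPO must have higher precedence than the enforcing one at the link target (link order 1 here); otherwise the "1" values would be applied last and win. Check the result on a test user with gpresult /r or by running the audit function from the first section.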
Tags: Active Directory, Group Policies, Windows 10, Windows 11, Windows Server 2019
1 comment

dk July 17, 2023 - 5:49 am

Starting with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting Interactive logon: Machine inactivity limit.

