Lock Domain Computers with Screensaver using GPO

In this article, you’ll learn how to lock domain computers with a screensaver using group policy (GPO). Using a GPO, you can lock computers after a specific interval of time or after a specific duration of inactivity on the computer and force a screensaver.

Before leaving their desks, employees in most companies are instructed to lock their computers to prevent unauthorized access, because an unlocked, unattended computer can be used by anyone who walks up to it. If employees forget to lock their computers, the system administrator can enforce a GPO to lock the computers automatically.

Most organizations prefer to use a branded screen saver that displays their company logo along with company information. However, it is possible that some companies do not have their own unique screensaver. If this is the case, you can make use of the screensavers that come pre-installed with the Windows operating system.

In this article, we will demonstrate how a GPO can help you lock computers in a domain and activate a screensaver after a specified amount of time. We will configure it so that after the computer’s inactivity timeout, it will be locked and the screen saver will appear.

Screensavers for Domain Computers

Windows Server operating systems come preinstalled with a few basic screensavers that cannot be customized but can be used with a Group Policy Object (GPO). If your company has a branded screensaver, you can use it and assign it to your domain computers.

It is important to keep in mind that the screensaver will not activate unless the computer has been inactive for a predetermined amount of time. This is also known as system idle timeout, the duration for which the computer remains idle. You can increase the idle timeout before the lock screen appears or the computer goes to sleep.

In this article, we will choose a preinstalled screensaver from Windows Server and apply it to our domain computers using a screensaver GPO. On Windows Server, the screensavers are located in the C:\Windows\WinSxS folder. Navigate to this folder path to access all the preinstalled screensavers. If you have trouble finding them, use the search box to locate the files with the .scr extension.

Once you have finalized the screensaver, copy the screensaver file to a shared folder or a folder path that is accessible to domain computers. This is important because the clients will pick up the screen saver from this location, as defined in the screensaver GPO.

Lock Domain Computers with Screensaver using GPO

We will now go through the steps to lock domain computers and apply a screensaver using group policy. You can create the GPO on a domain controller or a computer installed with GPMC.

  • Launch the Group Policy Management console.
  • Right-click the domain and click on Create a GPO in this domain and link it here.
  • Specify the GPO name, such as Screensaver Policy, and click OK.

Right-click the Screensaver Policy GPO and select Edit. The Group Policy Management Editor launches. In the editor, navigate to the following path: User Configuration > Policies > Administrative Templates > Control Panel and choose the Personalization folder. This is where all the GPO settings related to screensavers are located.

Configure Screen Saver Timeout

The first group policy setting that we configure is the screen saver timeout. This policy specifies how much user idle time must elapse before the screen saver is launched. The idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If you set the value 0, the screen saver will not start.

To configure this setting, right-click the Screen saver timeout policy setting and select Edit. To enable this policy, select Enabled. Specify the number of seconds to wait before the screen saver starts. In this example, we have set an idle time of 60 seconds to display the screen saver. Click Apply and OK.

Force Specific Screen Saver

The next policy to configure is “Force Specific Screen Saver”. This policy specifies the screen saver for the user’s desktop. To enable this setting, right-click the Force Specific Screen Saver setting and select Edit. Enable this policy and specify the name of the file that contains the screen saver, including the folder path where you have placed the screensaver. Click Apply and OK.

Enable Screen Saver for Domain Computers

After you have specified the screen saver location in the above step, the next policy setting that you must configure is “Enable Screen Saver” for your domain computers. Before you enable this setting, you must specify the screen saver executable path and screen saver timeout. Enabling the policy turns on the screen saver on domain computers and applies the screen saver from the specified location.

Double-click the setting “Enable Screen saver”, and select Enabled. This setting enables the screen saver on AD domain computers.

Configure Password Protect the screen saver

To protect your screensaver with a password, configure the policy “Password protect the screen saver”. Double-click the setting Password protect the screen saver and select Enabled. This setting makes all screen savers password protected. Password protection only applies when the screen saver actually runs; therefore, ensure you have also enabled the policy settings Enable screen saver and Screen saver timeout. Click Apply and OK.
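
The four Personalization settings configured above can also be scripted. The following is an added example, not part of the original article: it assumes the GroupPolicy PowerShell module (installed with GPMC), and the domain DN and share path are placeholders to replace with your own. The registry value names are the ones these four Administrative Templates settings write under the user policy key.

```powershell
# Added example: scripted equivalent of the four screen saver settings.
# Assumptions: GroupPolicy module available; $Target and $ScrPath are placeholders.
Import-Module GroupPolicy

$GpoName    = 'Screensaver Policy'              # GPO name used in this article
$Target     = 'DC=example,DC=com'               # placeholder: DN of your domain or OU
$ScrPath    = '\\fileserver\share\company.scr'  # placeholder: shared screensaver file
$TimeoutSec = 60                                # idle time in SECONDS, not minutes

# The timeout policy accepts 1 to 86400 seconds; 0 means the screen saver never starts.
if ($TimeoutSec -lt 1 -or $TimeoutSec -gt 86400) {
    throw "Timeout must be between 1 and 86400 seconds (got $TimeoutSec)."
}

# User Configuration > Policies > Administrative Templates > Control Panel > Personalization
$Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Reuse the GPO if it already exists so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# All four values are stored as strings (REG_SZ).
$settings = [ordered]@{
    'ScreenSaveTimeOut'   = "$TimeoutSec"   # Screen saver timeout
    'SCRNSAVE.EXE'        = $ScrPath        # Force specific screen saver
    'ScreenSaveActive'    = '1'             # Enable screen saver
    'ScreenSaverIsSecure' = '1'             # Password protect the screen saver
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type String -Value $settings[$name] | Out-Null
}

# Link the GPO; New-GPLink raises an error if the link is already present.
try {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "GPO link not created: $($_.Exception.Message)"
}

# A .scr file is an executable: keep the share read-only for ordinary users.
Get-GPRegistryValue -Name $GpoName -Key $Key | Select-Object ValueName, Value
```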

End User Experience: Lock Domain Computers with Screensaver

After the group policy has been applied to the domain computers, it’s time to update the group policy on the client computers and check to see if the screensaver is displayed after idle timeout. You can use multiple ways to perform the group policy update on remote computers. On a test client machine, you can manually perform the group policy update by running the gpupdate /force command.

Finally, after exactly 60 seconds (Screen saver time out) the screen saver is enabled and the computer is locked.
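
To confirm what a client actually received, you can read the policy values back from the user's registry hive. The following is an added example, not part of the original article: the function name Test-ScreenLockPolicy is hypothetical, and it must be run in the logged-on user's session because these are User Configuration settings.

```powershell
# Added example: audit the effective screen saver policy for the logged-on user.
# Run in the user's session on a test client after gpupdate /force.
function Test-ScreenLockPolicy {
    param([int]$ExpectedSeconds = 60)   # 60 is the value used in this article

    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) {
        return 'No screen saver policy values found: the GPO has not applied to this user.'
    }

    $timeout  = [int]$p.ScreenSaveTimeOut   # missing value becomes 0
    $scr      = $p.'SCRNSAVE.EXE'
    $findings = @()

    if ($p.ScreenSaveActive -ne '1') {
        $findings += 'Enable screen saver is not set to Enabled.'
    }
    if ($p.ScreenSaverIsSecure -ne '1') {
        $findings += 'Password protection is off: the screen saver will not lock the computer.'
    }
    if ($timeout -eq 0) {
        $findings += 'Timeout is 0 or missing: the screen saver will never start.'
    } elseif ($timeout -ne $ExpectedSeconds) {
        $findings += "Timeout is $timeout seconds, expected $ExpectedSeconds (the value is in seconds, not minutes)."
    }
    if (-not $scr) {
        $findings += 'No screen saver file is specified.'
    } elseif (-not (Test-Path -LiteralPath $scr)) {
        $findings += "Screen saver file is not reachable from this session: $scr"
    }

    [pscustomobject]@{
        TimeoutSeconds = $timeout
        TimeoutMinutes = [math]::Round($timeout / 60, 1)
        ScreenSaver    = $scr
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

Test-ScreenLockPolicy -ExpectedSeconds 60 | Format-List
```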

39 Comments

  1. I used this blog to set up a GPO Lock Screen in AD. It seems to work on most computers, but not all. Windows 2012 R2. When I right click the policy, Enabled is checked. Should I check Enforce too? What else could be the issue? Thank you!

  2. Hi Prajwal,

    Can we do this using SCCM by creating a configuration item and baseline?

  3. debdas sardar says:

    Personalization not found in GPO 2008r2

  4. I am using Windows Server 2008 R2 Standard. I have done all of the above and it did not work.
    I have also run gpupdate /force and gpresult /r on the client. The policy is listed but it did not lock after 60 secs.
    Pls assist.

  5. These instructions are out of date and do not work in Server 2012 R2 environments. The descriptions for many of the above settings in fact begin with “This setting is obsolete and will not be available in the future (not reflected in your screenshots above). Use such_and_such policy instead.” Unfortunately the referenced policies have a different purpose and cannot be used to lock the screen after X minutes of inactivity. Can you provide updated instructions applicable to Server 2012 R2 / 2016 with Windows 7 & 10 clients to accomplish the same? Thanks.

  6. Hi there, is it also possible to combine two jpg files into one and use it as a screen saver? Thanks

  7. Nazir Shah says:

    Your posts are always awesome. Here is my case.
    I have applied the policy successfully. Screen saver starts after 4 mins, but I don’t want the screen lock at the same time. I removed “require a password to unlock” in order to leave it on and I enabled “Interactive logon: Machine inactivity limit” to 10 mins.

    Now screen saver is working but it never locks the computer.

    I need it to start the screen saver after 4 mins and if the user touches the mouse or keyboard before 10 mins it should not ask for a password, but if he touches after 10 mins it should ask for a password.

    Any help from you would be appreciated.
    Looking forward to hearing from you..

  8. Amol bagal says:

    I have a lab of 50 machines. I want to lock the screens of all 50 machines during the theory session and unlock them again during the practical session. The theory and practical sessions go on simultaneously.

  9. Nick Cappello says:

    Prajwal, I love the ease in the way you did this, but is there a way to also lock the users out from being able to set their own timeouts via GPO?

  10. Hi Prajwal… Can you tell me if this would also apply to Windows 10 or is there a different method for doing the same thing?

  11. You could create a GPO and configure the settings to lock computers. Apply this GPO to specific OU’s. You could exclude them from OU (computers) where you don’t want this policy to be applied.

    1. I tried this but the lock computers settings are part of the user configuration and not within computer configuration.
      So, we have this GPO that is applied to our domain with security filtering of authenticated users. I have added computers that do not need the lock policy to an OU and have also enabled this GPO on this OU, but I have enabled loopback processing with merge mode enabled. I am hoping that this works in excluding these computers. Is this the right approach?

  12. Hi Prajwal, this is working as you have described above. However, we have a need to disable this screen lock feature on a few selected PCs in our environment. How can we accomplish this using this GPO? Thanks for your help.

  13. Hi Prajwal, I have set this up as you have shown in your post above, and it’s working as configured. However, we have a need for a few computers to not exhibit this screensaver locking feature. What changes do I need to make in order to make sure that this set of computers does not lock every 30 minutes? Please advise. Your input is much appreciated. Thanks again.

  14. I have an AD policy to lock the screen on a workstation and when it invokes rundll32 user32.dll,LockWorkstation there is a ding or Windows startup-like sound (Windows 7) when the screen locks. Is there any way through policy to turn off just that sound?

    1. Hi John, those are the sounds defined by Microsoft when an event happens; they differ depending on the themes that you install. Those settings can be found under Control Panel > Sound. I am not aware of any policy that can disable this setting on a group of computers.

  15. I have an AD policy to lock the screen on a workstation and when it invokes rundll32 user32.dll,LockWorkstation there is a ding or Windows startup-like sound (Windows 7) when the screen locks. Is there any way through policy to turn off just that sound?

  16. Daniel Nitecki says:

    Thanks for the info, your site is very helpful.
    However, you should really look into however you’re monetizing as the vast majority of the ads I’m getting are spammy, at best – Lots of fake “Update Required” type stuff…

    1. @Daniel – The ads are bidvertiser ads and I have checked with them on this and they have confirmed that ads are harmless.

  17. Jerry Cabrera says:

    Having a similar issue to Shy, whereas we have set GP to 130 minutes but it locks after 2 minutes of inactivity.

    1. Léon Lamothe says:

      The setting is in seconds… 130 seconds = 2 minutes

  18. Dear Prajwal, I configured it like this but all my users’ PCs are locking after 30 seconds and I set the timing to 120 seconds. I restarted the server and the user PC also but still the same problem.
    Now I have removed all the configuration but the PCs are still locking after 30 seconds. Please help me.
    I am waiting for your reply. Please reply to me ASAP.

    Thanks in advance

    1. Jerry Cabrera says:

      I am having a similar issue, I have ours set to 130 minutes but it locks after 2 minutes of inactivity. Were you able to find any answers?

  19. Can we deploy the screen saver through SCCM?

  20. Thanks PD.

    I am trying to apply it on a computer OU, to a specific computer. It is not getting applied.

    Any suggestions?

    1. Have you checked if the group policy is applied to the client machine? Check RSOP on the client machine (rsop.msc)

      1. RSOP shows 1620 Seconds but system gets locked in 2 min

    2. If you’re applying user settings to a computer OU, you’ll need to enable group policy loopback processing

  21. Thanks for the directions, they worked great!

    Is there a way to have this overwrite a computer that previously had a lockout time? For example, mine was previously set to 1 minute which still locks out at 1 minute even though the GPO changed the setting to 5 minutes.

    1. If the screensaver is not getting applied as per the policy, do a gpupdate /force or restart the machine. If the issue still persists then unjoin the computer from the domain and join it back.

  22. SUSHIL KUMAR says:

    Thanks a lot for this suggestion.

    I need help with one more thing, and that is how to give a printer to all users from the server. I mean when users log in they get the printer which is installed on the server.

    Thanks.

    1. Do you mean to say that you want the printer to be listed in Active Directory? What is your current environment?

  23. Anil yadav says:

    Hi Prajwal,

    Really helpful to me and many thanks for your support and contribution.

    THANKS ONCE AGAIN.

  24. Thank you. I’m new to server and AD. Started learning SCCM. I’m impressed with your dedication, knowledge and contribution to people.
