How to circumvent or alter screen timeout group policy when not on the domain?


Solution 1

I've been able to demonstrate to myself that the presentationsettings tool that I originally suggested does "respect" the Group Policy settings that prevent a user from changing their screen saver. I wasn't aware of this behavior but it certainly makes sense, given that users would just use this tool to exempt themselves from screen savers when nothing presentation-related was happening.

As @HopelessN00b mentions, you may want to change the Group Policy as it applies to the "remote" laptop computers. You'll need to invoke Loopback Policy Processing because screensaver settings are per-user, not per-computer. Loopback Policy Processing allows you to apply user settings to a computer irrespective of the user who has logged on.

The feature is, unfortunately, confusing to a lot of people. It has a couple of different "modes" (Merge versus Replace) that make it even more confusing. For your application, you could create and link a GPO to a hypothetical "Remote Laptop Computers" OU that enables Loopback Policy Processing in "Merge" mode in its "Computer Configuration" section and, in its "User Configuration" section, sets the screensaver properties to whatever you'd like. When next those machines are rebooted (because the switch from non-Loopback to Loopback requires a reboot-- background policy refresh won't enable it) you'll see the machines begin to pick up the screensaver settings from this new GPO.

Short of writing some kind of hackish client-side service program to reach into the user's registry and toggle the Group Policy screen saver restriction value (since the user can't do it themselves because of registry permissions) I think you're stuck in a situation where you're going to have to choose the lesser of the evils and either disable screen saver restrictions for users on the laptop computers, use some third-party "mouse jiggler" or keyboard simulation software, or just tell the users to live with it.


Edit:

There are any number of third-party programs that can do what you're looking for, but there's a certain "elegance" to doing things with only built-in OS components.

Here's a little VBScript program, suitable for execution by wscript.exe (meaning that you could deploy this w/ Group Policy Preferences directly into the computer's "Startup" folder) that should do what you're looking for, assuming that your domain's DNS name isn't able to be resolved externally to your network. (If it is able to be resolved externally then, frankly, you get what you deserve.)

This script sits in a polling loop, using nslookup to resolve the domain named in the USERDNSDOMAIN environment variable. It polls every 10 seconds, but you can modify that by altering the Const POLL_DELAY line. (The strange gyration of executing itself again is necessary because, if executed only by wscript.exe, a window will briefly appear on each polling interval-- not a good thing at all.)

When the domain name doesn't resolve the "F15" key is "pressed", causing enough activity that Windows will not activate the screensaver.

This script was tested on Windows 8.1 x64 logged-on with a domain user who had a Group Policy Object applying to them that included the Administrative Template settings:

  • Enable screen saver - Enabled
  • Prevent changing desktop background - Enabled
  • Prevent changing screen saver - Enabled
  • Password protect the screen saver - Enabled
  • Screen saver timeout - Enabled - 30 seconds
  • Force specific screen saver - Enabled - scrnsave.scr

My test methodology was as follows:

  • Place the program, named ss.vbs, into the computer's "Startup" folder
  • Logon to the computer as a user with the above Group Policy settings applied
  • Verify that the screen saver starts after 30 seconds of inactivity
  • Unlock the machine
  • Disconnect the computer's network interface card
  • Verify that the screen saver does not start after several minutes of inactivity
  • Reconnect the computer's network interface card
  • Verify that the screen saver starts after 30 seconds of inactivity
  • Logoff to verify that the script doesn't "hang" or otherwise disturb the logoff process

On a Windows 8.1 x64 machine the script is doing exactly what I want.

Option Explicit

' Delay, in seconds, between attempts to resolve the domain name 
' and pressing the "F15" key.
Const POLL_DELAY = 10

Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")

Dim objExec
Dim intFound

If UCase(Right(WScript.Fullname, 11)) = "WSCRIPT.EXE" Then
    While 1
        intFound = objShell.Run("cscript.exe """ & WScript.ScriptFullName & """", 0, True)

        If intFound = 255 Then objShell.SendKeys("{F15}")

        WScript.Sleep(POLL_DELAY * 1000)
    Wend
Else
    Set objExec = objShell.Exec("nslookup " & objShell.ExpandEnvironmentStrings("%USERDNSDOMAIN%"))

    While Not objExec.StdOut.AtEndOfStream
        If Left(objExec.StdOut.ReadLine, 5) = "Name:" Then WScript.Quit(0)
    Wend

    WScript.Quit(255)
End If
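
The loopback GPO described in Solution 1, sketched with the GroupPolicy PowerShell module as an added example that is not part of the original answer. The GPO name, the OU distinguished name and the 900-second timeout are assumptions; the lock itself stays password-protected.

```powershell
# Added example, not from the original post. Run on a machine with the
# GroupPolicy module (RSAT / Group Policy Management) as a GPO administrator.
Import-Module GroupPolicy

$GpoName        = 'Remote Laptops - Screensaver (Loopback Merge)'   # hypothetical name
$TargetOu       = 'OU=Remote Laptop Computers,DC=example,DC=com'    # hypothetical OU
$TimeoutSeconds = '900'                                             # assumed value

New-GPO -Name $GpoName -Comment 'Loopback (Merge) screensaver settings' | Out-Null

# Computer Configuration: "Configure user Group Policy loopback processing mode".
# UserPolicyMode 1 = Merge, 2 = Replace. In Merge mode the user settings of GPOs
# that apply to the computer are processed after the user's own GPOs.
$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $loopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User Configuration: the same Administrative Template screensaver settings
# listed in the answer, stored as REG_SZ values under the user policy key.
$desktopKey   = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userSettings = [ordered]@{
    'ScreenSaveActive'    = '1'               # Enable screen saver
    'ScreenSaverIsSecure' = '1'               # Password protect the screen saver
    'ScreenSaveTimeOut'   = $TimeoutSeconds   # Screen saver timeout (seconds)
    'SCRNSAVE.EXE'        = 'scrnsave.scr'    # Force specific screen saver
}
foreach ($valueName in $userSettings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $desktopKey `
        -ValueName $valueName -Type String -Value $userSettings[$valueName] | Out-Null
}

# Link the GPO to the OU that holds the laptop computer objects.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# Read the settings back from the GPO to confirm what will be applied.
Get-GPRegistryValue -Name $GpoName -Key $loopbackKey -ValueName 'UserPolicyMode'
Get-GPRegistryValue -Name $GpoName -Key $desktopKey
```

As the answer notes, the laptops need a reboot before loopback processing takes effect.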

Solution 2

The typical way of handling this is a separate set of policy for users or machines defined as "remote" workers. We, for example, have an OU named Remote Laptop Users which allows those users more control over display and power settings, for exactly this reason. (You can also use WMI filtering or security filtering to achieve the same results, if you don't want to, or can't, change the OUs these objects are in).

If you can get your users to use the presentation settings tool suggested by Evan Anderson, that's great, but my experience is that the users who complain about this type of thing are also the ones who won't lift a finger to fix the problem, and expect IT to fix it for them, so you may end up having to fix it for them, with a different GPO.

Author by

Joe B

Updated on September 18, 2022

Comments

  • Joe B
    Joe B over 1 year

    I've been asked to look into a solution for our remote laptop users who are trying to give presentations in PowerPoint and Excel when at customer sites. We are running a Server 2008 / Win 7 environment. We have a group policy that locks everyone's PC after 5 minutes of inactivity and requires a password to log back in. I've been asked if I can change this setting for users on laptops when they log in but are not locally on the domain. They would like to be able to adjust it so that the screen does not lock when they are giving presentations in PowerPoint, Word, or Excel. As far as I know PowerPoint disables the screensaver while in full screen mode, but I'm not sure how to achieve this with the other programs. I've tried looking at presentation mode on the laptops, but because of group policy the setting to "disable screen saver" is greyed out. Any ideas? Thanks.

    • Nathan C
      Nathan C over 10 years
      Starring this because I have the same issue...curious to see solutions.
    • Zoredache
      Zoredache over 10 years
      I had a troubling situation, and I installed and used Caffeine. zhornsoftware.co.uk/caffeine/index.html
    • Spence
      Spence over 10 years
      @Zoredache - I love it! I wish it could make the mouse pointer shake, though.
    • Joe B
      Joe B over 10 years
      @Evan ...my sentence is complete. Read it. I CAN turn presentation mode on and off, but in the SETTINGS for presentation mode the option to disable the screensaver is greyed out and can't be checked because of our group policy. All of this was explained in the original question.
    • Spence
      Spence over 10 years
      @JoeB - You're getting defensive rather needlessly. I'm certainly sorry that I parsed your sentence poorly.
    • Joe B
      Joe B over 10 years
      @Evan Anderson, I'm sorry you feel that way but I was simply pointing out the obvious. You've replied to every chain of replies in this post, and have either been completely off-base or have provided nothing of value. It's pretty obvious you are out of your depth, as we are far past the rudimentary steps you have suggested ...when you are actually suggesting something. I take the time to type out the question, you take the time to type out an answer. That's how this works. It's not I take the time to type a question and then re-explain it to you at your leisure.
    • Spence
      Spence over 10 years
      @JoeB - It's everything I can do to remain professional in this discourse. I'll try not to lower myself to your level. I "know how this works". I've answered over 2,400 questions on Server Fault in the last 4.5 years. As for being "out of my depth" I suspect you've created a number of guffaws from other members of this site. Your assessment of my skills is immaterial to me. My history of answers speaks for itself. I hope my answer is useful to you. If it isn't hopefully it will be to someone else who comes along in the future. (Perhaps someone who acts a bit less indignant and entitled.)
  • HopelessN00b
    HopelessN00b over 10 years
    @EvanAnderson Yeah, not applicable in my experiences. Laptops generally aren't shared resources (in my experience), so it's the same user on it all the time. Unless they want to issue shared laptops for presentation purposes, or whatever. I've only had to use loopback processing on shared workstations that stayed in the same physical location... like a computer terminal on a production line. In any event, I'd upvote your edited answer if I hadn't already upvoted the unedited one. :)
  • Spence
    Spence over 10 years
    It's not the shared resource that I'm worried about, so much as not tying the screensaver being disabled to the user. That way if they move to a desktop they get the appropriate screensaver policy w/o having to require some provisioning changes to their user account.
  • Joe B
    Joe B over 10 years
    Thanks for the reply. Like I said, presentation mode can be turned on and off, but the setting for disabling the screensaver is greyed out and can't be checked because of group policy. They want these users' PCs to still lock after 5 min of inactivity, except when they are doing presentations. Is that even possible? I wouldn't want to permanently change their screensaver settings, because they have sensitive data on them and must lock in the event that it's lost or stolen.
  • Joe B
    Joe B over 10 years
    Thanks for the reply. I could get them to use presentation settings but the problem is the option to disable the screensaver is greyed because of group policy.
  • HopelessN00b
    HopelessN00b over 10 years
    @JoeB It sounds like the far superior solution is to issue "presentation laptops" that don't contain sensitive data, rather than dancing around the issue of having sensitive data on laptops that you then take out and show off to the world. And in this instance, you'd a) want to use the loopback processing and b) not want to rely on a screensaver to protect sensitive information. Encryption, or it doesn't matter. I can read the data of a hard drive on a stolen laptop just fine, regardless of what screensaver settings you have applied via GPO.
  • Spence
    Spence over 10 years
    @JoeB: How will the computer know it's giving a presentation if you don't put it into presentation mode? You seem to be talking around the issue at the root of it. PowerPoint notifies Windows that a presentation is occurring, Excel and Word do not. Give the user icons to toggle presentation mode when they're giving presentations and the screensaver won't kick-in. This circumvents the need for the user to be modifying the screensaver settings which, as you're seeing, is prevented when a Group Policy Object applies screensaver settings. What am I missing?
  • Joe B
    Joe B over 10 years
    Yes they are whole disk encrypted. =)
  • Joe B
    Joe B over 10 years
    @Evan The problem is when I turn presentation mode on, it still goes to screen saver for Word and Excel. Full screen mode or not. I suspect this is due to our group policy, since in presentation mode setting the "disable screensaver" box is greyed out and can't be checked.
  • Joe B
    Joe B over 10 years
    @Evan Anderson Big help ...thanks for the comment.
  • HopelessN00b
    HopelessN00b over 10 years
    @JoeB If you have whole disk encryption, it seems to me like a better strategy would be to control hibernation via GPO, rather than screen savers. Close lid, hibernate laptop. Unless, somehow, your users have managed to find a way to get their laptops lost/stolen without closing the lid... in which case, you may just need to find smarter employees. But if you can control the hibernation settings, and protect data that way, it seems like you could ease out on the screen-saver timeout settings a bit (15 or 30 mins, for example) to accommodate presentation use, without compromising security.