
GPO: configure automatic session locking

In this tutorial, we will see how to use a GPO to enable automatic session locking after a period of inactivity in an Active Directory environment.

This group policy helps increase security, as many users do not lock their session when they leave their workstation.

The settings we are going to configure are User Configuration settings, so they apply to users.

Enable automatic session locking

From a domain controller, open the Group Policy Management console, right-click the OU where the policy should be applied and click Create a GPO in this domain, and Link it here.

Name the policy and click OK.

Now that the policy has been added, right-click it and click Edit.

Go to User Configuration / Policies / Administrative Templates / Control Panel / Personalization to access the settings you want to configure.

Open the Enable screen saver setting and set it to Enabled.

Open the Screen saver timeout setting, set it to Enabled and enter the number of seconds of inactivity before locking.

Open the Force a specific screen saver setting, set it to Enabled and enter the following file: C:\Windows\System32\scrnsave.scr.

Open the Password protect the screen saver setting and set it to Enabled.

The settings for automatic session locking are configured.

Policy summary:

Once the policy is applied to users, their session locks automatically after 15 minutes of inactivity.

Troubleshooting: Session locks before 15 minutes

While writing this tutorial, I encountered this problem:

For a very small number of users, the session may lock after a shorter time. I haven’t found the cause of this problem. To resolve the issue, I recreated the session on the workstation.

Since then, I have found the solution: this happens when a user has configured a screen saver with a shorter time, and this setting remains.

To fix this problem, delete the ScreenSaveTimeOut value in the registry, located under HKEY_CURRENT_USER\Control Panel\Desktop.

This deletion can be done by group policy; see the tutorial GPO: add a registry key.
