Group Policy Snafu - Newbie

S

Scott R

Hello,


History:
In my company we've decided to remove the screen saver tab from the general
population due to the fact that our clients were disabling their screen
savers and then of course claiming their machines were not secure.

To this end we placed a group policy assigning a basic screen saver along
with a set time out and locking capability.

We are running W2K-sp2 on our servers and our desktops are running Windows
XP-SP1.

Problem:
The problem is that for some reason only some of the clients are getting
this policy applied on their machines in the form that the screen saver is
not being locked. They are getting the right screen saver and the screen
saver tab is successfully removed. On other machines the policy comes down
with no issues as designed.

Gpresult shows no issues and correct OU and policy are applied but the
screen savers are still not locking after the set time.

Hopefully I painted an accurate picture what is happening or not happening
here. Any comments/suggestions are most welcome and I appreciate you taking
the time to read this thread.

Regards,

Scott R
 
J

Jon Viehe

Do you possibly have a GPO in a lower level that is overriding that option?
You might also check in the event log and see if policies are not being
applied for some reason.
 
S

Scott R

Jon,

Thanks for taking the time to read my thread and replying. I am not seeing
anything in the logs and the other policy (1) does not contain any
conflicting entries.



Scott
 
J

Jr.

I'm trying the same thing with both win2000 and xp
clients....have you found out what was wrong ?
Thanks,
 
D

Diana Smith [MSFT]

Hello,

The best way to troubleshoot this issue is to enable userenv debug logging
on a working client and a non working client and compare the userenv.log
from both.

Here is the article to enable userenv debug logging:
221833 How to Enable User Environment Debug Logging in Retail Builds of
Windows
http://support.microsoft.com/?id=221833

Thank You.

Diana.
 
S

Scott R

Jr,

Not revelations yet... Going to try Diana's recommendation and see what
comes up.

Good Luck - Will advise, please do so likewise.

Scott R
 
S

Scott R

Thank you!

I will try this and get back to you with the results. I appreciate your time
and effort.

SDcott R
 
S

Scott R

Diana,

When I reg into these machines I do see the correct entries where the policy
is being applied. FYI

Key Name:
HKEY_USERS\S-1-5-21-1921271944-1204571097-1775256748-1839\Software\Policies\
Microsoft\Windows\Control Panel\Desktop
Class Name: <NO CLASS>
Last Write Time: 9/25/2003 - 1:26 PM
Value 0
Name: ScreenSaveActive
Type: REG_SZ
Data: 1

Value 1
Name: SCRNSAVE.EXE
Type: REG_SZ
Data: logon.scr

Value 2
Name: ScreenSaverIsSecure
Type: REG_SZ
Data: 1

Value 3
Name: ScreenSaveTimeOut
Type: REG_SZ
Data: 600


Thanks,

Scott R
 
D

Diana Smith [MSFT]

Hello,

Can you email me a copy of the userenv log file?

Thank You.
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
S

Scott R

Diana,

How can determine when the entries are written to this log... can you advise
where I could to understand when the entries are commmited to the doc.

Thanks

Scott R
 
D

Diana Smith [MSFT]

Hello Scott,

Once the registry key has been added, as soon as the user logs on there
should be infomation in the userenv.log.

You can do a search for the username that logged on to the machine.

Diana.
 
S

Scott R

Diana,
Before I entered the following into the registry I already had a userenv.log
on my machine. This entry didn't seem to change anything either way.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"UserEnvDebugLevel"=dword:00004e20

Did I mess it up and also I wonder why the log was already there?

Thanks,

Scott R
 
D

Diana Smith [MSFT]

Hi,

I have not been able to find any documentation on the value [00004e20].


UserEnvDebugLevel can have the following values:

NONE 0x00000000

NORMAL 0x00000001

VERBOSE 0x00000002

LOGFILE 0x00010000

DEBUGGER 0x00020000

The default value is NORMAL|LOGFILE (0x00010001).

We want the value to be 10002 (Hex).

Thank You.

Diana.
 
A

Andy Tumas

Hi Scott,

I am having this same problem. The only solution that I
have found is to turn Active Desktop off. We tested this
on several machines and the screen savers came on after
our set period of time and the machines were locked.
However, I don't know how to solve this problem without
disabling Active Desktop.

Andy
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top