"Lock workstations" after a certain idle time. Is it advisable to do it from the server side?

Marlon Brown

In my organization I have asked trainers/helpdesk to always advise users to
do CTRL+ALT+DEL and lock workstations when they go away from their
computers.

I have one of our senior managers asking why we don't enforce the "lock
workstations" on our WinXP/Win2000Prof automatically in case users leave
workstations idle for a certain period of time.

My first thought is that enforcing this would cause more support issues.
By the way, do we have a way to do such a 'lock the workstations' via Group
Policies? The way I know it can be done is via the screensaver on the
respective workstations.
Please advise if there is a way to do that from the server side, and also if
that's something people are doing out there or whether it is more effective to let
users lock their workstations on their own.
 
Anthony Yates

You need to set the User screensaver policy in User Configuration:
Administrative Templates: Control Panel: Display. The benefit of the policy
is that it applies when users walk away and forget, or leave themselves
logged in to allow someone else to use their account.
Anthony
 
Michael Ellingson

We've started to do this in our organization.

I created two Organizational Units to separate server users from workstation
users. Then I created two separate group policies to force the screensaver
to lock after a specified amount of time for workstation users and server
users were forced to never lock since they are in a secured environment and
administrators need to be able to walk up and glance at the server status.

Alternatively, you could leave all your users in a single OU, create the
group policy to lock the screensaver, and then deny rights to read the
policy for the server users.

From a political standpoint, if your users are not ready for the change,
prepare for wailing and gnashing of teeth. We didn't have any policy
(verbal or electronic) in place before we implemented the Group Policy, and
there were a lot of unhappy people who had to unlock their
workstations. That storm blew over pretty quickly, since it does help security
a great deal.

Another note: In XP, you can lock a workstation by hitting WIN+L.

Good luck!
 
Ryan Hanisco

Marlon,

Anthony is correct on the way to set this, but you have more to think about
than just the technical issues... Always let the technology follow the
business needs, never the other way around.

Enforcing this policy is a good idea from a business standpoint as it helps
to mitigate the risk of unauthorized access. Court cases have shown that an
unlocked terminal or even a logon prompt without a warning can be considered
an invitation for use. This opens you up to legal and personnel problems.

This strongly points at doing this from a centralized point rather than
allowing your users any control over this. You would also be wise to use
the logon message to specify that access is for Authorized Use only in
accordance with your company's AUP -- Some even go as far as to post the
entire AUP on every logon.

While there may be some initial headaches for your helpdesk, they will be
short-lived. This is something that users will see every day and will
quickly disappear as it becomes one of their daily tasks. Spend 5 minutes
creating a PDF with screen shots to send to everyone with a cutover date and
get management buy-in (sounds like you already have that) to draw fire.
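As an added example (my own script, not code from anyone in this thread), here is how the two-OU / two-GPO layout Michael describes, plus the logon banner Ryan recommends, can be provisioned from the domain side with the RSAT GroupPolicy and ActiveDirectory modules instead of by hand in the GPMC. The OU names, GPO names, the 15-minute timeout and the banner wording are assumptions; adjust them for your domain. The registry values written are the ones behind the "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" settings under User Configuration\Administrative Templates\Control Panel\Display.

```powershell
# Added example: centralised idle-lock policy, built with RSAT cmdlets.
# Run as a domain admin on a machine with the GroupPolicy and ActiveDirectory modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName
$timeoutSec = 15 * 60   # assumed idle time before the lock engages
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$systemKey  = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Two OUs so workstation users and server users receive different settings
#    (Michael's layout). Names are assumptions.
foreach ($ou in 'Workstation Users', 'Server Users') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}

# Helper: fetch a GPO by name or create it.
function Get-OrCreateGpo([string]$Name) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

# 2. Workstation GPO: screensaver on, password protected, timeout set.
#    SCRNSAVE.EXE is deliberately left unset so each user keeps their own saver.
$ws = Get-OrCreateGpo 'Lock Idle Workstations'
Set-GPRegistryValue -Name $ws.DisplayName -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '1' | Out-Null
Set-GPRegistryValue -Name $ws.DisplayName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null
Set-GPRegistryValue -Name $ws.DisplayName -Key $desktopKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$timeoutSec" | Out-Null
New-GPLink -Name $ws.DisplayName -Target "OU=Workstation Users,$domainDn" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Server GPO: screensaver explicitly disabled so consoles stay visible,
#    matching Michael's "never lock" setting for the server OU.
$srv = Get-OrCreateGpo 'Server Console No Lock'
Set-GPRegistryValue -Name $srv.DisplayName -Key $desktopKey -ValueName 'ScreenSaveActive' -Type String -Value '0' | Out-Null
New-GPLink -Name $srv.DisplayName -Target "OU=Server Users,$domainDn" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4. Logon banner (Ryan's point): an "authorized use only" notice shown before
#    every logon. Linked at the domain root; caption/text are placeholders.
$banner = Get-OrCreateGpo 'Logon Banner'
Set-GPRegistryValue -Name $banner.DisplayName -Key $systemKey -ValueName 'LegalNoticeCaption' -Type String -Value 'Authorized Use Only' | Out-Null
Set-GPRegistryValue -Name $banner.DisplayName -Key $systemKey -ValueName 'LegalNoticeText'    -Type String -Value 'This system is for authorized use in accordance with the company AUP. [placeholder text]' | Out-Null
New-GPLink -Name $banner.DisplayName -Target $domainDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

Get-GPO -All | Where-Object DisplayName -in 'Lock Idle Workstations', 'Server Console No Lock', 'Logon Banner' |
    Select-Object DisplayName, Id, GpoStatus
```

Because the settings are written as registry policy rather than in the Security Settings editor, the banner values show up under the GPO's Computer Configuration registry settings; a `gpupdate /force` on a test machine followed by a logoff is the quickest way to confirm both the banner and the lock appear as expected before the cutover date.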
 
Marlon Brown

You guys are rocking. Thanks for your input.

 
Marlon Brown

In order to enable the 'lock workstation' screensaver,

On User Configuration\Administrative Templates\Display

Do you have to configure
"Screen Saver executable name"
AND
"Password protect the screen saver"?
Please advise.
 
Michael Ellingson

I was able to not configure the "Screen Saver executable name" and it worked
just fine. The workstations would lock and not display a screen saver.
This also left a choice of a screen saver open to each user if they had a
favorite that they wanted to use. I've only enabled "Screen Saver",
"Password protect the screen saver", and "Screen Saver timeout" policies.
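To verify on a workstation that the three settings Michael lists have actually arrived, here is an added check script (mine, not from the thread). Policy-delivered values land under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop and take precedence over the user's own settings under HKCU\Control Panel\Desktop, so the script reads the policy key first and only consults the user key to report which screensaver, if any, the user picked. The function name and the 'none' label are my own.

```powershell
# Added example: report whether the idle-lock policy is in effect for the
# current user on this workstation. Run as the user after "gpupdate /force".
function Get-IdleLockStatus {
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'

    # Read one registry value, returning $null if the key or value is absent.
    function Read-Value([string]$Key, [string]$Name) {
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # Values written by the three policies Michael enabled (all REG_SZ):
    $active  = Read-Value $policyKey 'ScreenSaveActive'     # "Enable screen saver"
    $secure  = Read-Value $policyKey 'ScreenSaverIsSecure'  # "Password protect the screen saver"
    $timeout = Read-Value $policyKey 'ScreenSaveTimeOut'    # "Screen saver timeout", seconds

    # "Screen Saver executable name" writes SCRNSAVE.EXE into the policy key;
    # when it is left unconfigured, the user's own choice lives in the user key.
    $forcedSaver = Read-Value $policyKey 'SCRNSAVE.EXE'
    $userSaver   = Read-Value $userKey   'SCRNSAVE.EXE'

    $timeoutMinutes = $null
    if ($timeout) { $timeoutMinutes = [math]::Round([int]$timeout / 60, 1) }

    $saver = 'none'
    if ($forcedSaver)  { $saver = "$forcedSaver (forced by policy)" }
    elseif ($userSaver) { $saver = "$userSaver (user's choice)" }

    [pscustomobject]@{
        PolicyPresent  = ($null -ne $active) -or ($null -ne $secure) -or ($null -ne $timeout)
        LockEnforced   = ($active -eq '1') -and ($secure -eq '1')
        TimeoutMinutes = $timeoutMinutes
        ScreenSaver    = $saver
    }
}

$status = Get-IdleLockStatus
$status | Format-List

if (-not $status.PolicyPresent) {
    Write-Warning 'No screensaver policy found in HKCU\Software\Policies. Check the GPO link and security filtering (gpresult /r).'
}
elseif (-not $status.LockEnforced) {
    Write-Warning 'Policy is present but the lock is not enforced: both "Enable screen saver" and "Password protect the screen saver" must be Enabled.'
}
```

If `PolicyPresent` is false on a machine that should be in the workstation OU, `gpresult /r` shows which GPOs were applied and which were filtered out, which is usually where an OU move or a read-permission change has gone wrong.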