True. I was just playing devil's advocate...
-----Original Message----- From: James Winzenz [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2008 4:20 PM To: NT System Admin Issues Subject: RE: AD GPO to lock screen You could also push out the .scr file via a startup or login script - just pop it in the netlogon share. There are all sorts of things you can do, but this starts straying into the realm of behavioral problems that would then need to be solved by disciplinary action. 'Course, this is also another argument for not allowing users to have admin rights. From Ed Crowley: "There are seldom good technological solutions to behavioral problems." James Winzenz Infrastructure Systems Engineer II - Security Pulte Homes Information Services ________________________________________ From: Christopher Boggs [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2008 2:06 PM To: NT System Admin Issues Subject: RE: AD GPO to lock screen Savvy users (with admin rights) will come to realize all they have to do to change the screensaver is replace whatever file you specify in the GPO with whatever file they want.. ☺ ________________________________________ From: Tom Miller [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2008 3:54 PM To: NT System Admin Issues Subject: RE: AD GPO to lock screen Thanks. That what I was thinking. We currently used a forced screen saver so this change will be of no consequence to my user community. >>> "James Winzenz" <[EMAIL PROTECTED]> 10/21/2008 4:48 PM >>> You would actually need to specify the following settings, if you want to a) ensure that a screensaver is specified and b) that it is password protected, forcing the user to unlock their workstation when resuming from the screensaver. All options are under the following: User Configuration | Administrative Templates | Control Panel | Display Screen Saver (enabled turns on screensavers, prevents users from changing) Screen Saver executable name (requires you to specify a standard screensaver that is going to be on all desktops) Password protect the screen saver (to force the user to press Ctr+Alt+Del and unlock their workstation) Screen Saver timeout (how long to wait before the screensaver turns on and therefore locks the workstation) You can get away with not specifying #2, but if a user does not have a screensaver specified and you turn on the other settings, no screensaver will be selected. The best option is to do all of these, but this will kill any users’ special screensavers (prolly a good thing, come to mind . . .) Thanks, James Winzenz Infrastructure Systems Engineer II - Security Pulte Homes Information Services ________________________________________ From: Tom Miller [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2008 1:11 PM To: NT System Admin Issues Subject: AD GPO to lock screen Hi Folks, I am looking for the GPO setting to lock the computer so as the user is required to press control-alt-delete to unlock the screen. I see the GPO settings under User | Policies | Admin Templates | Control Panel | Display | Screen saver timeout, but this doesn't look like what I'm looking for. Tom Miller Engineer, Information Technology Hampton-Newport News Community Services Board 757-788-0528 Confidentiality Notice: This e-mail message, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you. Confidentiality Notice: This e-mail message, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~