Bypassing the screen saver policy defined by GPOs

Microsoft Group Policy is a great thing, until it gets in your way.  One of these policies is screen saver policy that locks out the workstation after X minutes of  inactivity when someone is logged in. Example: you want to build a new PC for a user, so
you have them log into the new PC back in IS. You walk away for 10 minutes and bang, the screen is locked asking for their password.

Now the policy is there to prevent someone walking up to a workstation and using someone else’s account.  Unfortunately, the life of the IT professional involves having to log in as the user to setup printers, e-mail, favorites, data, etc.  USMT will only go so
far: you can’t setup rules for everything.

There are two ways of handling this situation (actually, there are more, but I will focus on the PC side of things since that’s where you are guarantee to have full control of the environment):

Don’t Sleep 2.0.  This is a freeware program will prevent the screen saver from kicking in.  You can log in as the user and run the program.  As long as the program is running, the computer will not lock.  This is the simplest, easiest way of doing the task without  installing any program or modifying the computer in any way.

The second way is to temporarily blocking the GPO from modifying the Desktop key in HKCU (the user’s registry).

Drill to HKEY_CURRENT_USER\Policies\Microsoft\Windows\Control Panel\Desktop

Right-click on the Desktop key and click on Permissions.  Click on the SYSTEM account. Under the Deny tab, click the boxes Full Control and Read.  Click Apply, then OK. In the right pane, change ScreenSaveActive to 0, ScreenSaverIsSecure to 0 and
ScreenSaveTimeOut to 99999999.  To test this, open a command prompt and type “gpupdate /force”.  If you did this correctly, the values in the right pane should NOT change. If you go back and uncheck the Deny entries and re-run gpupdate, the values should change back to correct values.

Now you can build the computer, have the user log in and keep them logged in to do your work.  You obviously want to do this in a secure area.

Don’t forget to uncheck the Deny entries when you are done.  Personally, I would just use Don’t Sleep 2.0 since it is the least invasive method.

– Soli Deo Gloria