Bypassing the screen saver policy defined by GPOs

Microsoft Group Policy is a great thing, until it gets in your way.  One of these policies is screen saver policy that locks out the workstation after X minutes of  inactivity when someone is logged in. Example: you want to build a new PC for a user, so
you have them log into the new PC back in IS. You walk away for 10 minutes and bang, the screen is locked asking for their password.

Now the policy is there to prevent someone walking up to a workstation and using someone else’s account.  Unfortunately, the life of the IT professional involves having to log in as the user to setup printers, e-mail, favorites, data, etc.  USMT will only go so
far: you can’t setup rules for everything.

There are two ways of handling this situation (actually, there are more, but I will focus on the PC side of things since that’s where you are guarantee to have full control of the environment):

Don’t Sleep 2.0.  This is a freeware program will prevent the screen saver from kicking in.  You can log in as the user and run the program.  As long as the program is running, the computer will not lock.  This is the simplest, easiest way of doing the task without  installing any program or modifying the computer in any way.

The second way is to temporarily blocking the GPO from modifying the Desktop key in HKCU (the user’s registry).

Drill to HKEY_CURRENT_USER\Policies\Microsoft\Windows\Control Panel\Desktop

Right-click on the Desktop key and click on Permissions.  Click on the SYSTEM account. Under the Deny tab, click the boxes Full Control and Read.  Click Apply, then OK. In the right pane, change ScreenSaveActive to 0, ScreenSaverIsSecure to 0 and
ScreenSaveTimeOut to 99999999.  To test this, open a command prompt and type “gpupdate /force”.  If you did this correctly, the values in the right pane should NOT change. If you go back and uncheck the Deny entries and re-run gpupdate, the values should change back to correct values.

Now you can build the computer, have the user log in and keep them logged in to do your work.  You obviously want to do this in a secure area.

Don’t forget to uncheck the Deny entries when you are done.  Personally, I would just use Don’t Sleep 2.0 since it is the least invasive method.

– Soli Deo Gloria

4 Replies to “Bypassing the screen saver policy defined by GPOs”

  1. That is great if you have access to the registry or can install software. What about the poor drone who has to live with the stupid policy – every time you turn your head, you have to put in a password. It starts to become muscle memory. Argghh!
    I found an app called Screen Saver Killer on the iOS app store you can use to keep your screen alive. The best part is there is no physical connection so it is undetectable. You just run the app and place your mouse on the screen, when you step away the screen stays unlocked.

  2. Another thing you can do is download a portable app that constantly sends keyboard signals for an unused key, like scroll lock. That should prevent the screensaver from launching everytime you turn your head

  3. I still stand by Don’t Sleep for this issue. It’s now up to version 7.0 after all these years and still works great and is completely portable and freeware.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.