Due to security compliance, a customer recently asked me to apply a setting that would force a screensaver after an idle time of 20 minutes. At the same time, employees should be able to change the timeout value to anything between 1 and 20 minutes.
Group Policies (GPOs) do not provide this functionality, and since the customer does not use any additional tooling, it had to be done with a custom script (see below).
Screensaver settings are saved in the registry (HKEY_CURRENT_USER\Control Panel\Desktop). Changing the values at logon therefore looked like the easiest solution. However, since changes to the registry are not applied in real time to the current user session, users had to log off and on again to activate the new settings.
To solve this, I had to use the following command: rundll32.exe user32.dll, UpdatePerUserSystemParameters
This command does the same as clicking the “OK” button in the Screensaver window. Changes made in the registry are then immediately applied in the same Windows session. Neat!
All but one of the desired functions were now accomplished. The last step was to force the timeout value to be between 1 and 20 minutes. With PowerShell, this can be done quite easily: check if the current timeout is between 1 and 20 minutes. If so, do nothing. If not, reset the value to 20. In this way, users who set their timeout value to 10 minutes will not be bothered.
One drawback is that users can still adjust the timeout value while they're logged on to Windows. Screensaver settings are user settings after all. However, users will learn fast if you schedule the script to run every hour. 🙂
Here's the PowerShell script for anyone who's interested. If you have comments or questions, feel free to reply!
#Values to customize
$ScreenSaveActive = 1 # set to 1 if you want the screensaver enabled, 0 to disable
$TimeOutValue = 1200 # number of idle seconds before screensaver gets active
$ScreenSaverFile = "C:\Windows\system32\scrnsave.scr" # full path to screensaver file
$ScreenSaverIsSecure = 1 # set to 1 if you need a password to get out of screensaver, a.k.a. unlocking the pc

#If the screensaver is not compliant with $ScreenSaveActive, we reset it to the preferred value
if((Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveActive" -ErrorAction SilentlyContinue).ScreenSaveActive -ne $ScreenSaveActive)
{
    Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveActive" -Value $ScreenSaveActive
}

#If user set screensaver timeout to a value larger than $TimeOutValue (1200 seconds = 20 minutes), we set the value back to $TimeOutValue
#A missing value is read as 0 and is reset as well
[int]$Current_TimeOutValue = (Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveTimeOut" -ErrorAction SilentlyContinue).ScreenSaveTimeOut
if($Current_TimeOutValue -eq 0 -OR $Current_TimeOutValue -gt $TimeOutValue)
{
    Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveTimeOut" -Value $TimeOutValue
}

#If no screensaver file is set or if the path doesn't exist anymore, we set it to the blank screensaver
$Current_ScreenSaverFile = (Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "SCRNSAVE.EXE" -ErrorAction SilentlyContinue)."SCRNSAVE.EXE"
#Check for null/empty first so that Test-Path is never called with an empty path
if([string]::IsNullOrEmpty($Current_ScreenSaverFile) -OR (Test-Path $Current_ScreenSaverFile) -eq $false)
{
    Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "SCRNSAVE.EXE" -Value $ScreenSaverFile
}

#If the screensaver "lock" is not compliant with $ScreenSaverIsSecure, we reset it to the preferred value
if((Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaverIsSecure" -ErrorAction SilentlyContinue).ScreenSaverIsSecure -ne $ScreenSaverIsSecure)
{
    Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaverIsSecure" -Value $ScreenSaverIsSecure
}

#Before our changes become active in the current Windows session, we need to run the following command more than 3 times
for ($i=1; $i -le 4; $i++)
{
    rundll32.exe user32.dll, UpdatePerUserSystemParameters
}
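One way to set up the hourly schedule mentioned above is a scheduled task that runs in the logged-on user's own session. This is an added example, not part of the original post; the script path and task name are assumptions, and it has to be run from an elevated prompt.

```powershell
# Added example: register a per-user task that runs the enforcement script
# at logon and then every hour.
# Assumptions (not from the original post): the script path and the task name.
$ScriptPath = 'C:\Scripts\Set-ScreenSaverPolicy.ps1'   # hypothetical location
$TaskName   = 'Enforce screensaver timeout'            # hypothetical name

# Keep the script in a folder that standard users cannot write to; otherwise
# the task would run whatever a user puts there.
if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Script not found: $ScriptPath"
}

# Run hidden and without loading the user's PowerShell profile.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -File `"$ScriptPath`""

# Two triggers: one at logon, one repeating every hour from now on.
# Older Windows versions also need -RepetitionDuration on the second trigger.
$AtLogon = New-ScheduledTaskTrigger -AtLogOn
$Hourly  = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1)

# The script edits HKCU and refreshes the current session, so the task must run
# as the interactive user. Running it as SYSTEM would change SYSTEM's own hive
# and leave the user's screensaver settings untouched.
$Principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

# The script finishes in seconds; stop it if it hangs and never stack instances.
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $Action `
    -Trigger $AtLogon, $Hourly -Principal $Principal -Settings $Settings -Force

# Show what was registered so the principal and triggers can be checked.
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State, @{ n = 'RunsAs'; e = { $_.Principal.GroupId } }
```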
This is a great script I was looking for. Thanks for sharing.
I have applied this script in two of my forests; however, in one of my domains PowerShell is restricted from running due to security concerns, and I am unable to run this, as I think it will not work since PowerShell scripts are in restricted mode.
Do you have any script that works the same but in VB, so that it can be applied through GPO?
Or please suggest if there is a workaround so that we can still run PowerShell scripts without overriding security.
You could try to sign the PowerShell script with your PKI. As long as the PKI is trusted at your client, the script will run (RemoteSigned).
Nice code, but I feel there is a little error in the “1200 minutes”.
I think it’s in seconds, no?
cheers, E.R.
Yes, 1200 is in seconds. Thanks for noting that! I’ll update the comment in the script! 🙂
Wow, amazing… thank you!
I’ve tried the script and it doesn’t seem to work. The script gets through all steps correctly, but then when I go into Settings, nothing has changed. If I set it to 1 hour in Settings and run the script (nothing changed, it will set it to 20 minutes), it will remain at 1 hour in Settings even if I close Settings and re-open it 5 minutes later.