Group policy - computer lockout

Question

Group policy - computer lockout

Zitta Stanislav 21

Greetings Windows experts, Im trying to untangle effect of multiple GPO settings setting roughly similar behaviour. Our environment: Windows Serer 2019 DCs Windows 10 1909 Enterprise clients The settings that puzzle me are:
Power Plan
Turn off display after 30 minutes
Screen saver
Screensaver timeout: 3600 seconds
Password protect screensaver: Disabled
Enable Screensaver: True
Local policies/security options
Interactive logon: Machine inactivity limit: 7200 seconds
... to me, it looks like that all three groups (marked as bold) take care of the same settings, however, with different values. What takes precedence, what will be the result of all these 3 group policy settings?
Thank you in advance for the feedback, take care. SZ

Accepted answer

0 additional answers

Your answer

Answer 1

Anonymous

Hi,

The three policies are not for the same setting. But they do have a close connection.

Turn off display: You can specify how long your PC is inactive before all your connected displays turn off. When your display turns off, you would just need to move the mouse, touch the touchpad or touchscreen, click a mouse or touchpad button, or press a key for the display to turn back on. Password not needed .

Screen savertimeout : A screen saver is a moving picture or pattern that displays on the screen(s) of your PC after you have not been active on the PC for specified period of time to wait. It was used to force the computer screen to lock itself after the inactivity time you set . To login ,it requires password or not depends on the Password protect screensaver is Disabled or enabled.

Interactive logon: Machine inactivity limit.(close to screen saver timeout setting)If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine).

For your questions: what will be the result of all these 3 group policy settings
The device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
The password is needed for both the 3 situations mentioned above.

Best Regards,

Zitta Stanislav 21 Reputation points

2021-02-05T06:30:07.373+00:00

Hello,

thank you for thorough explanation. The topic is much more clear to me now. However, from what you've written, another question arose. You wrote:

Turn off display:
... password not needed.

For your question:
... The password is needed for both the 3 situations mentioned above.

I understand that in the first part of your post, you've described how the settings behave when configured alone, hence "password not needed" when it comes to "turn off display".

My (hopefully last) question will be: what is the game changer here? What says "hey, we ordinarily don't require password when the displays turn off due to power plan, but we will from now on". What decides about the bold part in the previous sentence?

Thank you for your effort and willingness to help, take care.
SZCZ
Anonymous

2021-02-08T07:07:28.13+00:00

Hi，
It was decided by the policy :Interactive logon :Interactive logon: Machine inactivity limit
Once this policy was defined ,all the following situations ( Machine inactivity limit, screensaver activates or when the display turns off because of power settings) would require a password to back on.
Zitta Stanislav 21 Reputation points

2021-02-10T19:37:26.57+00:00

Hello, all clear now, moreover, I am trying various combinations of the settings in a lab and I am starting to understand. Thank you for pointing me in the right direction, kind sir / kind lady. Have a great day.

Share via

Group policy - computer lockout

0 additional answers

Your answer