[link470]

So last night I decided I'd enable a Screen Saver lockout policy. All Screen Savers in the building for staff accounts only lock out after 5 minutes. I taught them the Windows Key + L combination for locking their systems last year and you guys as systems engineers as well would know how many people actually do that, I'll give you a hint, it's less than 5

So I enabled the Screen Saver policy. Of course, it's now the next morning, and I've received one complaint. The only complaint was that the office staff didn't want it. What was funny about that was they said "ya we just get up and go to the file room for a second and get some files, go to put my lunch away in the fridge, and then come back, and it's locked and we have to type in our password" as I give them a rather blank look thinking to myself "yes, there lies the vulnerability, that's why it's locked. I'm sorry I took a second out of your day to retype it and secure your system while you left it " Oh well, I bumped it up to 10 minutes for them, we'll see how it goes.

So anyways, what I'm wondering is, well, first off, what are your opinions and successes of the lockout policy? I enabled it first off because of course we have some people called students in the building and as charming as a lot of them are, as a security precaution I prefer the systems with raised privileges, the staff, have a locked system. What are your stories about using the Screen Saver and a wake up password prompt?

Ok, now for the question. The teachers can log into projector laptops, as can the students. Since the GPO is applied to all staff, if the staff log into a laptop, the policy still applies. Now, for PowerPoint and Windows Media Player, that's not a problem, because as far as I know those programs temporarily disable the Screen Saver, but if the teacher has a word document up on the screen or something with notes for the students, or even a youtube clip, the screen saver will activate after 5 minutes. Is there a way to NOT apply the policy IF the teachers are signed into a certain system? I know that might be hard, and I have bad experience with loopback policies screwing things up, but if anyone has similar situations or suggestions that would be totally rad.

Thanks again! Stay cool. It's getting hot out here where I live. Thank God the server room is the coolest place in the building due to AC.

[Michael]

As you have found, enabling the screensaver lockout policy is a good procedure to adhere to, but in reality it can create real problems - especially with interactive whiteboards. If the teacher is using an interactive pen or moving the mouse it's fine, but typically teachers may then leave something on the whiteboard for children to copy (for example). 5 minutes won't be enough and then the screensaver kicks in...

There's no real solution to this, so I have no choice but to set teachers to an hour of lockout. Admin staff are locked out every 30 mins. You need to get the balance right in terms of keeping secure but not annoying your users (very important). It's also important for teachers to know they have higher access rights than children and they have a duty of care to protect data stored on staff common areas.

[DrPerceptron]

You can disable it for certain systems, you'll just have to enable Loopback Merge Mode - we used to have the setup here, however we've just gone back to having a blanket lockout.

If people don't want the lockout, we offer 15, 30 and 60 minute versions of the lockouts, but ultimately, it will remain. New staff appear to just agree with the system and older staff will know why it's in place - data protection apparently isn't something teachers cared about too much...

[link470]

Quote:

Originally Posted by DrPerceptron

If people don't want the lockout, we offer 15, 30 and 60 minute versions of the lockouts, but ultimately, it will remain. New staff appear to just agree with the system and older staff will know why it's in place - data protection apparently isn't something teachers cared about too much...

That's the problem I'm having here and expected. Only a couple complaints so far, but to be expected. I'm trying some things and am going to revert back to no screen saver policy for a couple days while I test some systems. To revert back, I can't just set those policies to Not Defined again can I? Cause won't whatever was applied last stay? Do I need to set them as disabled if I wish to remove it?

[burgemaster]

15min here for 4 years now...

Regular complaints from the science staff that when playing a 30min movie they have to move the mouse once in that time !

The wmp disable screensaver doesnt seem to work here, if it does that would be great !

[DrPerceptron]

I think you can just set them back to not set, It's been a long while since I turned a group policy setting off, so can't remember - usually when it's not configured, it acts in its default state.... which is explained in the explanation of the object.

Can't say I've experienced the WMP disable of screensavers either, would definately be handy to know about though

[maniac]

I think it would be possible to write a VB script which looked at the machine name and altered the appropriate registry settings accordingly. I've not got time to do it, but I'm pretty certain it's achievable.

Mike.

[OutToLunch]

Maybe as an alternative, install one of the 'hot corners' apps on the projector laptops - the little freeware apps that disable the screensaver if the mouse is left in a specific corner of the screen...

Edit - Something like this - http://programsforpeers.googlepages.com/hotcorners