Group Policy Lock Screen Configuration

Published 2021-10-01, last modified 2023-11-02. Source: https://activedirectorypro.com/group-policy-lock-screen/

In this guide, you will learn how to use group policy to create a lock screen policy. In addition, I'll show you how to disable (exclude) the lock screen policy for specific users and computers.

In this example, I'll create a policy that locks the screen after 15 minutes of inactivity. You can change the timeout setting to whatever meets your needs. This guide works on Windows 10, Windows 11, Server 2012, and later operating systems.

How to Enable Lock Screen GPO

Step 1. Determine GPO Location

The lock screen policy is a computer policy, which means anyone who logs into the computer will get the lock screen policy applied. Later I will show you how to exclude specific computers from the policy.

It's best to apply this policy to all computers, but there will always be exceptions. I've had requests to exclude conference room computers, computers that are used for 24/7 monitoring, and of course there are always a few users who complain and want it disabled. These requests should all be approved by upper management.

Depending on your OU structure, you could apply the GPO to the root and let the sub-OUs inherit the policy, or you could apply the policy to specific OUs.

In this example, I want the policy to apply to all computers, so I'm going to link the GPO to my ADPRO Computers OU. All the sub-OUs will inherit the policy. In step 4, I'll show you how I exclude specific computers from the policy.

Do not add these settings to the default domain policy. It is group policy best practice not to modify the default domain policy and instead create a new one.

Step 2: Create a New GPO

1. Open the group policy management console.

2. Right-click "Group Policy Objects" and click New.

Give the new GPO a name. For example, I named my GPO "Computer – Lock Screen".

The GPO is created, but now we need to set the idle timeout setting.

There is only one group policy setting that needs to be set: "Interactive logon: Machine inactivity limit".

Browse to -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Change the value to whatever you want. I set mine to 900 seconds, which is 15 minutes.

The GPO is created and the policy setting has been enabled. Now you just need to link the GPO to the correct OU.

Step 3: Apply the Lock Screen GPO

Since this is a computer policy, you must link the GPO to an OU that contains computer accounts. If you link the GPO to an OU that contains only users, the lock screen will not work.

1. In the group policy management console, right-click an OU and select "Link an Existing GPO".

2. Select the GPO you created in step 2 and click OK.

The GPO is now linked.

The GPO refresh interval on a computer is 90 minutes, so keep in mind it could take up to 90 minutes before this policy is applied to all computers. You can refresh it immediately by rebooting the computer or running the gpupdate /force command.

[Screenshot: the GPO linked to the ADPRO Computers OU]

Above is a screenshot showing the GPO linked to my ADPRO Computers OU. All of the sub-OUs will inherit this policy, so computers in the Accounting, HR, and IT OUs will get the lock screen GPO applied.

How to Verify the Lock Screen GPO is Applied

To verify the GPO is applied to a computer, you can use the gpresult /r command. You will need to open the Windows command prompt as administrator, or it can fail to pull the computer policies.

[Screenshot: gpresult /r output]

You can see above that the "Computer – Lock Screen" GPO is applied to this computer.

How to Disable the Lock Screen for Specific Computers

Let's say you have the lock screen GPO applied to all computers, but now you need to disable it on specific computers.

There are two options:

I'm going to show you option 2.

1. Create a security group and add the computers that you want the lock screen policy disabled on. It's very important to give the group a descriptive name and to use the description box.

2. Go into the group policy management console, select the GPO, click the Delegation tab, then click Advanced.

4. Add the security group and click OK.

5. Make sure Read is set to "Allow" and Apply group policy is set to "Deny".

That should do it. The computers in your deny group will need to be rebooted.

When you check a computer with the gpresult /r command, the policy will show as denied.

To deny any additional computers, all you have to do is add them to the security group. I find this method more convenient than moving computers around to different OUs.

Recently Modified GPO Report

The AD Pro Toolkit includes over 200 Active Directory reports such as All GPOs, recently created or modified GPOs, computer or user settings disabled, and much more.

Here is an example report of GPOs modified in the last 30 days.

[Screenshot: report of GPOs modified in the last 30 days]

Download a free trial and create your own GPO reports.

Summary

Enforcing the lock screen on company computers is a very common requirement. Any company that gets audited will always be asked whether this policy is in place; regardless, it's a good policy to have in place. Have fun with those exclusions, ha.