GPO to Disable Screensaver only when connected via RDP

Is there a GPO option to disable the idle-time screensaver for RDP connections, but keep the idle-time screensaver options for interactive logins?

Edit: All users are TS users as well a local so they are in the same OU. We need the screensaver 'disabled' when they RDP.


Solution 1:

Some months ago I published my solution to this problem here. As a reaction on the post of tfrederick74656 (below) I stated to have a better solution using the Item-level targeting for the Remote desktop.

After I posted this, it worked for one or two days and then did nothing anymore. After some months of doing other things and wondering what really happens I started all over again. And this time I really have the solution to the problem!

Goal: All laptops, desktops and servers with lock screen policy, except RDP's.

It is not an item-level-targeting solution anymore, but a script and one setting together in a GPO. As told on other places there are four settings that you will need:

  • Enable screen saver

  • Enabled Password protect the screen saver

  • Enabled Force specific screen saver

  • Enabled ScreenSaveTimeOut [time in seconds]

Because I don’t know what setting is responsible for this thing to work, I wanted to get them all in the script. One setting I couldn’t find, so this one is separated from the others: Force specific screensaver. (You don’t have to tell the system what screensaver you will need.) The other thing we need is a script: LockDesktopAfter3MinutesExceptRDP.PS1

Here’s the GPO: User configuration - Policies - Administrative Templates - Control Panel - Personalization - Force specific screensaver: Enabled (You don’t have to tell the system what screensaver you will need.)

Group Policy

And here’s the script that I added into the GPO:

$File = "c:\temp\sessions.txt"
query session > $File
$text = Get-Content $File
ForEach ($Line in $text)
{
If ($Line -like '*>console*')
    {
    #console session
    Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveActive -Value 1
    Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaverIsSecure -Value 1
    Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveTimeOut -Value 180
    }
ElseIf ($Line -like '*>rdp-tcp*')
    {
    #RDP session
    Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveActive -Value 0
    Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaverIsSecure -Value 0
    Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop\" -Name ScreenSaveTimeOut -Value 86400
    }
}
# Apply this new policy now (immediately after this registry change)
Start-Sleep -s 10
Start-Process -FilePath "rundll32.exe" -ArgumentList "user32.dll, UpdatePerUserSystemParameters 1, True"

And this is what the script is about:

When you type ‘query session’ in a cmd box, you will get your session and possible other sessions in a few lines. Your own session has a ‘greater-than sign’ at the start of the line.

The powershell script reads this output line by line and checks if ‘>console’ or ‘>rdp-tcp’ is present. Now you know if you are dealing with a remote desktop –desktop or a console-desktop. You can now change the lock-desktop behavior depending on the situation by changing the registry items.

But this is only half of the solution.

The real problem was that you have to tell the system that you want the result NOW. This is done by running the last line of the script.

I hope this will help you out.

Solution 2:

So as @ELT comments, you need to put in place a loopback policy, so full set up would be:

  • Create a GPO on the OU of the server.
  • Set the "Enable screen saver" policy at the user configuration branch to "Disabled".
  • At the Computer Configuration branch, set "Configure user Group Policy loopback processing mode" to "Enabled", mode "Merge".

This last policy will force to calculate the settings of this GPO as if the user belongs to the OU where the server is. Therefore, will take "Enable screen saver: Disabled".