How to circumvent or alter screen timeout group policy when not on the domain?

I've been asked to look into a solution for our remote laptop users who are trying to give presentations in PowerPoint and Excel when at customer sites. We are running a Server 2008 / Win 7 environment. We have a group policy that locks everyone's PC after 5 minutes of inactivity and requires a password to log back in. I've been asked if I can change this setting for users on laptops when they log in but are not locally on the domain. They would like to be able to adjust it so that the screen does not lock when they are giving presentations in PP, Word, or Excel. As far as I know PowerPoint disables the screensaver while in full screen mode, but I'm not sure how to achieve this with the other programs. I've tried looking at presentation mode on the laptops, but because of group policy the setting to "disable screen saver" is greyed out. Any ideas? Thanks.


Solution 1:

I've been able to demonstrate to myself that the presentationsettings tool that I originally suggested does "respect" the Group Policy settings that prevent a user from changing their screen saver. I wasn't aware of this behavior but it certainly makes sense, given that users would just use this tool to exempt themselves from screen savers when nothing presentation-related was happening.

As @HopelessN00b mentions, you may want to change the Group Policy as it applies to the "remote" laptop computers. You'll need to invoke Loopback Policy Processing because screensaver settings are per-user, not per-computer. Loopback Policy Processing allows you to apply user settings to a computer irrespective of the user who has logged on.

The feature is, unfortunately, confusing to a lot of people. It has a couple of different "modes" (Merge versus Replace) that make it even more confusing. For your application, you could create and link a GPO to a hypothetical "Remote Laptop Computers" OU that enables Loopback Policy Processing in "Merge" mode in its "Computer Configuration" section and, in its "User Configuration" section, sets the screensaver properties to whatever you'd like. When next those machines are rebooted (because the switch from non-Loopback to Loopback requires a reboot-- background policy refresh won't enable it) you'll see the machines begin to pick up the screensaver settings from this new GPO.

Short of writing some kind of hackish client-side service program to reach into the user's registry and toggle the Group Policy screen saver restriction value (since the user can't do it themselves because of registry permissions) I think you're stuck in a situation where you're going to have to choose the lesser of the evils and either disable screen saver restrictions for users on the laptop computers, use some third-party "mouse jiggler" or keyboard simulation software, or just tell the users to live with it.


Edit:

There are any number of third-party programs that can do what you're looking for, but there's a certain "elegance" to doing things with only built-in OS components.

Here's a little VBScript program, suitable for execution by wscript.exe (meaning that you could deploy this w/ Group Policy Preferences directly into the computer's "Startup" folder) that should do what you're looking for, assuming that your domain's DNS name isn't able to be resolved externally to your network. (If it is able to be resolved externally then, frankly, you get what you deserve.)

This script sits in a polling loop, using nslookup to resolve the domain named in the USERDNSDOMAIN environment variable. It polls every 10 seconds, but you can modify that by altering the Const POLL_DELAY line. (The strange gyration of executing itself again is necessary because, if executed only by wscript.exe, a window will briefly appear on each polling interval-- not a good thing at all.)

When the domain name doesn't resolve the "F15" key is "pressed", causing enough activity that Windows will not activate the screensaver.

This script was tested on Windows 8.1 x64 logged-on with a domain user who had a Group Policy Object applying to them that included the Administrative Template settings:

  • Enable screen saver - Enabled
  • Prevent changing desktop background - Enabled
  • Prevent changing screen saver - Enabled
  • Password protect the screen saver - Enabled
  • Screen saver timeout - Enabled - 30 seconds
  • Force specific screen saver - Enabled - scrnsave.scr

My test methodology was as follows:

  • Place the program, named ss.vbs, into the computer's "Startup" folder
  • Logon to the computer as a user with the above Group Policy settings applied
  • Verify that the screen saver starts after 30 seconds of inactivity
  • Unlock the machine
  • Disconnect the computer's network interface card
  • Verify that the screen saver does not start after several minutes of inactivity
  • Reconnect the computer's network interface card
  • Verify that the screen saver starts after 30 seconds of inactivity
  • Logoff to verify that the script doesn't "hang" or otherwise disturb the logoff process

On a Windows 8.1 x64 machine the script is doing exactly what I want.

Option Explicit

' Delay, in seconds, between attempts to resolve the domain name 
' and pressing the "F15" key.
Const POLL_DELAY = 10

Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")

Dim objExec
Dim intFound

If UCase(Right(WScript.Fullname, 11)) = "WSCRIPT.EXE" Then
    While 1
        intFound = objShell.Run("cscript.exe """ & WScript.ScriptFullName & """", 0, True)

        If intFound = 255 Then objShell.SendKeys("{F15}")

        WScript.Sleep(POLL_DELAY * 1000)
    Wend
Else
    Set objExec = objShell.Exec("nslookup " & objShell.ExpandEnvironmentStrings("%USERDNSDOMAIN%"))

    While Not objExec.StdOut.AtEndOfStream
        If Left(objExec.StdOut.ReadLine, 5) = "Name:" Then WScript.Quit(0)
    Wend

    WScript.Quit(255)
End If
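
For the team that owns the lock policy, a read-only sweep for Startup-folder scripts that synthesize input, like the ss.vbs approach in this answer. This is an added example, not part of the original answer; the match pattern and extension list are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example (heuristic): list Startup-folder scripts that synthesize input.
# Read-only. Run elevated so that other users' profiles can be read.
$pattern   = 'SendKeys|keybd_event|SendInput|mouse_event'   # assumed indicators
$scriptExt = '.vbs', '.js', '.wsf', '.ps1', '.bat', '.cmd'

# All-users Startup folder plus each profile's per-user Startup folder.
$relative = 'Microsoft\Windows\Start Menu\Programs\Startup'
$dirs  = @(Join-Path $env:ProgramData $relative)
$dirs += Get-ChildItem "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName "AppData\Roaming\$relative" }

$wsh = New-Object -ComObject WScript.Shell   # used only to resolve .lnk targets

$findings = foreach ($dir in $dirs | Where-Object { Test-Path -LiteralPath $_ }) {
    foreach ($item in Get-ChildItem -LiteralPath $dir -File -Force) {
        # A shortcut in Startup may point at a script stored elsewhere.
        # Limitation: shortcuts that launch wscript.exe with the script as an
        # argument are not followed.
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {
            $target = $wsh.CreateShortcut($item.FullName).TargetPath
        }
        if (-not $target -or -not (Test-Path -LiteralPath $target -PathType Leaf)) { continue }
        if ($scriptExt -notcontains [IO.Path]::GetExtension($target).ToLower()) { continue }

        $hits = Select-String -LiteralPath $target -Pattern $pattern
        if ($hits) {
            [pscustomobject]@{
                StartupEntry = $item.FullName
                Script       = $target
                Owner        = (Get-Acl -LiteralPath $target).Owner
                Lines        = ($hits | ForEach-Object { "$($_.LineNumber): $($_.Line.Trim())" }) -join '; '
            }
        }
    }
}

$findings | Format-List
```

A hit is a lead for review, not proof of intent: sanctioned automation can call SendKeys too.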

Solution 2:

The typical way of handling this is a separate set of policy for users or machines defined as "remote" workers. We, for example, have an OU named Remote Laptop Users which allows those users more control over display and power settings, for exactly this reason. (You can also use WMI filtering or security filtering to achieve the same results, if you don't want to, or can't, change the OUs these objects are in.)

If you can get your users to use the presentation settings tool suggested by Evan Anderson, that's great, but my experience is that the users who complain about this type of thing are also the ones who won't lift a finger to fix the problem, and expect IT to fix it for them, so you may end up having to fix it for them, with a different GPO.
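
Whichever route is taken (the loopback GPO from Solution 1 or a separate remote-worker policy as described here), the result should be checked on a laptop after the reboot. The following read-only check is an added example, not part of either answer; the 900-second ceiling is an assumed value to replace with your own standard.

```powershell
# Added example: report the screen-lock policy that actually applies to the
# logged-on user on this machine. Read-only; run inside the user's session.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Loopback mode is written under the machine policy key: 1 = Merge, 2 = Replace.
$loopback = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\System' 'UserPolicyMode'
$mode = 'Not enabled'
if ($loopback -eq 1) { $mode = 'Merge' } elseif ($loopback -eq 2) { $mode = 'Replace' }

# The screen saver Administrative Template settings land in the user policy key.
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$system  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

$report = [pscustomobject]@{
    LoopbackMode      = $mode
    ScreenSaverOn     = Get-RegValue $desktop 'ScreenSaveActive'
    PasswordProtected = Get-RegValue $desktop 'ScreenSaverIsSecure'
    TimeoutSeconds    = Get-RegValue $desktop 'ScreenSaveTimeOut'
    ForcedScreenSaver = Get-RegValue $desktop 'SCRNSAVE.EXE'
    ChangeBlocked     = Get-RegValue $system  'NoDispScrSavPage'
}
$report | Format-List

# Flag outcomes that a relaxed GPO for remote laptops should still not allow.
$maxTimeout = 900   # assumed ceiling in seconds; set to your own standard
$problems = @()
if ($report.ScreenSaverOn -ne '1')     { $problems += 'screen saver not enforced' }
if ($report.PasswordProtected -ne '1') { $problems += 'no password on resume' }
if (-not $report.TimeoutSeconds -or [int]$report.TimeoutSeconds -gt $maxTimeout) {
    $problems += "timeout missing or above $maxTimeout s"
}
if ($problems) { Write-Warning ($problems -join '; ') } else { 'Lock policy within limits.' }

# Show which GPOs supplied the user settings, to confirm the new GPO applied.
gpresult /r /scope user
```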