Re: Automatically locking desktop after a certain period of time
From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: Wed, 2 Nov 2005 15:21:49 -0500
You can even prevent an administrator level user from modifying the Registry. If you use Group Policies to block Regedit, you can't import a REG file. With Regedit anyway. I don't know if the command line version, REG, observes this policy, or not. If not, you could also enforce the policy to disallow REG.EXE to run. And last, but not least, remove Administrators permissions from the Registry keys in question, and only allow System and Administrator write access.
--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Vanguard (NPI)" <vanguard.code@comcastNIX.net> wrote in message
news:%23Al0jH93FHA.firstname.lastname@example.org...
> "Doug Knox MS-MVP" <email@example.com> wrote in message
> news:%23NZk94%232FHA.firstname.lastname@example.org...
> The user shouldn't have write permissions to the Windows\System32 folder, so
> they shouldn't be able to rename the SCR file. If you're allowing them to
> run as Administrators, then they'll be able to.
>
> "Vanguard (NPI)" <vanguard.code@comcastNIX.net> wrote in message
> news:%23gcVY982FHA.636@TK2MSFTNGP10.phx.gbl...
>> "Doug Knox MS-MVP" <email@example.com> wrote in message
>> news:uVkrHe82FHA.2524@TK2MSFTNGP10.phx.gbl...
>> Since you're on Active Directory, force the use of a screen saver and a
>> timeout and password requirement via Group Policies. These settings are in
>> User Configuration, Administrative Templates, Control Panel, Display.
>>
>> "sfurney" <firstname.lastname@example.org> wrote in message
>> news:CA753ECB-A7B3-406E-A6E1-C40658B041E5@microsoft.com...
>>> We are in an educational setting. Staff members periodically forget to
>>> lock their computers when they leave their classroom or office. We are
>>> on active directory and each staff member is a regular user. Is there
>>> any way to have the computer automatically lock after a certain amount
>>> of time (like some programs do)?
>>
>> If the user renames the .scr file, and since it appears the local .scr
>> file gets used, wouldn't that obviate the screen saver from getting used?
>> It might, however, still force a Windows lockout (i.e., Ctrl-Alt-Del
>> window appears). The policy should still push the option to password
>> protect on triggering the screen saver. Although the screen saver can't
>> run, the Windows logon screen should still show up.
>
> True, and they cannot use .reg files to update the registry, either, unless
> they are admin users. However, "Staff members" gives absolutely no clue as
> to which group those users belong or their permissions.
>
> There isn't even mention if the users are logging in under a domain where
> you could push policies (and which, by the way, only get pushed when they
> login and can be overridden during that Windows session, like using
> "regedit /s <.reg_file>" in the Startup group to undo those one-time pushed
> policy settings). So if they are on a domain, they can still override
> policies. If not on a domain, they can override local policies or registry
> edits by the admin. However, both scenarios do require the user have admin
> rights to change the registry. I assumed "Staff members" were more likely
> to have admin rights than, say, tutors, students, or other non-staff users.
>
> If you have admin rights, you can use a .reg file to change registry
> settings which even specify which .scr file to load, and you could specify
> a bogus filename rather than having to rename the .scr file itself.
> Because I have admin rights to my host under the domain login, I can
> override the 15-minute policy setting which attempts to use logon.scr to
> lockup my host. I have several hosts in my cubicle and cannot have them
> locked up because that prevents me from seeing critical e-mail alerts and
> the status of currently running jobs. But it did require getting admin
> rights to my host under my domain login.
>
> --
> _________________________________________________
> | ** Reply to the newsgroup. Share with others ** |
> | E-mail: Remove "NIX" and add "#LAH" to Subject. |
> |_________________________________________________|
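The thread turns on three things an administrator needs to verify: that the screen-saver lock (timeout plus password on resume) is delivered as enforced policy rather than a user preference, that the configured .scr file still exists and cannot be renamed by an ordinary user, and that the user cannot undo the policy with Regedit or a silent "regedit /s" import. The following audit script is an added example, not code from any poster in the thread; it assumes PowerShell 3.0 or later and uses the documented per-user registry locations that the "Control Panel, Display" and "Prevent access to registry editing tools" policies write to. The 900-second limit is the 15-minute interval mentioned in the thread and is a configurable assumption.

```powershell
# Added example (not part of the thread): audit whether the screen-saver lock the
# thread describes is actually enforced for the current user, and whether that
# user could defeat it by editing the registry or renaming the .scr file.
# Assumptions: Windows with PowerShell 3.0+; the key and value names below are the
# documented locations Group Policy writes to. Run it in the session of the user
# being audited, because all of these keys are per user (HKCU).

# Policy values written by Group Policy (take precedence) and the user's own settings.
$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey     = 'HKCU:\Control Panel\Desktop'
$RegToolsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
# Longest acceptable idle time before the lock triggers (15 minutes, as in the thread).
$MaxTimeoutSeconds = 900

function Get-DesktopSetting {
    param([Parameter(Mandatory)][string]$Name)
    # Return the effective value and where it came from; policy wins over preference.
    foreach ($key in @($PolicyKey, $UserKey)) {
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                return [pscustomobject]@{ Value = $item.$Name; Source = $key }
            }
        }
    }
    return $null
}

function Test-ScreenSaverLock {
    $findings = New-Object System.Collections.Generic.List[string]

    $active  = Get-DesktopSetting -Name 'ScreenSaveActive'
    $secure  = Get-DesktopSetting -Name 'ScreenSaverIsSecure'
    $timeout = Get-DesktopSetting -Name 'ScreenSaveTimeOut'
    $scr     = Get-DesktopSetting -Name 'SCRNSAVE.EXE'

    if (-not $active -or "$($active.Value)" -ne '1') {
        $findings.Add('Screen saver is not enabled')
    }
    if (-not $secure -or "$($secure.Value)" -ne '1') {
        $findings.Add('Password on resume (ScreenSaverIsSecure) is not required')
    }
    if (-not $timeout -or [int]$timeout.Value -le 0 -or [int]$timeout.Value -gt $MaxTimeoutSeconds) {
        $findings.Add("Timeout missing or longer than $MaxTimeoutSeconds seconds")
    }
    # Settings that live only under the user's own key are not policy: the user can
    # change them in Display properties or with a .reg file without any admin rights.
    foreach ($s in @($active, $secure, $timeout)) {
        if ($s -and $s.Source -eq $UserKey) {
            $findings.Add("Setting under $UserKey is a user preference, not enforced policy")
            break
        }
    }

    # Is the configured .scr file actually present? A bare file name is resolved
    # from System32. A missing or renamed file means no screen saver runs at all.
    if (-not $scr) {
        $findings.Add('No screen saver (SCRNSAVE.EXE) is configured')
    } else {
        $path = [string]$scr.Value
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path -Path (Join-Path $env:windir 'System32') -ChildPath $path
        }
        if (-not (Test-Path -Path $path)) {
            $findings.Add("Configured screen saver '$($scr.Value)' not found at $path")
        } else {
            # Could a non-admin rename or replace the file? Look for Allow ACEs granting
            # write or delete rights to broad groups. (Renaming also needs rights on the
            # directory, so check System32's ACL the same way if this reports nothing.)
            $broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
            $weak = (Get-Acl -Path $path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|Delete')
            }
            foreach ($ace in $weak) {
                $findings.Add("$path grants $($ace.FileSystemRights) to $($ace.IdentityReference)")
            }
        }
    }

    # Can the user run Regedit (and a silent "regedit /s file.reg") to undo the policy?
    # DisableRegistryTools: absent/0 = allowed, 1 = interactive Regedit blocked,
    # 2 = Regedit blocked including silent import mode.
    $regTools = 0
    if (Test-Path -Path $RegToolsKey) {
        $v = Get-ItemProperty -Path $RegToolsKey -Name 'DisableRegistryTools' -ErrorAction SilentlyContinue
        if ($null -ne $v) { $regTools = [int]$v.DisableRegistryTools }
    }
    switch ($regTools) {
        0 { $findings.Add('Registry editing tools are not restricted') }
        1 { $findings.Add('Regedit blocked interactively, but "regedit /s" import still allowed') }
    }

    return [pscustomobject]@{
        Enforced = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-ScreenSaverLock | Format-List
```

An empty Findings list means the lock is delivered as policy, the .scr file is present and not writable by broad groups, and silent registry imports are blocked for that user. The script only reads; it does not change any setting, and it does not test REG.EXE, which the thread leaves as an open question and which a software restriction policy on that executable would cover.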