In this post we will see how to lock computers in domain via group policy. Most of the companies today want the computers to be locked out after specific interval of time or after specific duration of inactivity on the computer. The employees are advised to lock their computer before they step away from the computer but if the employee steps away without locking the computer it could lead to unauthorized access to domain workstations within your organization. With the help of group policy the administrator can define settings to automatically lock the computer after the specified amount of minutes. This will prevent the unauthorized access to the computer even though the employees forget to lock their computers.

Most of the companies have a branded screen saver that displays their company logo along with company information. In this post we will using one of the screen saver that comes with windows operating system.

In this post we will be using a screen saver so that after the inactivity timeout on the computer, the computer gets locked and a screen saver is displayed. When clicked on the screen saver, the computer should prompt the user to enter the credentials to login. Windows server 2008 R2 comes with few inbuilt screen savers, we will be using one of them. The screen savers can be found in \Windows\Winsxs\ and look for .scr files.

Lock Computers In Domain Via Group Policy-Snap7
Once you have found the screen saver, copy the screen saver file to a shared folder. The clients would be displaying the screen saver from this path.

Lock Computers In Domain Via Group Policy-Snap8

Open the Group Policy Management, right click on your domain and click on Create a GPO in this domain and link it here. Provide a name to the policy such as Screensaver Policy and click on OK.

Lock Computers In Domain Via Group Policy-Snap1
Right click the Screen saver policy and click on Edit. The Group Policy Management Editor opens in a new window, expand User Configuration, expand Policies, expand Administrative Templates, expand Control Panel and click on Personalization. We will configure the policy settings now.
Lock Computers In Domain Via Group Policy-Snap2
Double click on Screen saver timeout. This settings specifies the amount of time after which the screen saver must be launched. Click on Enabled to enable this policy setting, and set the time after which the screen saver should appear. In this example i will set the idle time to 60 seconds, which means if the computer is idle for 60 seconds the screen saver will be shown.  Click on Apply and OK.
Lock Computers In Domain Via Group Policy-Snap3
Double click the policy setting Force specific screen saver. This setting if enabled displays the screen saver specified in the policy setting. Click on Enabled, provide the path where the screen saver file is located. Click on Apply and OK.
Lock Computers In Domain Via Group Policy-Snap4
Double click the setting Enable Screen saver, click on Enabled, this setting will enable the screen saver. Before you enable this setting you must specify the screen saver executable path and screen saver timeout must be configured.
Lock Computers In Domain Via Group Policy-Snap5
Double click the setting Password protect the screen saver and click on Enabled. This setting will make all the screen savers password protected. If this policy is not configured, then the password protection cannot be set on any screen saver. For this setting to work correctly, make sure you have enabled the policy setting Enable screen saver and Screen saver timeout. Click on Apply and OK.
Lock Computers In Domain Via Group Policy-Snap6
After exactly 60 seconds (Screen saver time out) the screen saver is enabled and the computer is locked.
  • Karthik

    Thank you..I’m new to server and AD..Started learning SCCM..I’m impressed with your dedication,knowledge and contribution to people.

  • Anil yadav

    Hi Prajwal,

    Really helpfull to me and many thanks for your support and contribution.



    Thanks a lot this suggestion.

    i need one help more and that is how to give printer to all user from server. I mean when user login they get the printer which is instaled in server.


    • Do you mean to say that you want the printer to be listed in active directory ? What is your current environment ?

  • Jeff

    Thanks for the directions, they worked great!

    Is there a way to have this overwrite a computer that previously had a lockout time? For example, mine was previously set to 1 minute which still locks out at 1 minute even though the GPO changed the setting to 5 minutes.

    • If the screensaver is not getting applied as per the policy, do a gpupdate /force or restart the machine. If the issue still persists then unjoin the computer from the domain and join it back.


    Thanks PD.

    i am trying to apply on a computer OU..specific computer. it is not getting applied.

    Any suggestion.

    • Have you checked if the group policy is applied to client machine ? Check RSOP on client machine (rsop.msc)

    • Alex

      If you’re applying user settings to a computer OU, you’ll need to enable group policy loopback processing

  • Mohan

    Can we do deploy screen saver through SCCM.

  • Shy

    Dear Prajwal i configured like this but my all users pcs are locking after 30 second and i set the timing of 120 second. i restarted the server and user pc also but still same problem
    now i remove all the configuration but still pcs are locking after 30 second please help me
    i am waiting for your reply please reply me ASAP.

    Thanks in advance

    • Jerry Cabrera

      I am having a similar issue, I have ours set to 130 minutes but it locks after 2 minutes of inactivity. were you able to find any answers?

  • Jerry Cabrera

    Having a similar issue to Shy, where as we have set GP to 130 minutes but it locks after 2 minutes of inactivity.

    • Léon Lamothe

      the setting is in seconds… 130 seconds = 2 minutes

  • Daniel Nitecki

    Thanks for the info, your site is very helpful.
    However, you should really look in to however you’re monetizing as the vast majority of the ads I’m getting are spammy, at best – Lots of fake “Update Required” type stuff…

    • @Daniel – The ads are bidvertiser ads and I have checked with them on this and they have confirmed that ads are harmless.

  • John

    I have an AD policy to lock the screen on a workstation and when it invokes rundll32 user32.dll,LockWorkstation there is a ding or windows startup like sound (Windows 7) when the screen locks. Is there anyway thru policy to turn off just that sound?

  • John

    I have an AD policy to lock the screen on a workstation and when it invokes rundll32 user32.dll,LockWorkstation there is a ding or windows startup like sound (Windows 7) when the screen locks. Is there anyway thru policy to turn off just that sound?

    • Hi John, those are the sounds defined by Microsoft when an event happens, they differ on the Themes that you install . Those settings can be found under Control Panel > Sound. I am not aware of any policy that can disable this setting on group of computers.

  • You could create a GPO and configure the settings to lock computers. Apply this GPO to specific OU’s. You could exclude them from OU (computers) where you don’t want this policy to be applied.

    • Amit

      I tried this but the lock computers settings are part of the user configuration and not within computer configuration.
      So, we have this GPO that is applied to our domain with security filtering of authenticated users. I have added computers that do not need the lock policy to an OU and have also enabled this GPO on this OU but i have enabled loop back processing with merge mode enabled. I am hoping that this works in excluding these computers. is this the right approach?

  • Hi Prajwal… Can you tell me if this would also apply to Windows 10 or is there a different method for doing the same thing?

  • Nick Cappello

    Prajwal, I love the ease in the way you did this, but is there a way to also lock the users out from being able to set their own timeouts via GPO?