It’s a best practice to lock your computer when you step away from your desk, even if it’s just for a short time. Unfortunately, not everyone follows this practice, which can leave your computer unprotected and vulnerable to data leaks.
To address this, you can create a Group Policy Object that automatically locks the workstation after a specified period of inactivity, anywhere from 1 second to a maximum of 86,400 seconds (24 hours). The steps below show how to configure it.
Create a Group Policy Object
To create a Group Policy Object (GPO) and configure this setting, follow the steps below:
- Log in to a domain controller and open Server Manager.
- Click on “Tools” and click on Group Policy Management.
- Right-click on Group Policy Objects > Click on New.
- Provide a name for the GPO, for example Workstation_AutoLock_Policy. Click on OK.
- Right-click on “Workstation_AutoLock_Policy” and click on Edit.
- Navigate to User Configuration > Policies > Administrative Templates > Control Panel > Personalization and enable the settings below:
  - Enable Screen Saver: Enabled
  - Password Protect the screen saver: Enabled
  - Screen Saver timeout: Enabled (provide the timeout value in seconds; for example, to activate the lock screen after 20 minutes of idle time, provide a value of 1200).
- The next step is to enable one more setting called “Loopback processing mode”. This is required when you create a GPO based on User Configuration and link that GPO to a Workstations/Computers OU.
  - Go to Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode: Enabled, Mode: Merge
- Once you have configured all settings in this GPO, link it to an OU containing computers. To do so, right-click on the OU and select “Link an Existing GPO...”.
- Select the “Workstation_AutoLock_Policy” policy and click on OK.
- The Workstation_AutoLock_Policy policy is now linked to the Workstation OU.
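The same GPO can be built from PowerShell with the GroupPolicy module, which makes the configuration repeatable and easy to review. This is an added example, not part of the original article: the registry values are the ones the three Personalization settings and the loopback setting write, and the OU distinguished name passed as $TargetOU is a placeholder you must supply.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted equivalent of the GPMC steps above. Run on a domain
# controller or a management host with RSAT installed.
param(
    [string]$GpoName = 'Workstation_AutoLock_Policy',   # name used in the article
    [ValidateRange(1, 86400)]                            # allowed range per the article
    [int]$TimeoutSeconds = 1200,                         # 20 minutes of idle time
    [Parameter(Mandatory)]
    [string]$TargetOU   # placeholder, e.g. 'OU=Workstations,DC=example,DC=com'
)
$ErrorActionPreference = 'Stop'

# Reuse the GPO if it already exists so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lock workstation after idle timeout'
}

# User Configuration > ... > Control Panel > Personalization (all REG_SZ values).
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userSettings = [ordered]@{
    ScreenSaveActive    = '1'                # Enable Screen Saver
    ScreenSaverIsSecure = '1'                # Password Protect the screen saver
    ScreenSaveTimeOut   = "$TimeoutSeconds"  # Screen Saver timeout, in seconds
}
foreach ($name in $userSettings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $desktopKey -ValueName $name `
        -Type String -Value $userSettings[$name] | Out-Null
}

# Computer Configuration > ... > System > Group Policy: loopback mode.
# UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Link the GPO to the computers OU unless a link is already present.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Read the user-side values back from the GPO so the result can be reviewed.
Get-GPRegistryValue -Name $GpoName -Key $desktopKey |
    Select-Object ValueName, Value
```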
End-user Experience
To apply this policy, a reboot of the target device is recommended. After successful implementation, users will see a lock screen when their idle time reaches the duration specified in the ‘Screen Saver timeout’ setting.
If you encounter any issues with the GPO not applying to the device, you can resolve it by opening a command prompt with administrator privileges and running the ‘Gpupdate /force’ command. This command retrieves the latest policies for the device and applies them.
To confirm that the Group Policy has been applied to the target workstation, follow these steps:
- Press Win + R keys to open the Run dialog box.
- In the ‘Run’ box, type ‘rsop.msc’ and press Enter.
- Navigate to the screen saver Group Policy settings configured in the GPO to see the policy settings applied to your device.