Wednesday, March 07, 2012

How to save my screen

Hello there. Often I see questions regarding the screen saver configuration and how to deploy different settings based on computers and not users… Here’s my ultimate guide on
  • What choices do I have?
  • How does each choice work?
  • What are advantages and disadvantages of each choice?
There’s more than one way to configure screen savers, but in corporate environments, you will obviously use Group Policy Administrative Templates to deploy your screen saver settings to your users - most times, at least. Here are the settings we need:

These are user settings. So how am I able to deploy different settings (e.g. different timeout values) to the same user based on the computer this user logs on to? There are several possibilities, three of them I’ll explain now.

Apply WMI filtering to the GPO

WMI filters allow you to filter on  properties of “whatever” on the local computer. The presence or content of these properties will determine whether the filter evaluates to “True” (GPO gets applied) or “False” (GPO is skipped).
As we want to target on different computers, we can use a filter for Win32_Computersystem.Name:
Select * from win32_computersystem where name=”WS01”

This simple filter checks for the given computer names and applies the GPO if a match is found.
WMI filtering has 2 disadvantages:
  1. Filtering may become a performance issue. The filter has to be evaluated, and this takes time. Depending on the filter this could be up to 30 seconds (filters lasting longer are aborted – but that’s undocumented at the time of this writing).
  2. For each and every new workstation, you have to edit the filter again. It’s not possible to use a group here, and it’s also not possible to use environment variables (like “%computername%).

Enable Loopback processing

In a previous post, I explained how loopback processing works. So in short: Enable loopback for all computers in question (“Merge” mode I would suggest) and link the screensaver GPO to your computers OU instead the users OU.

This will result in the following GPO application order:

Assume your corporate screen saver settings reside in the “Users Policy” (green) - these are now overwritten with the specialized settings in “Corp Screensaver Policy” (red), but only for computers that
  1. Have loopback enabled
  2. Belong to “Corp Screensaver Computers”
The first is obvious, for the second read more at (the article does not mention “Merge” or “Replace” mode, but this behavior is only true for “Merge” mode).

Skip Administrative Templates, use Preferences!

Starting with Windows Vista, Group Policy Preferences showed up in domain based GP editor. These enable us to configure a huge variety of settings previously unavailable in Group Policy. My favorite among these are Group Policy Preferences “Registry”. But how can I use these to configure the screen saver?
Administrative templates are nothing but a bunch of registry values. And the screen saver does not care about “who set this timeout value”, it only cares about “what timeout is set”. To use preferences, we first need to know what registry values are involved. Since we already created a GPO containing our settings, these can be extracted from registry.pol (the file in the GPOs folder in sysvol holding ADM template registry values). This file is well documented:
(A different approach would be extracting the values from the admx templates, but since there are 149/157 admx templates in Win7/R2, this could be a tedious job...)
The easiest way to find the registry.pol for a given GPO is: Edit the GPO in question, navigate to Policies - Windows-Settings – Scripts, double click one of the entries in the right pane and then click “Show Files…”. This opens an explorer window where you navigate two folders upwards.

The registry.pol file can be opened with notepad, but as it is a mixup of ANSI and Unicode – the first 4 characters are ANSI “PReg”, all registry keys and values are Unicode – it looks somewhat unreadable.

or my own script I wrote several years ago (that one is able to WRITE registry.pol also - The site is german, but the download also includes an english readme.)

So there’s a value called “ScreenSaveTimeOut” of type REG_SZ (interesting – the timeout  is a number, shoulnd’t it then be REG_DWORD?), and this value we are going to deploy through GPP Registry instead of ADM Templates.
We now have the full power of GPP Item Level Targeting at hand to select who may (or may not) receive this value.
  • Filter for security group membership of the computer
  • Filter for date or time
  • Filter for the result of LDAP queries against AD
  • Filter for Sites

And remember: All of this not only applies to screen saver settings. It applies to all settings you have in administrative templates - well, "almost" all of them.
That’s all for now, enjoy your new screen saver settings!