Access Denied - 23 Jan 2001

I'm trying to use a group policy to enforce a password-protected screen saver for users in my domain. Although I enforce a screen saver in the \default domain policy\user configuration\administrative templates\control panel\display folder, the screen saver is never activated. How can I activate the screen saver? Also, can I specify how long the workstation must be inactive before the screen saver is activated?

Enforcing a password-protected screen saver is important because many users don't like the nuisance of unlocking their workstations after they've been away from them. As a result, some users disable the screen saver, which leaves their workstations open when unattended.

Windows 2000 Service Pack 1 (SP1) solves this security problem. Before SP1, the Display folder of a Group Policy Object (GPO) offered four screen saver policy settings:

  • Hide Screen Saver tab
  • Screen saver executable name
  • No screen saver
  • Password protect the screen saver

Although Microsoft doesn't document the bug in the service pack's list of bug fixes, pre-SP1 Win2K doesn't properly configure the screen saver when you use these group policy settings. For some reason, the screen saver you specify with a group policy takes effect only on user profiles in which the user has previously opened Control Panel and configured a screen saver. SP1 fixes this problem and replaces No screen saver with Activate screen saver. SP1 also adds a new policy called Screen Saver timeout, as Figure 1 shows.

So, you now have five screen saver policies that you can use to ensure that unattended workstations automatically lock the console. For example, you can use the Hide Screen Saver tab policy to prevent users from accessing and disabling their screen saver settings. However, you still need to specify a screen saver. To do so, enter the filename of a screen saver in the Screen saver executable name policy. Screen savers that come with Win2K exist in the %systemroot%\system32\config folder. I recommend using default.scr: It's boring, but it doesn't use unnecessary CPU cycles drawing 3-D images on your screen. Next, you need to enable the Activate screen saver and Password protect the screen saver policies, then specify the number of seconds to wait in the Screen Saver timeout policy. Be sure to make these policy changes in a GPO linked to the appropriate level of your domain. If you want to apply this policy to every user in your domain (including you), define the policy in the Default Domain Policy linked to the root of your domain. Otherwise, use a GPO linked to the organizational unit (OU) that contains the users you want to configure.
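As an added example (not from the column), the following Python audits the five-policy set described above from the reader's side: it parses a regedit export of the policy key that the Display-folder policies write for the logged-on user and reports which settings are still missing. The key path and value names (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut, SCRNSAVE.EXE) are the standard policy registry locations for these settings; the export text and the 900-second limit are constructed for the example.

```python
import re
from typing import Dict, List

# Key the Display-folder policies populate for the logged-on user (user configuration).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

# Constructed regedit export of that key, not a capture from a real domain.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="900"
"SCRNSAVE.EXE"="default.scr"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    # Collect the REG_SZ values of a .reg export as {key path: {value name: data}}.
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg escapes backslashes and quotes with a backslash
                keys[current][m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def audit_screen_saver_policy(values: Dict[str, str], max_timeout: int = 900) -> List[str]:
    """Return one finding per missing piece of the policy set; an empty list means enforced."""
    findings = []
    if not values.get("SCRNSAVE.EXE"):
        findings.append("Screen saver executable name not set")
    if values.get("ScreenSaveActive") != "1":
        findings.append("Activate screen saver not enabled")
    if values.get("ScreenSaverIsSecure") != "1":
        findings.append("Password protect the screen saver not enabled")
    timeout = values.get("ScreenSaveTimeOut", "")
    if not timeout.isdigit():
        findings.append("Screen Saver timeout not set")
    elif int(timeout) > max_timeout:
        findings.append(f"Screen Saver timeout of {timeout}s exceeds the {max_timeout}s limit")
    return findings

def audit_export(text: str, max_timeout: int = 900) -> List[str]:
    # A missing policy key means no screen saver GPO reached this user at all.
    values = parse_reg_export(text).get(POLICY_KEY)
    if values is None:
        return ["policy key absent: no screen saver policy applied"]
    return audit_screen_saver_policy(values, max_timeout)
```

Run it against a `regedit /e` export of the policy key from a test account after the GPO has refreshed; the Hide Screen Saver tab policy lives under a different key and is deliberately not checked here.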

I've set up a new Win2K domain controller (DC). When I try to use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, the console works (e.g., I can create and change user accounts and groups), but everything is extremely slow. Why is Active Directory (AD) running so slowly?

Your system is probably the first DC in a new domain forest, which means that this system is also a DNS server (Win2K automatically installs the DNS server when you create a new AD forest). The problem is that Win2K didn't configure the local TCP/IP client to use the DNS service on the local system. Although the Active Directory Users and Computers snap-in and other tools still work in such a situation, they slow down tremendously.

To fix this problem, go to the Control Panel Network and Dial-up Connections applet. Double-click Local Area Connection, then click Properties, as Figure 2 shows. On the Local Area Connection Properties dialog box, which Figure 3 shows, select the Internet Protocol (TCP/IP) option, then click Properties. On the Internet Protocol (TCP/IP) Properties dialog box, which Figure 4 shows, copy your system's IP address to the Preferred DNS server address box.

If you've already configured a preferred DNS server, which you must do so that your system can find systems on your network or the Internet, you need to configure your local DNS service to forward unresolved queries to your original DNS server. To configure your local DNS server, open the MMC Administrative Tools snap-in, then expand your DNS server. Right-click your server, then select Properties. On the server Properties dialog box, click the Forwarders tab, then add your DNS server to the list, as Figure 5 shows.

I'm testing a lot of new group policies; after every change, I need to reboot to force Win2K to reapply group policy. How can I force Win2K to apply a group policy immediately?

Win2K applies the Computer Configuration portion of group policy when a system starts up and the User Configuration portion whenever a user logs on. After that, Win2K reapplies group policies every hour and a half for member servers and workstations and every 5 minutes for DCs. When you're working with group policy, you can't restart or log off every time you make a change, nor is it effective to wait for the next refresh. Thankfully, you have two options for speeding up the process: Assign a GPO to refresh group policy every 7 seconds, or refresh group policy on demand from the command line.

You can configure your test system to refresh group policy every 7 seconds. To configure your system, you need to assign a GPO to your test system. The easiest way to assign a GPO is to create a new OU, put your test system in it, and create a new GPO linked to the OU. In this GPO, drill down to \computer configuration\administrative templates\system\group policy, then set the refresh interval to 0 minutes, as Figure 6 shows. Now your system will almost immediately see new group policy changes in Computer Configuration and apply them. If you want the same behavior for User Configuration, you need to move your test user account to this OU and set the same refresh interval in the same place under User Configuration. Although this method is convenient, be aware that you'll create a modest but constant load on both your test system and the DC the system will constantly query. Therefore, I prefer a second option.

To refresh group policy on demand for Computer Configuration, open a command prompt, then type

secedit /refreshpolicy machine_policy

If you changed a User Configuration setting, type

secedit /refreshpolicy user_policy

Although some Win2K documentation states that the Secedit command refreshes only security settings, it actually initiates a group policy refresh.

I need to assign different password and account lockout policies to certain classes of users in my domain. I've created an OU for each class of user; using a GPO linked to that OU, I've set the appropriate minimum password length, complexity requirements, account lockout thresholds, and other policies in the \computer configuration\windows settings\security settings\account policy folder, but the policies have no effect. How can I configure such policies?

Unfortunately, you can't. This area is one in which Win2K doesn't offer an improvement in granularity over Windows NT. As in NT, you can have only one set of account policies for all users in the domain. Although you're assigning different account policies to each OU, AD, which controls user logon for domain accounts, looks only at the GPO linked to the root of the domain. When you configure this area of group policy, which Figure 7 shows, on OUs and sites, it affects only local users in workstation and member server SAMs. If you absolutely require different account policies for a set of users, you must create an additional domain to contain them.

Another possibility is a Winlogon notification package, which is a user-supplied DLL that Win2K calls whenever users change their passwords. For clients who need only customized password age, history, or content requirements but can live with everyone being subject to the same lockout policy, I've built a notification package that implements these requirements on a user-by-user basis. (For more information about Winlogon notification packages, go to

Tip: To edit a GPO such as the Default Domain Policy GPO, open the MMC Active Directory Users and Computers snap-in, then select the root of the domain. Right-click the domain, then select Properties. On the Properties dialog box, click the Group Policy tab, then click Edit.
