November 21st, 2005

How Can I Lock a Workstation After Five Minutes of Inactivity?


Hey, Scripting Guy! How can I lock a workstation after five minutes of inactivity, something recommended to us by our auditors?

— NM


Hey, NM. To tell you the truth, we don’t know. Locking a computer remotely can be a bit of a problem; for more information on that, take a look at one of our columns from a year ago. On top of that, you face the problem of deciding whether or not a computer is idle. Because you can’t monitor for keystrokes or mouse clicks, about the best you can do is check the CPU usage and make a guess as to whether the computer is idle. That might work, but you’d have to constantly monitor the computer and continually make a determination as to whether the machine is idle or not. There has to be a better way.

And there is. After all, the computer can already monitor and lock itself after 5 minutes of inactivity: all you have to do is password-protect the screensaver and set the screensaver timeout value to 5 minutes. If the computer sits idle for 5 minutes, the screensaver will kick in and the computer will be locked, which sounds like the very thing recommended by your auditors.

Best of all, you can use scripts that directly modify the registry in order to configure the appropriate screensaver settings on all your computers. For example, here’s a script that enables password-protection on the screensaver:

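' Registry hive that holds the per-user screensaver settings
Const HKEY_CURRENT_USER = &H80000001

strComputer = "."

' Connect to the WMI Standard Registry Provider
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Control Panel\Desktop"

ValueName = "ScreenSaverIsSecure"

strValue = "1"

' 1 = password-protect the screensaver, 0 = no password
objReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue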

This script starts off by defining a constant named HKEY_CURRENT_USER and setting the value to &H80000001; this lets the script know which registry hive we want to deal with. We then use this line of code to connect to the WMI service and to the Standard Registry Provider class (StdRegProv):

Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

Next we assign values to three different variables:

• strKeyPath. The path – within HKEY_CURRENT_USER – to the registry key that needs to be changed. For the screensaver, that path happens to be Control Panel\Desktop.

• ValueName. The registry value to be changed. To enable password protection we need to change the ScreenSaverIsSecure value.

• strValue. The new value to be assigned to ScreenSaverIsSecure. Set ScreenSaverIsSecure to 1 to enable password protection; set it to 0 to disable password protection.

All we have to do then is call the SetStringValue method and pass it all the defined parameters:

objReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue

And there you go. The next time the user logs on, the screensaver will be password-protected.

Note. Yes: although the registry is changed immediately, the change won’t take effect until the next time the user logs on. Because of that, you might want to include this code in a logon script; in that case, the registry gets configured before the user logs on. Alternatively, you can make the changes and then forcibly log the user off; check the Microsoft Windows 2000 Scripting Guide for information about logging a user off a computer.

Of course, before you log the user out you might also want to configure the screensaver timeout value to 5 minutes. Here’s a script that does just that:

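' Registry hive that holds the per-user screensaver settings
Const HKEY_CURRENT_USER = &H80000001

strComputer = "."

' Connect to the WMI Standard Registry Provider
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "Control Panel\Desktop"

ValueName = "ScreenSaveTimeout"

strValue = "300"

' Timeout is stored in seconds: 300 = 5 minutes
objReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue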

You’re right: it’s almost exactly like the first script we showed you. In fact, there are only two differences:

• The registry value we’re changing is ScreenSaveTimeout (still found in the Control Panel\Desktop key).

• The new value being assigned to ScreenSaveTimeout is 300. Screensaver timeouts are stored as seconds: 300 seconds equals 5 minutes (300 divided by 60 = 5). If the auditors recommend a three-minute timeout value then set ScreenSaveTimeout to 180 (60 seconds times 3).

And there you have it. Your computers will be locked after five minutes of inactivity, and you don’t have to write any complicated monitoring/remote locking scripts.

And since you asked, yes, the Scripting Guys are very grateful that they don’t get locked out after 5 minutes (or even 5 hours) of inactivity.
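To confirm that both settings actually landed, for example before reporting back to the auditors, the values can be read back with the same StdRegProv class. The script below is an added example, not part of the original column; the 300-second limit comes from the article, while the helper names ReadDesktopValue and Check and the extra check of ScreenSaveActive (a value in the same key that the column does not cover) are assumptions made for illustration.

```vbscript
' Added example: audit the current user's screensaver lock settings.
Option Explicit
Const HKEY_CURRENT_USER = &H80000001
Const MAX_TIMEOUT_SECONDS = 300          ' five minutes, per the article

Dim strComputer, strKeyPath, objReg, blnCompliant
Dim strSecure, strTimeout, strActive, blnTimeoutOk
strComputer = "."
strKeyPath = "Control Panel\Desktop"
blnCompliant = True

Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

' Hypothetical helper: returns the string value, or "" if it is missing.
Function ReadDesktopValue(strValueName)
    Dim strValue
    ReadDesktopValue = ""
    If objReg.GetStringValue(HKEY_CURRENT_USER, strKeyPath, _
                             strValueName, strValue) = 0 Then
        If Not IsNull(strValue) Then ReadDesktopValue = strValue
    End If
End Function

' Hypothetical helper: prints one result line and records any failure.
Sub Check(strValueName, strValue, blnOk)
    If blnOk Then
        WScript.Echo "OK    " & strValueName & " = """ & strValue & """"
    Else
        WScript.Echo "FAIL  " & strValueName & " = """ & strValue & """"
        blnCompliant = False
    End If
End Sub

strSecure = ReadDesktopValue("ScreenSaverIsSecure")
strTimeout = ReadDesktopValue("ScreenSaveTimeout")
strActive = ReadDesktopValue("ScreenSaveActive")   ' assumption: not covered in the article

' A missing or non-numeric timeout fails, as does anything above the limit.
blnTimeoutOk = False
If IsNumeric(strTimeout) Then
    blnTimeoutOk = (CDbl(strTimeout) >= 1 And CDbl(strTimeout) <= MAX_TIMEOUT_SECONDS)
End If

Check "ScreenSaverIsSecure", strSecure, (strSecure = "1")
Check "ScreenSaveTimeout", strTimeout, blnTimeoutOk
Check "ScreenSaveActive", strActive, (strActive = "1")

' Exit code 1 lets a calling logon or inventory script detect non-compliance.
If Not blnCompliant Then WScript.Quit 1
```

Run it with cscript.exe in the user's own session (for example from the logon script), since the values live in that user's HKEY_CURRENT_USER hive.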
