Greater than or equal check when using Group Policy Preferences and Item Level Targeting in the Registry

Question

I'm implementing some screen saver configurations via Group Policy Preferences (on Win7 Enterprise x64 desktops). The desired configuration is to have users be able to adjust their screen saver and screen saver time out, but not allow them to select non screen saver or a time out higher than 45min.

I've found a great write-up for configuration of the screen saver (link) but cannot find a way to configure the time out. I cannot find a way to have the item level targeting compare the reg key HKCU\Control Panel\Desktop\ScreenSaveTimeOut value and force an over-write of the key if configured above 45min/2700seconds.

Anyone else tried something like this or found a means to do this?

Answer 1

The simplest thing would be to write a script to accomplish this and have it run on the workstations every so often.

On another note, I would just enforce a reasonable timeout and just teach users to lock their workstations when they step away. (What is reasonable depends on the environment and how long users are sitting at their desks but not actually using the workstation, but 45 minutes seems way too long)

Answer 2

One potential option that could be used: We currently have the "is" and "is not" options available to us in GPP. What you could potentially do is use the "is not" condition to apply the appropriate value. Assuming that the ceiling/max is 15 minutes, if we assumed that most users would potentially set the screen saver value to 5 minutes, 10 minutes or 15 minutes, one could add the following items:

"the string register value at HKCU\Control Panel\Desktop\ScreenSaveTimeOut does not exist or does not have value data 300" (this would be 5 minutes)
AND "the string register value at HKCU\Control Panel\Desktop\ScreenSaveTimeOut does not exist or does not have value data 600" (this would be 10 minutes)
AND "the string register value at HKCU\Control Panel\Desktop\ScreenSaveTimeOut does not exist or does not have value data 900" (this would be 15 minutes)

If none of the conditions apply, then reset the screen saver value timeout to 15 minutes in GPP. You can add more condition cases to suit your environment (for instance if you wanted to also allow 1 minute screen saver timeout options).

From a processing perspective, if the user chooses the default value of 15 minutes, then processing will stop after the first line since ScreenSaveTimeOut would be equal to 900 (15 minutes*60 seconds) and hence the first line would fail short circuiting the AND condition (I am assuming that GPPs use short circuiting).