
We need to configure the screen lock timeout on our laptop machines so that the inactivity time dynamically changes according to the connection: if the laptop is directly connected to the corporate network through Ethernet, then the screen should lock after 15 min, but in any other circumstances (laptop either not connected to any network, or connected but through VPN) this time should be reduced (let's say, down to 5 minutes)...

All client machines run on Windows 7 or 10 Enterprise.

Please note that this has to be independent of the power options, and that the screen lock timeout could change several times during a single user session. For example, a user removes his/her laptop from its docking station (screen lock timeout gets changed from 15 min to 5 min), then later on shuts it down, boots it while disconnected from the network (still a 5 min screen lock timeout), works a while through VPN (still 5 min), then puts it back on the docking station and the laptop reconnects to the corporate network through Ethernet (screen lock timeout back to 15 min)...

GPO administrative templates don't allow for configuring the screen lock based on the network connection. Any ideas on the best way to implement this?

So far, I was thinking about using event-triggered scheduled tasks. But I do not know what events could be used to accurately link such task triggers...

  • If you can't find events to trigger it, you could perhaps write a PowerShell script or something that runs every five minutes to check the active network connection. – Todd Wilcox May 02 '19 at 13:18
  • You can check for event 10000 and 10001 from network and distinguish between the networks by (ab)using the "only if connected to network xxx" dropdown menu, maybe – Lenniey May 02 '19 at 13:21
  • Can't you link GPOs to AD's Sites and Services? I assume that then a specific GPO that allows a longer idle timeout will only apply when the laptop is known to be connected to your corporate network... – HBruijn May 02 '19 at 13:28

1 Answer

One way that you could accomplish this is by monitoring NetworkProfile event IDs 10000 and 10001, and running a script after each instance of these events.

To set a 5 minute screen saver timeout when a user has disconnected from the network, create a new scheduled task, give it a relevant name, and for the trigger, select "When an event is logged." Then specify on the next screen:

  • Log: Microsoft-Windows-NetworkProfile/Operational
  • Source: NetworkProfile
  • Event ID: 10001 (Network Disconnected)

For the action, use a PowerShell script (or whatever you're comfortable with) to set the screen saver timeout period.

To set a 15 minute timeout for trusted networks, you'll need to do a little more legwork to figure out if you have consistent enough network names or IP ranges to identify as your trusted networks for the purposes of this script. When this event is triggered, you can check the network name from the most recent event ID 10000, and reduce the screen saver timeout if the network name is trusted.

Of course, neither of these is foolproof. A network name could always be spoofed or incidentally match the name of your trusted network. One possible way that you could cover for this is to (1) check for a network name that matches the name of your internal domain, and then (2) use the Get-ADDomainController PowerShell cmdlet to see if you can reach a domain controller and confirm that you actually are connected to this network.

There may be other/better methods, including possibly Group Policy preferences with item level targeting. Again, there are challenges around timing (how often it re-evaluates and re-applies policies) and how you identify the current network state. ILT with WMI queries would probably be the closest, but this approach would not be as "real-time" as using tasks triggered on logged event IDs.

There's no script for you here, but hopefully this gets things going in the right direction if you (or anybody else) is still looking for a solution.

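As an added example (not part of the answer above and not written by its author), here is a PowerShell script that could serve as the action for both event-triggered tasks described in the answer, i.e. the same script is run after a NetworkProfile 10000 and after a 10001 event and decides the timeout itself. It goes a little beyond the answer: it fails closed to the short timeout whenever the trusted state cannot be positively confirmed, and it adds a heuristic for the VPN case from the question. Assumptions, all labelled in the code: the corporate Ethernet profile is named after the AD DNS domain (taken from `$env:USERDNSDOMAIN`); event 10000/10001 carry the profile name in the `EventData/Data[@Name='Name']` element; a connected adapter that WMI does not report as physical is treated as a VPN or other tunnel; the built-in blank screen saver lives at `%SystemRoot%\System32\scrnsave.scr`. The domain controller check uses the .NET DC locator instead of the `Get-ADDomainController` cmdlet the answer mentions, because the RSAT module is rarely installed on client machines.

```powershell
# Added example, not from the original answer: action script for the two
# event-triggered scheduled tasks (NetworkProfile 10000 / 10001). Runs in the
# logged-on user's context and defaults to the SHORT timeout whenever the
# trusted state cannot be positively confirmed (fail closed).
param(
    # Assumed: the corporate Ethernet profile is named after the AD DNS domain.
    [string]$TrustedDomain = $env:USERDNSDOMAIN,
    [int]$TrustedTimeoutSeconds   = 15 * 60,
    [int]$UntrustedTimeoutSeconds = 5 * 60
)

# SystemParametersInfo applies the new timeout to the running session at once;
# a bare HKCU write would only take effect at the next logon.
Add-Type -Namespace Win32 -Name Spi -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, IntPtr pvParam, uint fWinIni);
'@

function Set-ScreenLockTimeout {
    param([int]$Seconds)
    $SPI_SETSCREENSAVETIMEOUT = 0x000F
    $SPI_SETSCREENSAVESECURE  = 0x0077
    $SPIF_UPDATEINIFILE = 0x01
    $SPIF_SENDCHANGE    = 0x02
    $flags   = $SPIF_UPDATEINIFILE -bor $SPIF_SENDCHANGE
    $desktop = 'HKCU:\Control Panel\Desktop'
    # A timeout has no effect unless a screen saver is selected; the built-in
    # blank one (assumed path) is enough. Require a password on resume so the
    # timeout is a real lock and not just a blank screen.
    if (-not (Get-ItemProperty $desktop -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue)) {
        Set-ItemProperty $desktop -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"
    }
    Set-ItemProperty $desktop -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty $desktop -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty $desktop -Name ScreenSaveTimeOut   -Value "$Seconds"
    [void][Win32.Spi]::SystemParametersInfo($SPI_SETSCREENSAVETIMEOUT, $Seconds, [IntPtr]::Zero, $flags)
    [void][Win32.Spi]::SystemParametersInfo($SPI_SETSCREENSAVESECURE,  1,        [IntPtr]::Zero, $flags)
}

function Get-LastNetworkProfileEvent {
    # Newest connect (10000) or disconnect (10001) event. Assumed XML layout:
    # EventData/Data[@Name='Name'] holds the network profile name.
    $ev = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NetworkProfile/Operational'
        Id      = 10000, 10001
    } -MaxEvents 1 -ErrorAction Stop
    $xml  = [xml]$ev.ToXml()
    $name = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Name' }).'#text'
    New-Object PSObject -Property @{ Id = $ev.Id; ProfileName = $name }
}

function Test-TunnelAdapterUp {
    # Heuristic (assumed): a connected adapter that Windows does not report as
    # physical is a VPN or other tunnel. Virtualization host adapters can trip
    # this too, which only errs toward the shorter timeout.
    $virtual = Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionStatus = 2 AND PhysicalAdapter = FALSE'
    return [bool]$virtual
}

function Test-DomainControllerReachable {
    # A profile name is just a string and can be spoofed; also require that a
    # DC of the joined domain answers on LDAP. The .NET locator is used instead
    # of Get-ADDomainController because RSAT is rarely installed on clients.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        if ($domain.Name -ine $TrustedDomain) { return $false }
        $dc  = $domain.FindDomainController([System.DirectoryServices.ActiveDirectory.LocatorOptions]::ForceRediscovery)
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ok  = $tcp.BeginConnect($dc.Name, 389, $null, $null).AsyncWaitHandle.WaitOne(3000)
        $tcp.Close()
        return $ok
    } catch { return $false }
}

$timeout = $UntrustedTimeoutSeconds   # fail closed
try {
    $last = Get-LastNetworkProfileEvent
    $trusted = ($last.Id -eq 10000) -and
               ($last.ProfileName -ieq $TrustedDomain) -and
               (-not (Test-TunnelAdapterUp)) -and
               (Test-DomainControllerReachable)
    if ($trusted) { $timeout = $TrustedTimeoutSeconds }
} catch {
    # No readable NetworkProfile event (log cleared, never connected): stay short.
}
Set-ScreenLockTimeout -Seconds $timeout
```

Register one task per trigger (event 10000 and event 10001, as described in the answer) with an action such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File <path to this script>` (path is yours to choose), using the built-in Users group as the principal and "Run only when user is logged on", so that `HKCU:` is the interactive user's hive. Two caveats a practitioner should check first: if the GPO also sets screen saver values under `HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop`, the policy values win over anything written here, so the GPO has to leave the timeout unset; and on a machine with several adapters the most recent 10000/10001 event need not describe the adapter you care about, which the fail-closed default turns into a shorter-than-needed timeout rather than a longer one.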