Locking and Terminating User Sessions via Group Policy settings

group-policy, remote desktop, Security, windows 7, windows-server-2008-r2

To conform with some new security requirements, my company is implementing Group Policy solutions to existing security vulnerabilities. My current assignment is to find and implement Group Policy settings that will cause the current user session to lock after a configured period of idle time and terminate an inactive user session after a given period of time.

These settings are supposed to apply to all user sessions, local or remote, and are to be enacted in a domain environment (forest) containing a mixture of workstations and servers. I can't, for the life of me, figure out if I just glossed over some obscurely-placed setting, or if such settings even exist.

The Cut-&-Dry (with arbitrary example numbers):
User sessions automatically locking after 30 minutes of inactivity.
User sessions terminating after 180 minutes of inactivity.
Applies to both local and remote user sessions.

Is this possible via Group Policy? If so, where are these settings?

Related (but unanswered): Auto lock the screen for any user after specified period of inactivity on Windows 7

Best Answer

Locking a session (either local or remote) is done using the screen saver settings.
User Configuration > Policies > Administrative Templates > Control Panel > Personalization:
Enable screen saver - Enabled
Force specific screen saver - Enabled
Password protect screen saver - Enabled
Screen saver timeout - Enabled

As far as I remember, you need to configure all four.
Also, these policies apply to Server 2008r2 and Win7 - I think XP has other settings.

As for terminating a session, it exists only for remote sessions.
User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits:
Set time limit for active but idle Remote Desktop Services sessions - Enabled
Set time limit for disconnected sessions - Enabled
Terminate session when time limits are reached - Enabled

If you want to do the same for local sessions, you'll need to script it.
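
Added example, not part of the original answer: one way to script the idle logoff for local sessions. It assumes the script is started inside each user's own session (for instance as a Group Policy logon script), because `GetLastInputInfo` only reports input for the session it is called from. The `IdleTime` class name and the `$LimitMinutes` and `$PollSeconds` variables are hypothetical, and the 180-minute limit is the question's example figure.

```powershell
# Idle-logoff watcher for the current (local or remote) session.
# Assumption: launched in the user's session, e.g. as a GPO logon script.
$LimitMinutes = 180   # example value taken from the question
$PollSeconds  = 60    # how often the idle time is checked

# P/Invoke wrapper around user32!GetLastInputInfo (hypothetical helper class).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class IdleTime {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }

    [DllImport("user32.dll")]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);

    // Seconds since the last keyboard or mouse input in this session.
    public static uint Seconds() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO));
        if (!GetLastInputInfo(ref lii)) { return 0; }  // treat failure as "not idle"
        // Unsigned subtraction stays correct when the tick counter wraps (~49.7 days).
        return unchecked((uint)Environment.TickCount - lii.dwTime) / 1000;
    }
}
"@

while ($true) {
    Start-Sleep -Seconds $PollSeconds
    if ([IdleTime]::Seconds() -ge ($LimitMinutes * 60)) {
        # Log off the session this script is running in.
        & "$env:SystemRoot\System32\shutdown.exe" /l
        break
    }
}
```

The idle counter keeps running while the workstation is locked, so a session locked by the screen saver policy is still logged off once the limit is reached.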
