A customer had a XenApp environment based on Windows Server 2008 R2 which needed to be upgraded to all the latest versions. This included the server OS used in the XenApp workers.
One of the requirements this customer had was that the session be locked (lock screen) automatically after a certain period of time. For this customer it was not an option to handle this on the client device. They had a BYOD policy, no company-managed devices, and they did not want to enforce policies in any way on those devices.
In Windows Server 2008 R2 you could use Group Policy Objects (GPOs) for this, more specifically the settings found in User Configuration – Policies – Administrative Templates – Control Panel – Personalization.
Here you’ll find the settings related to the Screensaver options. Easypeasy, force the blank screensaver, set a timeout, require password.
In comes Windows Server 2016 and the related .admx files.
If you check the same settings in those GPOs, you’ll find them changed.
So, the settings are obsolete, in other words, do not use them.
The Notes on these settings suggest using the power options, but I didn’t have much luck configuring the individual user’s power settings in server based computing (virtual desktop) environments. Not so easypeasy anymore.
I grabbed Visual Studio and created a little program that will lock the user’s session screen after a certain amount of idle time.
It uses native Windows DLLs to query the user idle time and to lock the session screen.
It is a single executable file that is built on the .NET Framework so it will work on any Windows Server operating system.
In the user’s context, start the executable with a single command line argument (parameter) defining the maximum idle time in seconds before the user’s screen will be locked.
<path to>\SetIdleTimeToLock.exe [<idle time allowed in seconds>]
If you do not provide a maximum idle time in seconds, the executable defaults to 10 minutes (600 seconds).
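The post does not include source code, so the following is an added example (not the author's code) of the mechanism described above: a minimal C# console program that polls the session's idle time through User32.dll and locks the session once the limit is exceeded. The use of `GetLastInputInfo` and `LockWorkStation`, the one-second poll interval and the class name `IdleLock` are assumptions; the 600-second default comes from the post.

```csharp
// Added illustration; NOT the source of SetIdleTimeToLock.exe. API choice is an assumption.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;

static class IdleLock
{
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool LockWorkStation();

    // Seconds since the last keyboard or mouse input in the calling session.
    static uint IdleSeconds()
    {
        var info = new LASTINPUTINFO { cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO)) };
        if (!GetLastInputInfo(ref info))
            throw new InvalidOperationException("GetLastInputInfo failed");
        // 32-bit tick counts: unchecked unsigned subtraction survives the ~49.7 day wrap.
        return unchecked((uint)Environment.TickCount - info.dwTime) / 1000;
    }

    static int Main(string[] args)
    {
        uint maxIdle = 600; // default from the post: 10 minutes
        if (args.Length > 0 && (!uint.TryParse(args[0], out maxIdle) || maxIdle == 0))
        {
            Console.Error.WriteLine("Usage: IdleLock.exe [<idle time allowed in seconds>]");
            return 1;
        }
        bool lockedThisIdlePeriod = false;
        while (true)
        {
            uint idle = IdleSeconds();
            if (idle < maxIdle)
                lockedThisIdlePeriod = false;   // user is active again, re-arm the lock
            else if (!lockedThisIdlePeriod)
            {
                if (!LockWorkStation())         // lock request failed: surface the Win32 error
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                lockedThisIdlePeriod = true;    // avoid calling LockWorkStation on every poll
            }
            Thread.Sleep(1000);
        }
    }
}
```

Because the process runs in the user's own context, the user can end it; where the lock is a hard requirement, restrict or monitor that.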
You can reference the executable in a user logon script and define the maximum idle time as a parameter.
In Citrix you can use WEM to create an external task, also defining the maximum allowed idle time as a parameter.
Or simply use whatever solution you have in place for this.
Here’s a screenshot of a demo environment with 5 users logged on:
User 1 has just unlocked his screen.
User 2 is in a screen locked state for about 30 minutes.
User 3 and User 4 have just entered the lock state.
User 5 just logged on.
You say you grabbed Visual Studio to create the executable. What language was the executable programmed in?
I used a C# Windows Forms application template in Visual Studio 2017.
What DLLs do you reference in your code, since you mentioned you referenced native Windows DLLs?
I’m referencing User32.dll for the actual screen locking and for checking user idle time. I also reference Kernel32.dll to throw any errors caused by those two functions.
Have you tested this? In production environments?
Yes, but only with a maximum of 15 users so far. I’m running it in my own labs which I use with multiple users frequently and have not encountered any issues yet.
Can I have the source code?
You can download the executable in the TechNet gallery.
Update (March 17th 2021): TechNet gallery, r.i.p. For now you can find the download in my personal OneDrive here.
Until next time,