Configure Windows Device Inactivity Limit Locally and Domain Wide

Posted on Temitope Odemo By Temitope Odemo No Comments on Configure Windows Device Inactivity Limit Locally and Domain Wide
windows workstations inactivity

In this article i will showing you how to Configure Windows device inactivity limit locally and domain wide. Due to security reasons, it is now important that your computer screen is locked when the system is inactive or idle for some time. Please see How to access shared resources from two different domains, How to demote and remove a Domain Controller on Windows Servers. Read this if you want to Configure Local Administrators Account lockout.

A Windows user can lock a computer screen themselves by using this shortcut key (Win + L). But you can setup your system to auto lock its screen and when your computer is part of a domain system. Please take a look at the YouTube video below for more information.

Then the standard and best approach is to implement a Group Policy that automatically locks the screen of the entire workstations or machines or users on the AD domain.

Configure Windows device inactivity limit locally and domain wide

You can further read about How to add a new Domain Controller to an Existing Domain, and how to Grant Non-Domain Admin Privileges to Manage Workstation,

1. Configure Windows Device Inactivity Limit Locally using Local Security Policy

Run secpol.msc to Open Local Security Policy.

cmd

Expand Local Policies in the left pane and click on Security Options to open the policies on the right pane.

LSP

Scroll down the Policies and click Interactive logon: Machine inactivity limit policy to open its properties.

interactive

Enter a number in the box “Machine will be locked after” for how many seconds of inactivity you can allow before automatically locking your computer. The default is 0 seconds to not automatically lock the computer.

interactive2

Close the Local Security Policy window and restart the computer to apply the configuration.

2. Configure Windows Device Inactivity Limit Locally using Registry Editor

Run regedit.exe to Open Registry Editor and navigate to this registry key location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
registry

In the right pane double click inactivitytimeoutsecs DWORD to modify it.

inactivity

Inside the Value data box enter the inactivity timeout in seconds and click OK. Close the Registry Editor and restart the computer to apply the configuration.

DWORD

Please see How to configure user resource limits and restrictions in Linux, how to Prevent users from saving RDP Credentials on Windows 11, and “Automatically Log Out After a Period of Inactivity on Mac“.

3. Automatically lock your inactive computers in a domain Using GPO

We shall be using GPO to Configure Windows Device Inactivity Limit Locally and Domain Wide.

Open your Domain Controller and launch the Server Manager. Click on Tools tab and select Group Policy Management. Or you can run gpmc.msc to Open Group Policy Management.

GPM

After opening the Group Policy Management then you can create a new group policy. Right-click Group Policy Objects and click New.

GPO

Enter a name for the new group policy. I will use “TechDirectDeviceInactivity” for our GPO.

new GPO

Right-click on the new Group Policy Object created and select the edit option.

GPM2

On the Group Policy Management Editor screen, expand the Computer Configuration and locate the following.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
securityoption

On the right pane for policy, double-click on Interactive logon: Machine inactivity limit.

GPM Editor

Check the box Define this policy setting and enter the desired amount of inactive time in seconds.

security setting

Click OK and close the Group Policy Management.

Also, see how to Enable Time Limit to Disconnect Remote Desktop After Inactivity, and how to create a Dev Drive on Windows 11.

On the Group policy management right-click the domain and select the option to link the newly created Group Policy object.

link GPO

Link the new Group Policy object created to the selected domain and click OK.

select GPO

After configuring and applying the GPO you need to wait some minutes for the GPO to replicate to other domain controllers and workstations.

But if you want the GPO to propagate immediately then you can run “gpupdate /force” on a specific workstation.

I hope you found this blog post on how to Configure Windows Device Inactivity Limit Locally and Domain Wide Interesting and helpful. If you have any questions do not hesitate to ask in the comment section.

5/5 - (1 vote)
Windows, Windows Server Tags:, , , , , , ,

Related Posts

More Related Articles

Fix Secure Boot certificate expiration Enable Secure Boot: Fix Secure Boot certificates expiration Windows
WDS An error occurred while trying to start the Windows deployment services error 0x906 Windows Server
shrink and create partition How to shrink and create new partition on Windows Server Windows Server
How to Force Stop a Grayed Out Windows Service How To Force Stop A Windows Service When Stop Option Is Grayed Out Windows
How to Install Winget on Windows Server How to Install Winget on Windows Server Windows Server
screensaver1 Prevent Windows Users from Changing the Screen Saver via the Registry Settings Windows

Leave a Reply