Configure Windows Device Inactivity Limit Locally and Domain Wide

In this article, I will show you how to configure the Windows device inactivity limit locally and domain wide. For security reasons, it is now important that your computer screen is locked when the system has been inactive or idle for some time. Please see How to access shared resources from two different domains and How to demote and remove a Domain Controller on Windows Servers. See also Configure Local Administrators Account lockout.
A Windows user can lock the computer screen manually with the shortcut Win + L. But you can also set up your system to lock its screen automatically. When your computer is part of a domain, the standard and best approach is to implement a Group Policy that automatically locks the screen of all workstations, machines or users in the AD domain.
1. Configure Windows Device Inactivity Limit Locally using Local Security Policy
Run secpol.msc to open Local Security Policy.

Expand Local Policies in the left pane and click on Security Options to open the policies on the right pane.

Scroll down the Policies and click Interactive logon: Machine inactivity limit policy to open its properties.

In the box “Machine will be locked after”, enter the number of seconds of inactivity to allow before the computer is locked automatically. The default is 0 seconds, which means the computer is not locked automatically.

Close the Local Security Policy window and restart the computer to apply the configuration.
2. Configure Windows Device Inactivity Limit Locally using Registry Editor
Run regedit.exe to open Registry Editor and navigate to this registry key location.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

In the right pane, double-click the InactivityTimeoutSecs DWORD to modify it.

Inside the Value data box enter the inactivity timeout in seconds and click OK. Close the Registry Editor and restart the computer to apply the configuration.
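
The following PowerShell is an added example, not part of the original article: it reads the InactivityTimeoutSecs value from the key above, reports whether the machine will lock automatically, and can set the value from an elevated session. The function names and the 900-second audit threshold are assumptions chosen for illustration.

```powershell
# Added example: audit and set the registry value described in section 2.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'InactivityTimeoutSecs'

function Get-InactivityLimit {
    param(
        # Assumed audit threshold (not from the article): flag limits above 15 minutes.
        [int]$MaxAllowedSeconds = 900
    )
    # The value may be absent if the policy was never configured; treat that as 0.
    $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $seconds = if ($null -ne $prop) { [int]$prop.$ValueName } else { 0 }
    $status = if ($seconds -eq 0) {
        'NoAutoLock'      # 0 means the computer is never locked automatically
    } elseif ($seconds -gt $MaxAllowedSeconds) {
        'TooLong'
    } else {
        'Compliant'
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Seconds  = $seconds
        Status   = $status
    }
}

function Set-InactivityLimit {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 599940)]   # range Windows accepts for this policy
        [int]$Seconds
    )
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKLM requires an elevated PowerShell session.'
    }
    # -Force creates the value if it is missing and overwrites it otherwise.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Seconds -Force | Out-Null
}

# Report the current state; uncomment the second line to set a 10-minute limit.
Get-InactivityLimit
# Set-InactivityLimit -Seconds 600   # restart afterwards, as in the steps above
```

On a domain-joined machine, Get-InactivityLimit can also be used to confirm that the GPO configured in section 3 has been applied.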

3. Automatically lock your inactive computers in a domain Using GPO
We will use a GPO to configure the Windows device inactivity limit across the domain.
Log on to your Domain Controller and launch Server Manager. Click Tools and select Group Policy Management. Alternatively, run gpmc.msc to open Group Policy Management.

Once Group Policy Management is open, create a new group policy: right-click Group Policy Objects and click New.

Enter a name for the new group policy. I will use “TechDirectDeviceInactivity” for our GPO.

Right-click on the new Group Policy Object created and select the edit option.

On the Group Policy Management Editor screen, expand the Computer Configuration and locate the following.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

On the right pane for policy, double-click on Interactive logon: Machine inactivity limit.

Check the box Define this policy setting and enter the desired amount of inactive time in seconds.

Click OK and close the Group Policy Management.
4. Link an Existing GPO in your domain.
In Group Policy Management, right-click the domain and select the option to link the newly created Group Policy object.

Link the new Group Policy object created to the selected domain and click OK.

After configuring and applying the GPO, you need to wait a few minutes for it to replicate to the other domain controllers and workstations.
If you want the GPO to propagate immediately, you can run “gpupdate /force” on a specific workstation.
I hope you found this blog post on how to configure the Windows device inactivity limit locally and domain wide interesting and helpful. If you have any questions, do not hesitate to ask in the comment section.