Win7 Screensaver GPO Randomly Not Working

gimp

So this is an issue we've been having for a while now, with no rhyme or reason that I can find.

We have a screensaver GPO set for only Win7 machines, and we configured it for the "Blank" screensaver (scrnsave.scr).

On the majority of machines, it works as expected. When going to Personalize, screen saver is set to "Blank."

However, on random machines, the screen saver is set to "None."
Therefore, the screensaver never kicks on (despite having a GPO configuring the timeout for 10 minutes.)

Unfortunately, I have not been able to find a cause. I run gpupdate on affected machines, no change. I run RSOP for the machine, and it displays the GPOs are being applied.

It almost seems the only way to resolve the issue is to reimage the machine, but that's not exactly a preferred "fix."

Our Win7 image is standardized. We apply the same WIM to all machines, along with sysprep and the usual stuff. So our machines are identical regarding the OS.

Any ideas on how to try and find the root cause and a resolution?
 
On an affected machine, from a cmd prompt type in gpupdate /target:user /force

Have another user from the same OU log into one of the machines that's acting up to see if the settings apply to them. If it works for one person but not another (from the same OU) there could be a policy configuration issue.
 
I have one of the affected laptops with me.

I logged in as myself, and it's "None." I run an elevated cmd prompt (although our UAC settings require admin credentials, and I have a different admin account) and run the gpupdate. No change.
Rebooted.

Logged in with 2 different test accounts from another OU, and still "None."
 
I'm sorry, running an elevated prompt will update the account of the administrator you use to elevate UAC. You just need to run it from a normal cmd prompt.
 
Code:
gpresult /v

Code:
            GPO: Win7HardeningFinal
                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE
                Value:       115, 0, 99, 0, 114, 0, 110, 0, 115, 0, 97, 0, 118, 0, 101, 0, 46, 0, 115, 0, 99, 0, 114, 0, 0, 0
                State:       Enabled

No change.
As you can see from the gpresult /v above, it says the policy is getting applied.

Oddly, I can't find the "Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE" key anywhere.
The HKCU\Control Panel\Desktop\SCRNSAVE.EXE key only exists in the local admin account where I manually changed the screensaver to Blank.

It appears it thinks the GPO is being applied, but it's not actually creating the reg key?
 
Is the GPO a user or computer policy? It could be under HKLM or HKCU depending on which it is.

Is the policy a pre-defined one in the group policy template or are you just writing a registry value? If it's predefined, where in the GPO is it?

Have you checked http://support.microsoft.com/kb/2616727?
 
I believe it's in the same Win7HardeningFinal GPO that includes everything else.
I believe the screensaver settings (timeout, etc) are in user config, but there's also a WMI-filter to only affect a user if they're on a Win7 machine.
 
It's in the user config, and it is the pre-defined policy "Force specific screen saver" in:
User Config\Administrative Templates\Control Panel\Personalization

We also have the following policies configured:
Enable screen saver - Enabled
Prevent changing screen saver - Enabled
Password protect the screen saver - Enabled
Screen saver timeout - 600 seconds
Force specific screen saver - scrnsave.scr

gpupdate is successful, but the screensaver is still set to "None"
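
An added diagnostic sketch, not code from the thread: it decodes the byte list that gpresult /v printed for SCRNSAVE.EXE and compares the logged-on user's policy registry values with the settings listed above. In gpresult output the KeyName line is the key path followed by the value name, so SCRNSAVE.EXE is a value under the Desktop policy key rather than a key of its own. The value names for the other three settings are the ones the standard Personalization templates write; "Prevent changing screen saver" is stored under a different key and is not checked here.

```powershell
# Added example, not from the thread. Run as the affected user in a normal
# (non-elevated) PowerShell session so that HKCU is that user's hive.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Expected data, taken from the policy list in the post above.
$expected = [ordered]@{
    'ScreenSaveActive'    = '1'             # Enable screen saver
    'ScreenSaverIsSecure' = '1'             # Password protect the screen saver
    'ScreenSaveTimeOut'   = '600'           # Screen saver timeout (seconds)
    'SCRNSAVE.EXE'        = 'scrnsave.scr'  # Force specific screen saver
}

# gpresult /v prints REG_SZ data as a decimal list of UTF-16LE bytes.
function ConvertFrom-GpresultValue([string]$ByteList) {
    $bytes = [byte[]]($ByteList.Trim() -split '\s*,\s*')
    [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

# Byte list copied from the gpresult output earlier in the thread.
$reported = ConvertFrom-GpresultValue ('115, 0, 99, 0, 114, 0, 110, 0, 115, 0, ' +
    '97, 0, 118, 0, 101, 0, 46, 0, 115, 0, 99, 0, 114, 0, 0, 0')
"gpresult reports SCRNSAVE.EXE = '$reported'"

if (Test-Path -LiteralPath $policyKey) {
    $actual = Get-ItemProperty -LiteralPath $policyKey
    $rows = foreach ($name in $expected.Keys) {
        # Look the value up by name; 'SCRNSAVE.EXE' contains a dot, so use the
        # property collection instead of member access.
        $prop  = $actual.PSObject.Properties[$name]
        $value = if ($prop) { [string]$prop.Value } else { $null }
        [pscustomobject]@{
            ValueName = $name
            Expected  = $expected[$name]
            Actual    = $value
            Match     = ($value -eq $expected[$name])
        }
    }
    $rows | Format-Table -AutoSize
} else {
    # RSOP/gpresult list the setting, but nothing was written for this user.
    Write-Warning "Policy key not present for this user: $policyKey"
}
```

A missing key or a row with Match = False on an affected machine confirms that the value reported by gpresult never reached that user's hive.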
 
bumpity.
Any ideas why the GPO is "getting applied" but not actually creating the reg key?
 
Are the PCs which are not getting updated in a different OU?

We have dozens of OUs for machines due to the number of divisions in the org.

The issue occurs randomly in what appears to be any OU.

The issue is not specific to any OU, and a lot of machines in all the OUs do get the setting applied properly.
 