Thursday, January 26, 2006

Installing the winexit screensaver using AD Group Policy

I was asked last week to create an install package that would enforce what my company calls an electronic clean desk policy. I work for a large Business Process Outsourcing company that does quite a bit of data entry – mostly outside the U.S. We have about 20,000 employee doing data entry. Most of the data entry is done from scanned images. Those scanned images can be health claims, insurance claims or credit card applications. We call the images/data PII or Personal Identifiable Information. If the image or data contains a first name, last name and identifying number, then it’s classified as PII.

Our electronic clean desk policy states that PII must be shredded from a workstation after the employee has finished their shift. It also states that the shred should be automatic, if a user fails to do it manually. Our data-entry is done using internet explorer, so the images and data is cached in the user’s profile. This is either in the temp folder or the Temporary Internet Files.

My solution was to create a logoff script that uses SDELETE.EXE from The logoff script will shred everything in the temp and Temporary Internet Files when a user logs off. Data Entry Operators are requested to logoff whenever they leave their workstations.

If a user forgets to logoff, then the computer must automatically logoff. The only way I found to do this was to use the Windows Logoff Screensaver that is included in the 2003 Server Resource Kit.

The screen saver has problems. For one thing, there is no good way to distribute it. It just comes as a .scr file. It would be impossible to copy it to every workstation. The other problem is that it has a significant bug. It requires read/write access to a registry key as described in KB Article 15677. I found a way to get around these issues. I created an MSI file that will create the required registry key, and then give all users access to it. The MSI file can be deployed as a package within AD.

I have supplied the installation package which includes the logoff script and install instructions and the screensaver HERE. Before you can deploy this in a domain, you have to edit the MSI file so that it includes your domain name within the MSI. Everything you need to deploy the Windows Exist Screensaver is in the package. It’s a little complicated, but it should only take about an hour to deploy.

The package also includes a group policy administrative template. The template originally came from David Carlin and posted on his blog at

Let me know what you think.


Jeff Shaw said...

Thanks for the post. I've found I need this exact thing for a customer of mine; I've d/l and will deploy soon.

Thanks again!

Salvatore said...

Thanks TJ!! It worked great!!

Anonymous said...

Thanks TJ