How to Configure Automatic Session Lock via Group Policy in Active Directory

Open the Group Policy Management Console with administrator privileges. This is your central hub for managing all domain policies.

gpmc.msc

Alternatively, navigate through Start Menu → Administrative Tools → Group Policy Management. The console will display your domain structure with all existing GPOs and organizational units.

Create a dedicated GPO for session locking policies. Right-click on your target Organizational Unit and select "Create a GPO in this domain, and Link it here." Name it descriptively, such as "Workstation Security - Session Locking".

For PowerShell automation, use this command:

Import-Module GroupPolicy
New-GPO -Name "Workstation Security - Session Locking" -Domain "yourdomain.com"

Replace "yourdomain.com" with your actual domain name. This creates the GPO but doesn't link it yet.

Right-click your newly created GPO and select "Edit" to open the Group Policy Management Editor. Navigate to the computer configuration security settings:

Path: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options

This path contains system-level security policies that apply regardless of which user logs in. The computer configuration ensures consistent enforcement across all user sessions on the workstation.

Scroll down to locate the "Interactive Logon: Machine inactivity limit" policy. This is the primary setting for automatic session locking in modern Windows environments.

Double-click "Interactive Logon: Machine inactivity limit" to open the policy settings. Check "Define this policy setting" and enter your desired timeout value in seconds.

Common timeout values:

• 900 seconds = 15 minutes (recommended for most offices)
• 1800 seconds = 30 minutes (for less restrictive environments)
• 600 seconds = 10 minutes (for high-security environments)
• 0 = disabled (not recommended for security)

Timeout range: 1-599940 seconds
Recommended: 900 seconds (15 minutes)

Enter your chosen value and click "OK" to save the setting. The policy will now show as "Enabled" in the security options list.

Close the Group Policy Management Editor and return to GPMC. Link your configured GPO to the appropriate OUs containing your target workstations.

Right-click the target OU and select "Link an Existing GPO," then choose your "Workstation Security - Session Locking" policy from the list.

For PowerShell linking:

New-GPLink -Name "Workstation Security - Session Locking" -Target "OU=Workstations,DC=yourdomain,DC=com" -LinkEnabled Yes

Replace the target path with your actual OU distinguished name. You can link the same GPO to multiple OUs if needed.

Link Order: If multiple GPOs apply to the same OU, ensure your session locking policy has appropriate precedence. Lower numbers have higher priority.

Apply the new policy immediately rather than waiting for the default 90-minute refresh cycle. Run this command on target workstations or from a central management system:

gpupdate /force

For remote updates across multiple computers, use PowerShell:

Invoke-GPUpdate -Computer "Workstation01","Workstation02" -Force
Invoke-GPUpdate -RandomDelayInMinutes 0 -Force

The RandomDelayInMinutes parameter prevents all computers from updating simultaneously, reducing network load.

For domain-wide updates targeting specific OUs:

Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=yourdomain,DC=com" | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force }

Verify the policy works correctly on target workstations. Log into a test machine and leave it idle for your configured timeout period.

Monitor the session behavior:

1. Log into a target workstation
2. Note the current time
3. Leave the workstation completely idle (no mouse movement or keyboard input)
4. Wait for your configured timeout period
5. Observe automatic session lock activation

Check the Windows Event Log for session lock events:

eventvwr.msc

Navigate to Windows Logs → Security and look for Event ID 4800 (workstation locked) and 4801 (workstation unlocked).

For PowerShell event checking:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4800} -MaxEvents 10

Some workstations may require different timeout settings or complete exemption from automatic locking. Configure security filtering to control policy application scope.

In GPMC, select your session locking GPO and navigate to the "Scope" tab. Under "Security Filtering," you can add or remove security groups to control which computers receive the policy.

Create a security group for exempt computers:

New-ADGroup -Name "SessionLock-Exempt" -GroupScope Global -GroupCategory Security -Path "OU=Security Groups,DC=yourdomain,DC=com"

Add computers to the exempt group:

Add-ADGroupMember -Identity "SessionLock-Exempt" -Members "WORKSTATION01$","WORKSTATION02$"

In the GPO's Delegation tab, add the exempt group with "Apply group policy" permission set to "Deny." This prevents the policy from applying to group members.

Alternative approach: Create separate GPOs with different timeout values for different computer groups, providing more granular control.

Establish monitoring procedures to ensure consistent policy application across your environment. Use Group Policy Results and Modeling tools for troubleshooting.

Generate Group Policy Results for specific computers:

gpresult /h C:\GPReport.html /f

This creates a detailed HTML report showing all applied policies and their sources.

For remote computer analysis:

Get-GPResultantSetOfPolicy -Computer "Workstation01" -ReportType Html -Path "C:\Reports\Workstation01-GP.html"

Common troubleshooting steps:

• Verify OU membership and GPO linking
• Check security filtering and delegation settings
• Confirm network connectivity to domain controllers
• Review Windows Event Logs for Group Policy errors
• Test with different user accounts

Use Group Policy Modeling to predict policy application before deployment:

Invoke-GPUpdate -Computer "TestWorkstation" -RandomDelayInMinutes 0