There aren’t a lot of descriptive articles about people having the same problem, so I thought I would contribute my own experience and workaround for distributing power management settings to Windows XP Pro computers in a Windows 2003 Server AD environment when users from multiple domains are involved. This is not really elegant, but it works. There might be a better way to do it through other GPOs, but as you’ll see, I’m kind of a newb…
The Business Instructional Facility (BIF) houses a multi-classroom lab known as the Markets Information Laboratory (MIL). The MIL consists of two classrooms and a small lab area. There are about 60 computers in the MIL, with about half of them being dual-monitor setups. Ten of them are in the area between the two classrooms and are used as a general lab. Since BIF is the campus’ first “green” building, we are trying to implement as many power saving techniques as plausible.
One note: my group was not responsible for the initial image used on these computers. We have since been assigned the task of managing the computers in the lab, but there are some flaws in the image that have caused the current issues. These will be reimaged before the Fall semester, so this workaround may no longer be necessary.
I should also note that the computers in this lab are members of the CBA domain run by the Office for Information Management in the College of Business. The CBA domain has a one-way trust with the UIUC domain maintained by CITES at the University of Illinois. This trust relationship allows students to log into CBA domain computers via their UIUC AD accounts, rather than creating redundant accounts on our domain.
The problem I was tasked with resolving is a power management issue related to the monitor standby setting. Our group noticed that some of the computers go to screen saver and some go to standby. Since we are trying to save power, I was tasked with getting them all to go to standby.
When this issue first came up at the beginning of the semester, I got the CS grad student who was being paid as a lab monitor (and also happened to create the lab image) to try some tweaks to fix the problem. These included running a .reg file to modify the registry for a user when they logged in, which didn’t work properly.
After a lot of investigation, I determined the following:
- All computers in the lab have the screen saver disabled for all users.
- All computers have monitor standby set to start after 10 minutes of inactivity for local administrator accounts.
- The default user profile sets the monitor standby for new users to Never.
- When a user’s power management settings tell the monitor to never go into standby mode and the screen saver is disabled, the screen saver starts after 10 minutes anyway.
- The power management settings from the last logged in user are still in effect after reboot, so a computer that is rebooted and sitting at the logon screen will follow those settings (not those of the default user or any other default settings).
The idea that was initially given to me by my boss worked on the assumption that these initial settings were pulled from the default user profile and that if I copied a user profile with correct settings to the default user profile, it would fix the issue after reboot. I made the mistake once of copying an administrator-level profile to the default user profile with disastrous results. I logged into my UIUC AD account, as I knew that this account would have the same user permissions as all of the students who logged in. I went to set the correct power management settings only to find out that I wasn’t able to modify them through the power management GUI. This was sort of a relief, as I didn’t really want to do this on every computer in the lab.
Next, I looked into managing these settings via Group Policy. Windows Vista has power management via Group Policy Object built into it, but Windows XP does not support this functionality. The U.S. government has released a GPO that works with Windows Server 2003 Active Directory to control Windows XP Pro power management settings. It is supposed to work with Windows 2000, as well, but I did not test that. This is Energy Star’s EZ GPO. There is also a client which has a .msi installer that must be installed on the Windows XP/2000 computers. The FAQ says that you may have to reboot several times after installing the .msi for the client to take effect.
To configure EZ GPO, I decided to use the Administrative Template for Computer Configuration, as all of the computer objects for these computers are in a single OU. The user accounts are spread between multiple domains and I do not necessarily want the settings to affect computers outside of this lab, so a Computer object GPO meets my needs. Initial testing showed that this GPO worked well for both local accounts and CBA accounts on my local computer. I could modify the number of minutes before monitor timeout in the GPO, reboot, log in, and watch the change take effect. I hit a roadblock when I tested my UIUC AD account, however. The GPO failed for users in the UIUC domain, in spite of the settings within the GPO that told it to always override the user’s power management settings. I tested this with an account that already had a profile on the machine (my own AD account) and with a new profile (a co-worker logged into the machine after the GPO was in place) and neither took on the settings of the GPO.
I think that the EZ GPO would be useful in a single domain environment, but it just didn’t work for this lab. I also think that if I knew more about pushing installers out via GPO, I would be very likely to use it for some other areas in the College of Business…a project for the backburner, I suppose.
I’m fairly inexperienced with creating Group Policies, as I did not have anything to do with Group Policy creation or manipulation when I worked for CEE, but I’ve been trying to get used to using it with CBA. I started working with it a bit in December to restrict settings on the computers in the BIF classrooms. For those, we have a single user account, in addition to each of the computer objects. Since that user account is only used for those classroom computers, the GPO restrictions could be put in place for the user account and not the computer account.
From my investigation over the winter, I knew that the User Configuration portion of GPO had sections for logon/logoff scripts and that the Computer Configuration portion had sections for startup/shutdown scripts. I remembered investigating the powercfg.exe command line utility when I was looking into the fix a few months ago (when the grad student was supposed to fix it), so I started going through the command line flags for it. I wrote a one-line batch file that contained the following line:
powercfg /change "Home/Office Desk" /monitor-timeout-ac 10
I had various ideas about how to execute this batch file, such as adding it to the Run Once key for new profiles created from the default profile. The problem kept coming back to “How do I get this to execute both for newly created profiles AND users who have already created profiles?” The idea I settled on was to add this batch file to the All Users Startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\) and have it execute every time the user logged in.
As an aside, I’ll note that these computers are all set to use the “Home/Office Desk” power scheme as the default, but if I wasn’t sure which scheme was in use, I could make multiple lines, each containing the name of a different scheme…or create a new scheme with this setting and set it active, like so:
powercfg /create "MIL Lab Settings"
powercfg /change "MIL Lab Settings" /monitor-timeout-ac 10
powercfg /setactive "MIL Lab Settings"
I do not know how Windows would handle these commands if the name of the scheme (MIL Lab Settings) already existed, so this might throw errors after the first time it is run for a single user.
I copied this batch file to my test machine and it worked. I tried to copy the batch file to each of the machines in the lab, but found that the administrative shares are unreachable. While this is probably a good thing for security purposes, it makes propagating this batch file a pain in the ass.
I decided, on a whim, to pop open the GPO I had been playing around with when I was working on the EZ GPO Administrative Template. I started clicking on the + signs next to each category under Computer Configuration (again, because of the multi-domain restrictions and not wanting to affect logins for non-lab machines) and found exactly what I needed…a logon template. If you open Computer Configuration->Administrative Templates->System->Logon, there is a template called “Run these programs at user logon.” I enabled this template, copied my batch file to our network file server, gave Everyone permission to read/execute the file, and added it to the list of files that would be run at logon. I rebooted my test machine and logged into my UIUC AD account. The batch file worked. I modified the monitor timeout setting in the batch file, logged out/in, and it changed the setting again. I tested my CBA account…success! I tested the local administrator account…fail! I logged into my UIUC account, let the monitor go to sleep, rebooted, and watched the logon screen. The monitor went to sleep when it was supposed to do so. The local administrator accounts on these computers have the settings from the initial image, which are the same settings we want, so I’m really not worried about that. The odds that anyone will log into the local administrator account are fairly slim, as that password is only known to two people, both of whom typically use their own CBA AD accounts for administration purposes.
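A version of the logon batch file that can run at every logon, covering both the scheme-creation case and the shared-file deployment described above. This is an added example, not the script from the original post; the log file location and the UNC path in the comments are placeholders, and the scheme name and timeout are the ones used in the post.

```batch
@echo off
rem Added example: logon script intended to be safe to run at every logon.
rem Assumptions: scheme name and 10-minute timeout come from the post;
rem the log file name under %TEMP% is hypothetical.
rem
rem This file runs for every user who logs on to a lab machine, so on the
rem file server it should be writable by administrators only. Everyone
rem needs Read (read/execute) and nothing more. To review the ACL from an
rem admin workstation (placeholder path):
rem     cacls "\\SERVER\SHARE\mil-power.bat"

setlocal
set "SCHEME=MIL Lab Settings"
set "LOG=%TEMP%\mil-power.log"

echo %DATE% %TIME% %USERDOMAIN%\%USERNAME% on %COMPUTERNAME% >>"%LOG%"

rem Create the scheme only when "powercfg /list" does not already show it,
rem so a second logon by the same user does not try to create it again.
powercfg /list | find /i "%SCHEME%" >nul
if errorlevel 1 (
    echo creating scheme "%SCHEME%" >>"%LOG%"
    powercfg /create "%SCHEME%" >>"%LOG%" 2>&1
)

rem Apply the monitor timeout and make the scheme active; powercfg output
rem is kept in the per-user log for troubleshooting.
powercfg /change "%SCHEME%" /monitor-timeout-ac 10 >>"%LOG%" 2>&1
powercfg /setactive "%SCHEME%" >>"%LOG%" 2>&1

endlocal
```

The per-user log records which domain account ran the script, which helps when comparing results across CBA, UIUC, and local accounts.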
I weighed the fact that it does not work on local accounts versus the fact that it works with all of the accounts we’re worried about and decided to proceed. I emailed three people in my group to see if they found any flaw in my method or reasoning. The only concern that was raised was the default user profile and how it affected the computer’s power management settings when a computer had been rebooted, but I told them about my findings with regards to the settings of the last user logged in affecting the initial startup settings. I was given the green light to deploy my GPO to the entire lab, which is exactly what I did this afternoon. I’ll update this if there are any issues.
The beauty of this method is that it is very simple for me to modify the monitor timeouts or add in other power settings in the future. All I have to do is modify my .bat file, add in lines for settings we want to test, and they get propagated with the next logon. I’m happy that this is finally done!