Microsoft KB Archive/915160

= How to use Powercfg.exe to create a Group Policy object for power schemes in Windows XP =

Article ID: 915160

Article Last Modified on 9/28/2007

-

APPLIES TO


 * Microsoft Windows XP Professional

-





INTRODUCTION
This article describes a step-by-step process for how to use the Powercfg.exe file in Microsoft Windows XP to create a power schemes Group Policy in a domain environment.



MORE INFORMATION
By default, users who do not have administrator rights and permissions cannot change power scheme settings. The power schemes program changes both per-user and per-machine settings. To change the per-machine settings, you must have administrator rights and permissions. Failure to set the per-machine settings prevents the per-user settings from being committed.

Therefore, if you are a user who does not have administrator rights and permissions, and you try to use the power schemes program in Windows XP to change the power scheme settings, you receive the following error message:

Power Policy Manager unable to set active policy. Access is denied.

Create a Group Policy object to change power scheme settings
To create a Group Policy object to change the power scheme settings, follow these steps:  On the domain controller, copy the Powercfg.exe file to the NETLOGON share.  By default, the Powercfg.exe file is located in the \System32 folder on a Windows 2003-based computer. By default, the NETLOGON shared folder is located at \Sysvol\Sysvol\ \Scripts on a Windows Server 2003-based computer.  Click Start, click Run, type dsa.msc, and then click OK. This starts the Active Directory Users and Computers snap-in. In the Active Directory Users and Computers dialog box, right-click the domain container, and then click Properties. On the Group Policy tab, click New.</li> Type Power Configuration Policy, and then press ENTER.</li> Click Edit.</li> Under User Configuration, expand Windows Settings, and then click Scripts.</li> In the right pane, double-click Logon, and then click Show Files. The user’s \Scripts\Logon folder appears.</li> In the user's Scripts\Logon folder, create a new batch file that sets the power scheme settings on the user's computer. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click File, click New, and then click Text Document.</li> Type PowerConfig.bat, and then press ENTER.</li> In the Rename dialog box, click Yes.</li> Right-click PowerConfig.bat, and then click Edit.</li> If an Open File - Security Warning dialog box appears, click Run.</li>  Type the following commands in the batch file: @echo off net use x: \\domain_DNS_name\netlogon x: powercfg.exe /change &quot;always on&quot; /monitor-timeout-ac 20 powercfg.exe /SETACTIVE &quot;always on&quot; c: net use x: /delete Note The domain_DNS_name term that is used in the batch file is a placeholder for the DNS name of the domain controller. </li> Click File, click Exit, and then click Yes.</li></ol> </li> Close the Scripts\Logon folder.</li> In the Logon Properties dialog box, click Add, click Browse, double-click PowerConfig.bat, and then click OK two times.</li> Under Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Local Policies.</li> <li>Click User Rights Assignment, and then double-click Shut down the system.</li> <li>In the Shut down the system Properties dialog box, click Add User or Group, type the user's domain name and account name in the User and group names box, and then click OK two times.</li> <li>Under Computer Configuration, expand Windows Settings, expand Security Settings, and then click Registry.</li> <li>In the Group Policy Object Editor dialog box, click Action, and then click Add Key.</li> <li>In the Selected key box, type the following entry, and then click OK:

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg

</li> <li>Click Add, type the user's account name in the Enter the object names to select box, and then click OK two times.</li> <li>In the Add Object dialog box, click Configure this key then, click Propagate inheritable permissions to all subkeys, and then click OK.</li> <li>In the Group Policy Object Editor, click Action, and then click Add Key.</li> <li>In the Selected key box, type the following entry, and then click OK:

USERS\.DEFAULT\Control Panel\PowerCfg </li> <li>Click Add, type the user's account name into the Enter the object names to select box, and then click OK two times.</li> <li>In the Add Object dialog box, click Configure this key then, click Propagate inheritable permissions to all subkeys, and then click OK.</li> <li>In the Group Policy Object Editor dialog box, click File, and then click Exit.</li> <li>In the domain container Properties dialog box, click OK.</li> <li>In the Active Directory Users and Computers dialog box, click File, and then click Exit.</li></ol>

Note The user must have the write permission for the following registry subkeys:

Note The first time that the user logs on to the user's computer, the policy will fail because the other rights and permissions have not taken effect. The second time that the user logs on to the computer, the policy is applied, and the user has permission to change the power scheme settings.

Configure user access to power settings
To deny permission to change the settings modified by the logon batch file, configure user access to the PowerCfg.cpl file. You can deny permission for the user to open the Power Options extension in Control Panel to view or to change the power settings. To do this, follow these steps:
 * 1) Click Start, click Run, type dsa.msc, and then click OK. This starts the Active Directory Users and Computers snap-in.
 * 2) In the Active Directory Users and Computers dialog box, right-click the domain container, and then click Properties.
 * 3) Under Computer Configuration, expand Windows Settings, and then click File System.
 * 4) In the Group Policy Object Editor dialog box, click Action, and then click Add File.
 * 5) In the Add a file or folder dialog box, type %SystemRoot%\system32\powercfg.cpl in the Folder box, and then click OK.
 * 6) Click Add, type the user's account name in the Enter the object names to select box, and then click OK.
 * 7) In the Permissions for user name access permission group, click to select the Deny check box for Full Control permission, and then click OK.
 * 8) In the Security dialog box, click Yes.
 * 9) In the Add Object dialog box, click Configure this key then, then click Propagate inheritable permissions to all subkeys, and then click OK.

<div class="references_section">