BasilFawltytoo
IS-IT--Management
Can I force a user to logout after a period of inactivity? We can't get people to do it through training and persuasion, so I'd like to boot 'em off the network after 5 mins of inactivity.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Force Logout after inactivity
- Thread starter BasilFawltytoo
- Start date
- Status
francisdela
Technical User
Edit the group policy for the domain, there is a setting in there that allows you to do what your asking
- Thread starter
- #3
BasilFawltytoo
IS-IT--Management
I realize this may sound dumb, but how do I do that? I've never really used Active Directory and I'm assuming it's in there somewhere.
- Thread starter
- #4
BasilFawltytoo
IS-IT--Management
Ok, got it. I'm assuming this is the 'sessions' tab in a users properties. I could also create an OU to apply this to a bunch of people I think.
First understand that group policy is something you can apply at different levels of active directory. Policies can be applied at the local level, site level, domain level, organizational level, and sub organizational level (an OU inside an OU) and they will be applied in that order, overwritting settings in previous policies if they are defined in the later policy. You have 3 default group policies already applied... local, domain, and domain controller (domain controller OU). A policy applied to an OU will only affect the users or computers in that OU (users or computers, not groups). So... since you have you have domain controllers in the domain controllers OU by default, the policy applied to it will only affect those domain controllers. To access the domain group policy, open active directory users and computers, right click your domain name and select properties. You will see a group policy tab. Click it. You will see the default domain group policy as well as other policies created at the domain level. You can edit your default policy or create an additional policy and then edit it. Exit that and right click your Domain Controller's OU (folder), select properties. Click the group policy tab. See the default domain controller's policy? The only policy not stored in active directory is the local policy which is stored locally on each and every computer (use the MMC snappin to get at local policy).
Rather than bouncing around active directory to edit Policies, you can use the MMC console (start, run, MMC) to work with your policies. Install the group policy snappin and pick your default domain policy. Install the group policy snappin again and select your default domain controller's policy. You can snap all your policies into this one console and save it. The properties of your domain and OU's will show you where policies are applied (Note: a policy can be applied to more than one OU if you desire).
As for the policies themselves, they are divided into two catagories... computer and user. All the compute policies apply ONLY to computer objects in active directory and user policies apply ONLY to user objects in active directory.
Since you are interested in automatically disconnecting computers if they are idle, you might want to apply that to all your users and computers except the domain controllers. There is a way to do this at the domain level. Create a new domain policy (I wouldn't use an existing policy with this method) to do what you want. Enable advanced view in active directory. Now go back to the policy, highlight your new policy and select the properties tab. A security tab appears in the properties because you are in advanced view. In the security, add your domain computers to the access control list shown. Highlight the domain controller you add and at the bottom DENY the apply group policy. Do this for all the controllers. Now the policy will apply to all in the domain but the policy will be denied to your domain controllers. You don't want them to disconnect if idle.
There's alot of settings in group policy. I haven't seen one that specifically sets a computer to log off if idle. If you don't find one, a workaround for this might be using group policy to force clients to use a program as it's default screen saver and the program can be capable of disconnecting users after a set time... or setting a task in the task scheduler that disconnects and shuts down at the end of the work day (allow for overtime).
Rather than bouncing around active directory to edit Policies, you can use the MMC console (start, run, MMC) to work with your policies. Install the group policy snappin and pick your default domain policy. Install the group policy snappin again and select your default domain controller's policy. You can snap all your policies into this one console and save it. The properties of your domain and OU's will show you where policies are applied (Note: a policy can be applied to more than one OU if you desire).
As for the policies themselves, they are divided into two catagories... computer and user. All the compute policies apply ONLY to computer objects in active directory and user policies apply ONLY to user objects in active directory.
Since you are interested in automatically disconnecting computers if they are idle, you might want to apply that to all your users and computers except the domain controllers. There is a way to do this at the domain level. Create a new domain policy (I wouldn't use an existing policy with this method) to do what you want. Enable advanced view in active directory. Now go back to the policy, highlight your new policy and select the properties tab. A security tab appears in the properties because you are in advanced view. In the security, add your domain computers to the access control list shown. Highlight the domain controller you add and at the bottom DENY the apply group policy. Do this for all the controllers. Now the policy will apply to all in the domain but the policy will be denied to your domain controllers. You don't want them to disconnect if idle.
There's alot of settings in group policy. I haven't seen one that specifically sets a computer to log off if idle. If you don't find one, a workaround for this might be using group policy to force clients to use a program as it's default screen saver and the program can be capable of disconnecting users after a set time... or setting a task in the task scheduler that disconnects and shuts down at the end of the work day (allow for overtime).
- Thread starter
- #6
BasilFawltytoo
IS-IT--Management
Wow. Thanks for the info Seaspray0. That should keep me busy!
Seaspray, can I ask another question on this posting? Is it possible to set time-out settings for disconnection on web wsession windows users leave at the bottom of their screens? I would like to log off unused open web site sessions after say 5 minutes of inactivity.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question
- Locked
- Question