Force User Logoff when Time Expires

[crazyadmin]

I have a Windows NT 4.0 Domain with all Windows 2000 Pro workstations. I need to force the workstations to logoff users when their logon time expires. Does anyone know how to set this up?
I have checked the box in User Manager that says "Forcibly disconnect remote users from server...." but this only logs in the event log that their time has expired. That and they get a pop up message, but there is nothing that forces their system to log off that I can find.
Please help.

CraZyAdmin

 

[tahoe2]

I think I got this from the Tech-net site when I needed the info, hope this helps!

Network security: Force logoff when logon hours expire.

This setting affects the Server Message Block (SMB) component.

When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire.

If this policy is DISabled, an established client session is allowed to be maintained after the client's logon hours have expired.


You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Note

This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers.


Corie

 

[crazyadmin]

Thanks tahoe, but it looks like that article only applies to Windows 2000 domains as I cannot find those options on my NT 4.0 DC. Do you have the article number, maybe it would help me with my search.

 

[tahoe2]

In NT 4.0 server under Administrative tools, choose 'SYSTEM POLICY EDITOR', click on file and choose 'connect'. Type in the PC you want to administer, then the policies will be listed.

Hope this helps!

Corie

 

[crazyadmin]

Thanks, I was able to connect to a computer, but I cannot seem to find anything about forced logoff. Do you think I need another Policy template to see that option. I am running poledit from an NT4 server.

 

[tahoe2]

OK, once you connect to the remote PC, double click on the computer icon and choose 'WINDOWS NT REMOTE ACCESS'.
Check the box next to 'auto-disconnect' and a pull-down menu activates at the bottom of the screen where you set the time limit.

Corie

 

[crazyadmin]

How does that pertain to logon hours? I was under the impression that was only for remote access such as VPN.

 

[tahoe2]

Since my users all use their same PC every day, I had the user log in, then connected to their PC and set the individual PC policy WINDOWS NT REMOTE ACCESS to 480 minutes, and the PC automatically logs them out exactly 8 hours after they log in, no hassles. (even on the W2000 PC's)

This worked just fine for my NT network, and we don't have a VPN.

Corie

 

[jek38]

In case you have not already found this out, the domain "logon hours" option does not actually logoff the account, it simply disconnects the account from any connected network resource (mapped drives, etc). Which may be what you want, but it does not force the userid to logon to the domain again when the hour(s) are past.

 

[tahoe2]

No I didn't know that. For whatever reason, my users get booted completely when their hours expire. Could it be that the 'network resource' you are talking about is the network itself?

Corie

 

[crazyadmin]

Yea, that is my problem, I have the hours set and my security on the domain controller is set to disconnect users. I just cannot find a way in NT4 to have it log off the users on workstations.

 

[tahoe2]

I was messing around in User Manager and when I highlighted a user and clicked on 'POLICIES' then chose 'ACCOUNT POLICY', there was an option at the bottom of the screen that says 'Forcibly disconnect remote users from the server when their logon hours expire.'

Now, this was checked on my system, so maybe thats what forces my users to disconnect...

 

[Shadow38x]

We've had a problem that has recently come up that might be related to this topic. I have a workstation that is left running through the night. Lately, when I go to this workstation in the morning, it will run our tracking software but will not print reports from the software until I reboot the workstation.

It seems as though the NT Server is restarting itself, almost as if on a scheduled basis. When I go to the server, instead of showing the Server interface, I'm greeted with a "Press CTRL+ALT+DEL to log on" message.

Once the server has restarted, the workstation can still see the server drives, but it loses its connection to the printer. There are no forced logoffs in place for the workstation. Any idea what might be causing the server to restart itself on a daily basis? This has never been a problem before, and as far as I know, no one has changed any server settings. I've looked through various settings on the server, and can't find any regarding a periodic scheduled restart. Help!

 

[tahoe2]

right click on the 'my computer' icon and choose properties, then choose the 'startup/shutdown' tab and make sure the 'automatically reboot' box is UNCHECKED. That way, if it's crashing, you will see the crash screen, and can go from there.
Are there any clues in the event log?

Hope this helps,
Corie

 

[Shadow38x]

This is an old NT server that doesn't have a "My Computer" icon as far as I can tell. Is there another way to access the "startup/shutdown"?

 

[tahoe2]

Sure, just click START> SETTINGS> CONTROL PANEL and double click SYSTEM. That brings up the same properties window of the MY COMPUTER icon.

Corie

 

[Shadow38x]

This just doesn't exist on this old NT server software. I was going to try to find it on one of the workstations running Windows 98, but didn't see it there either.

 

[tahoe2]

What doesn't exist, the start button, the settings panel, the control panel or the system icon?
Here's another way to open it;
Click START>HELP, and look up startup>default hardware profile.
You don't want to change the default hardware profile, but there is a shortcut to SYSTEM PROPERTIES in this particular help window.
Go from there, and let us know what happens.

 

[jcastaldo]

The Group Policy solution appears to disconnect the user from the network, but not actually log the user off of the machine.

I work in a school, and need to make sure that when a user leaves a machine, he/she is logged out of windows.

I used the winexit.scr screen saver from the windows 2000 professional resource kit to accomplish the task. (I'm actually testing it, but it appears to work.)

See Microsoft Knowledge Base Article - 156677

Though it is possible to modify the registry setting of each computer, as well as manually copy the screen saver, I used active directory to modify the registry settings outlined in the KB article above, and I used a batch script to copy the screen saver to the workstations.

If anyone else has experience with this, or if you try it out and like the way it works, please send a response.