Forcing Users to Log Off

[nicksa82]

Hello,

I'm trying to enable a way to force users to log off when time expires in an Active Directory environment. We are running the latest AD on Windows 2003 Servers.

I have already tried enforcing this policy through Group Policy's and have had no luck. I did some research online and came across numerous articals that have lead me to the same point.

I have tried almost everything I can think of maybe someone here has some ideas?

Please help.

Thanks,
Nick
Network Admin.

 

[nicksa82]

Oh and one more thing:
We simply have logon hours edited for users to only be able to logon during certain hours. If the user somehow forgets to log off of the machine, then we want AD to automatically log off the user when their time limit is up. Currently it disconnects them from Network shares but they stay logged onto the machine.

 

[ctsolutionsbiz]

I'm in the same situation. I find it hard to believe that MS has never seen fit to give admins the ability to force automatic logoff from Windows after X minutes of inactivity or at a certain time. I understand that people would find it irritating if they lost unsaved documents, but I'm confident they would learn to save their work before getting up from their stations. Anyone know third party software that works well for this?

 

[ChicagoTechNet]

I wish you posted the results of your reseach online and shared them with us. Any way, I believe MS 2000 resource kits come with some tools such as logoff.exe and cconnect.exe.

For more tips or information, go to

http://www.ChicagoTech.net

Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at

http://www.ChicagoTech.net

 

[nicksa82]

CCONNECT is used for Concurrent logons.

The Winexit.exe sounded like it would have been the best route, except for the fact that we wanted to apply it to such a dynamic and ever changing Directory.

Applying it through GPO sounds like a good route as well except for the fact that you couldn't specify certain screensaver settings through the policy.

Nick

 

[markdmac]

This should be a fairly easy thing to do.

1. Set the logon hours for your users in Ad Users and Computers. Click the Account tab and then the logon hours button.

2. At the domain level create a GPO or edit the default one. Navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.

There you will find a policy element:
Automatically log off users when logon time expires

there is also a policy element:
Automatically log off users when logon time expires(local) in case you have set logon restrictions in the workstation security database too.

Save the policy, allow it to replicate between DCs and then force the policy to update on your workstations.

For Win2K run this command:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

For WinXP run this command:
gpupdate /enforce

You should note that I believe these settings will only work if your Domain is in Native Mode.