Session limit in 2003 server (non-terminal services)

Status
Not open for further replies.

DoahMonty

IS-IT--Management
May 15, 2006
87
US
I am setting up a network for a client that will run 2003 Server as a Domain Controller, with XP Pro client workstations. I have been asked to set each user's "Idle session limit" to 1 hour. By session, I mean Domain login time. So basically, if a user is inactive on the domain for a period of 1 hour, then they will be disconnected from it. I immediately assumed this was done in AD Users and Computers under the Sessions tab in a user's properties. I then found out that this is for Terminal Service clients' session limit. So my question is: how can I kick a user off of the domain after an inactive period of 1 hour? Is this even possible? I express my gratitude ahead of time for any help. Thanks..
 
There may be a way of doing this, not too sure. But you can have the PC locked after one hour using group policy. Under User Configuration > Administrative Templates > Control Panel > Display set the following settings

Screen Saver - Enabled
Screen Saver executable name - logon.scr (double check to make sure this file exists in the %systemroot%\system32 directory first)
Password protect the screen saver - Enabled
Screen Saver Timeout - 3600 (that's one hour in seconds)

Not perfect, but hopefully this can help you out? Good Luck ;-)

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
Uhm... I'm not sure if this will help my issue. I should have been more descriptive. I need this automatic logoff to occur after an inactive period of 1 hr to eliminate the running out of CALs. If the users leave their machines on at the end of the day, and another office connects via the VPN the next morning, there will be no CALs for them to log on to the domain. Thanks for your reply.
 
No ... my suggestion is pretty useless then isn't it !! However, check out the following link.
If you just use my GPO settings and replace logon.scr with winexit.scr then you should be there. Of course you'll have to copy the file to all your client PCs for this to work - or else specify a UNC to the file instead. But maybe it would just be best to restrict the logon hours on the user accounts and then say log them off if they go over the logon hours? That way users can go to meetings etc. during the day without the risk of being forcefully logged off their PCs?

 
Hmm... This sounds very promising. I checked my %systemroot%\system32 directory and did not find winexit.scr. I will research this a bit more and let you know how it works out. Thank you very much for your help. I'll keep ya posted. [peace]
 
First thing we should probably discuss, and I'm guessing on this one, is you have device CALs, correct?

Anyway, this is from Microsoft:

Code:
Per User or Per Device Mode

Per User/Per Device mode is defined as follows:
• A separate Windows CAL (of either type) is required for each user or device that accesses or uses the server software on any of your servers.

• The number of Windows CALs required equals the number of users or devices accessing the server software.

• If you choose this licensing mode, your choice is permanent. You can, however, reassign a Windows CAL from one device to another device or from one user to another user, provided the reassignment is made either (a) permanently away from the one device or user or (b) temporarily to accommodate the use of the Windows CAL either by a loaner device, while a permanent device is out of service, or by a temporary worker, while a regular employee is absent.

Per User/Per Device mode tends to be the most economical designation for Windows CALs in distributed computing environments where multiple servers within an organization provide services across most devices or users.

Note that Per User/Per Device mode replaces Per Seat mode, used in previous licensing models.

at this website:

From what I am gathering from the 3rd "bullet", your solution doesn't really fix this issue. Your solution makes no mention of how you would support additional devices, even if the others are not accessing at that time.
 
Uhm.. Perhaps I am confused then... I have a Windows 2003 Server with 25 CALs.. Can't remember if I chose per user or per device during setup, but I thought either way I am allowed to have 25 "connections" to my server because that is all the CALs will allow. Perhaps it would be easier to talk my boss into another lot of CALs. lol. That would surely rectify the problem. Am I correct in my assumption about how CALs work? From what I see in your post I believe I am, but not sure. I thought the second a user logged off of the domain, then a CAL would become available because it is no longer being used..... No? I appreciate any/all help on this matter. [pc]
 
As was mentioned above... you can follow the link below to download the Windows 2003 Server Resource Kit which contains Winexit.scr


Once downloaded and run, you'll find the file in
C:\Program Files\Windows Resource Kits\Tools

Right-click on Winexit.scr and select Install. This will make the "Logoff Screen Saver" available in the list of screen savers under Display properties.

Once selected, you can then mod the settings to 'Force Application Termination' as well as a countdown for 'Time to logoff'. If you set the screen saver to a period of 180 minutes (3 hours), I think that should do the trick for you.

And, also as mentioned above, instead of installing on each individual machine, you can drop the two files (winexit.scr and winexit.hlp) into a shared folder on the server with appropriate permissions.

Another option, again as mentioned above, but with a little more detail, is to establish logon hours in AD Users & Computers. Use this judiciously so you're not affecting users who may actually need to be logged in 'after hours'.

Once you have the desired accounts configured, go to Domain Security Policy\Local Policies\Security Options and find the 'Microsoft Network Server: Disconnect clients when logon hours expire' and set it to enabled.

And lastly, you can always resort to using the Windows XP Scheduler to execute Shutdown.exe -l at a specified time each weekday.


HTH,
TwistedAdmin

[ A+ Certified, Net+ Certified ]

"Old men are always young enough to learn."

~ Aeschylus
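
The logon-hours option discussed above is stored on each account as the `logonHours` attribute: 21 bytes, one bit per hour of the week in UTC, starting Sunday 00:00, least significant bit first. The following is an added example, not part of the original posts, that builds such a mask from local office hours and checks whether a given moment falls inside it; the function names, the UTC-5 site and the 07:00-19:00 window are assumptions made for illustration.

```python
from datetime import datetime, timezone

HOURS_PER_WEEK = 168  # logonHours is 21 bytes = 168 bits, one per hour, in UTC


def build_logon_hours(days, start_hour, end_hour, utc_offset=0):
    """Return the 21-byte mask allowing [start_hour, end_hour) local time on `days`.

    days: iterable of 0..6 where 0 = Sunday (the attribute's own day order).
    utc_offset: whole hours the site is ahead of UTC (negative for the Americas).
    """
    mask = bytearray(HOURS_PER_WEEK // 8)
    for day in days:
        for hour in range(start_hour, end_hour):
            # Shift the local hour to UTC and wrap around the week boundary.
            idx = (day * 24 + hour - utc_offset) % HOURS_PER_WEEK
            mask[idx // 8] |= 1 << (idx % 8)  # least significant bit = earliest hour
    return bytes(mask)


def is_logon_allowed(mask, when):
    """True if the mask permits logon at the timezone-aware datetime `when`."""
    if len(mask) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be exactly 21 bytes")
    when = when.astimezone(timezone.utc)
    day = (when.weekday() + 1) % 7  # Python: Monday=0; attribute: Sunday=0
    idx = day * 24 + when.hour
    return bool(mask[idx // 8] & (1 << (idx % 8)))


def allowed_hours(mask):
    """Number of permitted hours per week; 168 means the account is unrestricted."""
    return sum(bin(b).count("1") for b in mask)


# Constructed example: Monday-Friday 07:00-19:00 at a site on UTC-5.
OFFICE = build_logon_hours(days=range(1, 6), start_hour=7, end_hour=19, utc_offset=-5)
UNRESTRICTED = b"\xff" * 21  # every bit set: logon permitted at any hour

if __name__ == "__main__":
    samples = [("Tue 14:00 UTC", datetime(2006, 5, 16, 14, tzinfo=timezone.utc)),
               ("Tue 03:00 UTC", datetime(2006, 5, 16, 3, tzinfo=timezone.utc))]
    for label, ts in samples:
        print(label, "allowed" if is_logon_allowed(OFFICE, ts) else "denied")
```

Because the mask is in UTC, a local window that crosses midnight UTC spills into the neighbouring day's bits, which is why the index wraps modulo 168.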
 
If you're configured for per-user, you have to have one CAL for each user in AD. NOT EACH USER CURRENTLY LOGGED ON.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

Want to know how email works? Read for yourself -
 
My understanding of this is 58sniper's suggestion of the CALs being for each user is spot on. For devices, I believe it is the same. If you wanted to remove the devices from the domain each time you're looking at a lot of fun. From what I read in the article above, you won't be able to add back into the domain (I know you can get around this one though):

You can, however, reassign a Windows CAL from one device to another device or from one user to another user, provided the reassignment is made either (a) permanently away from the one device or user
 