Allow Administrator to Force User Logoff?
-
Thursday, February 24, 2011 13:42
My organization is using a combination of Windows XP and Windows 7
workstations in an Active Directory domain. By policy, we do not permit
fast user switching; no more than one person may be logged in to a
workstation at a time.

We also have a problem of users walking away (distracted by multiple
tasks or situations requiring immediate response, not deliberate
abandonment) from the workstation and neglecting to log off. Education
is ... less than optimally effective. We have the system set so that if
the workstation goes idle, it locks, and requires the user to provide
their domain credentials to unlock the workstation.

On the Windows XP workstations, we can also provide an administrator's
credentials, and this will force the locked user to be logged off,
losing any open work, but not "crashing" anything.

On the Windows 7 workstations, we do not appear to have this option; we
must either have the user unlock the workstation - not always possible -
or "crash" the workstation (hard power-off and reboot). This is less
than entirely satisfactory. Is there a way to set the Windows 7
workstations to behave as the Windows XP workstations do, and allow an
administrator to supply his own credentials to force the locking user to
be logged off?
-- Jeff Zeitlin
All replies
-
Thursday, February 24, 2011 15:55
Offhand the only possible option I would see would work on a stand-alone workstation since you can't use the classic logon in a domain environment. You can use a "shutdown -L -F" for example "shutdown -m \\%computername% -L -F" to send a logoff command remotely to the workstation in question.
The GPO you are configuring I am guessing is "Hide entry points for Fast User Switching". The question that comes to mind is what is the reason you are trying to disable fast user switching? To save resources in case too many users are on one workstation or something else?
If that is the GPO you are configuring it isn't disabling the functionality, it is simply hiding it from being used, and if there is a security concern with the fast user switching capability I don't think this would necessarily alleviate that.
- Edited by Poltergheist Thursday, February 24, 2011 15:57 added a bit of info
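An added example, not part of the reply above or of any tool it mentions: one way an administrator could end a specific user's session on a remote workstation, using the built-in `quser` and `logoff` commands rather than `shutdown`. It assumes English-language `quser` output, administrator rights on the target, and that the target permits remote session queries; the function names, `WS-EXAMPLE01` and the sample users are hypothetical.

```powershell
# Added example, not from the thread. Assumes English-language quser output
# and that the caller is an administrator on the target workstation.

function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {      # skip header row
        # Column 1 is ' ' or '>' (current session). SESSIONNAME is empty for
        # disconnected sessions, so that column is optional in the pattern.
        $pattern = '^[ >](?<user>\S+)\s+(?:(?<name>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)'
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                UserName    = $Matches['user']
                SessionName = $Matches['name']
                Id          = [int]$Matches['id']
                State       = $Matches['state']
                IdleTime    = $Matches['idle']
            }
        }
    }
}

function Stop-AbandonedSession {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$UserName
    )
    $sessions = ConvertFrom-QuserOutput (quser /server:$ComputerName 2>$null)
    $target = $sessions | Where-Object { $_.UserName -eq $UserName }
    if (-not $target) {
        Write-Warning "No session for '$UserName' on $ComputerName"
        return
    }
    foreach ($s in $target) {
        # Unsaved work in the session is lost, as with the XP behaviour described.
        logoff $s.Id /server:$ComputerName
        Write-Output ("{0} logged off {1} (session {2}) on {3}" -f $env:USERNAME, $s.UserName, $s.Id, $ComputerName)
    }
}

# Constructed sample of quser output, used to check the parser offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>jdoe                  console             1  Active      none   2/24/2011 1:42 PM'
    ' asmith                                    2  Disc        1:05   2/24/2011 9:00 AM'
)
ConvertFrom-QuserOutput $sample | Format-Table UserName, SessionName, Id, State, IdleTime

# Live use (hypothetical names): Stop-AbandonedSession -ComputerName WS-EXAMPLE01 -UserName jdoe
```

The `Write-Output` line gives a record of which administrator ended which session; redirect it to a log file if forced logoffs need to be auditable.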
-
Friday, February 25, 2011 10:38 Moderator
Hi,
Please check whether the following link helps:
Use the Remote Shutdown Tool to Shutdown, Restart, or Logoff a Local or Networked Computer
http://maximumpcguides.com/windows-vista/use-the-remote-shutdown-tool-to-shutdown-restart-or-logoff-a-local-or-networked-computer/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If not, please describe your requirements in more detail.
Thanks.
Nina
-
Sunday, February 27, 2011 02:50
On Thu, 24 Feb 2011 15:55:51 +0000, Poltergheist wrote:
> Offhand the only possible option I would see would work on a stand-alone workstation since you can't use the classic logon in a domain environment. You can use a "shutdown -L -F" for example "shutdown -m \\%computername% -L -F" to send a logoff command remotely to the workstation in question.
This matches the information in the link that Nina Liu mentioned in the
message after yours in the thread; however, that link appears to
indicate that -m and -l cannot be used together - whereas that
combination, as you suggest above, is exactly what I appear to want.
Admittedly, the linked article talks about Vista, rather than Windows 7,
and perhaps it's changed, but... can anyone verify whether the
exclusion still holds (I'm on vacation this week, and don't have access
to an environment to test)?
> The GPO you are configuring I am guessing is "Hide entry points for Fast User Switching" The question that comes to mind is what is the reason you are trying to disable fast user switching? To save resources in case too many users are on one workstation or something else?
The resource issue is the primary issue, yes - user account security is
a concern, but our own administrative procedures work against us, and
users do share their credentials. Again, education is less than
optimally effective, largely because of our own administrative
procedures for dealing with forgotten passwords or transferring a user's
credentials into a different container (and different set of groups for
policy applications).

I'm not sure, specifically, what the policy being set is - I'm not
involved at that level; I'm what Novell used to call a 'workgroup
administrator' rather than being a server administrator. I have some
elevated privileges with respect to administration, but I don't have the
kind of carte blanche on servers that I essentially do on workstations,
or that the actual server administrators have on servers.
> If that is the GPO you are configuring it isn't disabling the functionality, it is simply hiding it from being used, and if there is a security concern with the fast user switching capability I don't think this would necessarily alleviate that.
Again, I'm not involved at that level - I'm simply trying to work with
what I'm dealt; and with the policy in place, I'm looking for a way to
force the workstation user to be logged off by an administrator, in
preference to crashing the workstation for a reboot.
-- Jeff Zeitlin
-
Sunday, February 27, 2011 05:06
There is no simple solution for your situation. The easiest thing would be a thin client infrastructure and smart card authentication. But I am also sure this is not what you are looking for, now. As long as users will share a computer, there will always be problems. You can use this logoff screensaver for Windows 7 to end sessions that are idle for a certain amount of time.
- Marked as answer by Nina Liu - MSFT Moderator Tuesday, March 8, 2011 02:16
-
Sunday, February 27, 2011 06:20
in our domain we do not have this symptom. I can logon with my admin_id and then choose to shut down the workstation, forcing out the abandoned user session. both for XP & Win7. but we don't have a need to inhibit "fast user switching" (by which i think you mean something i call exclusive console session).
Don -
Sunday, February 27, 2011 06:23
another thought.. you may be affected by a policy relating to "deny_powerdown_without_logon"? this (in conjunction with other settings) might be leading you to the crash-out-by-poweroff?
Don -
Tuesday, March 6, 2012 08:58
You should take a look at UserLock, Jeff.
Among other features, this 3rd-party solution will allow you to remotely lock or logoff any session (even sessions with local accounts), either from the administration console or the Web interface.

A fully-functional trial is available here.
François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com
- Edited by François Amigorena Tuesday, March 6, 2012 09:17
-
Friday, November 23, 2012 15:57
Hi Jeff. Did you ever figure out a way to make Win7 mimic the "log on as an admin to force logoff a locked computer" feature (that I love) in Windows XP? I'm facing the same dilemma right now, and have the same kind of users you do haha.
-
Monday, November 26, 2012 12:43
> Hi Jeff. Did you ever figure out a way to make Win7 mimic the "log on
> as an admin to force logoff a locked computer" feature (that I love)
> in Windows XP? I'm facing the same dilemma right now, and have the
> same kind of users you do haha.
As long as you didn't disable fast user switching, you can always change user and logon with your admin, then (through task manager) logoff other users. If you disabled user switching, sadly you need to reboot...
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!

