none
Network Security : Force Logoff when logon hours expire

    Question

  • Hi..

    We're trying to audit our Windows 2008 servers to see if all our Minimum Security Baselines are in effect.  We are able to get most of info needed from the registry or the rsop classes.. But we can't seem to find the Network Security : Force Logoff when logon hours expire for the life of us..  Anyone out in the cyber world know where I can find this setting in wmi object or registry for that matter??  Please help..

    Thanks..

    Monday, December 19, 2011 5:09 PM

Answers

  • Thanks for the quick reply guys, but I don't think I was very clear on my description of the problem...  I'm looking to query this information via power shell scirpts.. So I need to know which WMI class this info resides in.. I used    Get-WmiObject rsop_securitysettings -Namespace "root\rsop\computer"    and got most of the info i need.. But I can't find the info for the setting  Network Security : Force Logoff when logon hours expire   Can someone tell me which Wmi class I can look in to get this info??

    Thanks..


    You can only set it via a GPO on the Domain Controller.  You cannot set it by WMI.  If set it will be in RSOP computer/security network: settings.

    Run RSOP at the DC using GPMC console.  The instuctions are in the link.

    If the setting is not set then it will not show up in RSOP.  Only settings that are enabled show in RSOP.

    Get-WmiObject rsop_securitysettings -Namespace "root\rsop\computer" |
         ?{$_.Path -like '*ForceLogoffWhenHourExpire*'}

    This will only work after you have run RSOP and it will only work on a Domain Controller.

     

     

     


    jv
    Monday, December 19, 2011 9:27 PM

All replies

  • In Group Policy:


    Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Network Security : Force Logoff when logon hours expire


    ([string](0..9|%{[char][int](32+("39826578846355658268").substring(($_*2),2))})).replace(' ','')
    • Edited by Bigteddy Monday, December 19, 2011 5:23 PM
    Monday, December 19, 2011 5:23 PM
  • In Group Policy:


    Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Network Security : Force Logoff when logon hours expire


    ([string](0..9|%{[char][int](32+("39826578846355658268").substring(($_*2),2))})).replace(' ','')


    That forces a dsiconenct from the resource but does not log the user off from the workstaion.

    See: http://technet.microsoft.com/en-us/library/cc787251(WS.10).aspx

     Note that it must be defined in the Default Domain Policy to work correctly.

     


    jv


    • Edited by jrv Monday, December 19, 2011 5:36 PM
    Monday, December 19, 2011 5:28 PM
  • Thanks for the quick reply guys, but I don't think I was very clear on my description of the problem...  I'm looking to query this information via power shell scirpts.. So I need to know which WMI class this info resides in.. I used    Get-WmiObject rsop_securitysettings -Namespace "root\rsop\computer"    and got most of the info i need.. But I can't find the info for the setting  Network Security : Force Logoff when logon hours expire   Can someone tell me which Wmi class I can look in to get this info??

    Thanks..

    Monday, December 19, 2011 8:36 PM
  • Thanks for the quick reply guys, but I don't think I was very clear on my description of the problem...  I'm looking to query this information via power shell scirpts.. So I need to know which WMI class this info resides in.. I used    Get-WmiObject rsop_securitysettings -Namespace "root\rsop\computer"    and got most of the info i need.. But I can't find the info for the setting  Network Security : Force Logoff when logon hours expire   Can someone tell me which Wmi class I can look in to get this info??

    Thanks..


    You can only set it via a GPO on the Domain Controller.  You cannot set it by WMI.  If set it will be in RSOP computer/security network: settings.

    Run RSOP at the DC using GPMC console.  The instuctions are in the link.

    If the setting is not set then it will not show up in RSOP.  Only settings that are enabled show in RSOP.

    Get-WmiObject rsop_securitysettings -Namespace "root\rsop\computer" |
         ?{$_.Path -like '*ForceLogoffWhenHourExpire*'}

    This will only work after you have run RSOP and it will only work on a Domain Controller.

     

     

     


    jv
    Monday, December 19, 2011 9:27 PM
  • Thank You Very Much!!  This is exactly what I was looking for..  I though it would be in security settings, but I'm not checking it on a DC.  I'm still on the testing phase and I'm using some workstations for the test.. So obviously it's not set on my test machines..   Thank You again for your help!!
    Tuesday, December 20, 2011 2:34 PM
  • Thank You Very Much!!  This is exactly what I was looking for..  I though it would be in security settings, but I'm not checking it on a DC.  I'm still on the testing phase and I'm using some workstations for the test.. So obviously it's not set on my test machines..   Thank You again for your help!!


    I don't think you understand.  It is not a setting you set on a workstation.  It must be set at the DC.  It will only show at teh workstaion after the DC GP is set and after you run RSOP on the DC.  This cannot be managed from or at a workstation.

     


    jv
    Tuesday, December 20, 2011 4:07 PM