Force logoff Policy 2 hours of Idle


  • I have researched this issue in the past but have not found a solution that fits my needs.

    I would like to apply a GPO that will logoff all users from a PC in our classroom after two hours of inactivity (idle) however this force logoff can ONLY effect the user if they logged into our classroom computers that are in their own specific OU "Classroom Computers OU" 

    All of my users are in a single User OU (I did not set this up and I am not allowed to change this). 

    Is there a way to configure this?

    The clients are running Windows 7 and the DC is WS2012r2
    • Edited by TheUsD Monday, January 30, 2017 8:23 PM
    Monday, January 30, 2017 8:22 PM

All replies

  • There isn't a way to configure this without using a workaround.  You have to understand that MS Active Directory uses Kerberos for authentication, authorization and access to all resources in a network including even, the computer to which you logged onto.  Kerberos, doesn't have a facility to go in and track your "idle time" and log you off a workstation if idle time is exceeded.  There are workarounds however to get the two-hour idle time logoff, and they are detailed in this thread which was marked as answered by a user with the same question as yours:  Force User logoff - Server 2008.  Note:  There is a policy called “Network security: Force logoff when logon hours expire" but that isn't what you are looking for.

    Best Regards, Todd Heron | Active Directory Consultant

    Monday, January 30, 2017 10:44 PM
  • We had the same problem in our classroom. I could not find an easy way to do this just for logoff, without scripting. However, it is easy if it is ok to restart the computer. The result is the same. The computer should also not go into sleep or hibernation before the 2 hours + the time set for auto-lock. Also this does not work with fast user switching.

    Here is what I ended up doing:

    Make sure that the machine auto-lock after X minutes after Idle. That can be done with the policy: Computer Settings > Policies > Windows Settings > Local Policies/Security Options > Interactive logon: Machine inactivity limit


    Create two tasks in the user context:

    Task one:

    Run as user.

    Trigger on Workstation lock

    Run this command: Shutdown /r /f /t 7200

    This will start restart the computer 2 hours after the machine has been locked.


    Task two:

    Run as user.

    Trigger on Workstation unlock

    Run this command: Shutdown /a

    This will abort the restart command.

    Thomas Iversen

    Tuesday, January 31, 2017 7:15 AM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, February 06, 2017 9:43 AM