locked
Force User logoff - Server 2008 RRS feed

  • Question

  •  

    Has Microsoft added the ability to force user logoff after a specified amount of time with Group Policy on Server 2008?  I've been browsing through Group Policy and can't seem to find it.  (Assuming it's there.)  I rather not use the logoff screen saver for Windows XP if I can help it.

     

    If it's not there MS needs to get its act together and fix simple things like this.

    Friday, April 4, 2008 5:50 AM

Answers

  • Hi there,

     

    Unfortunately this functionality is still not there - you'll still have to use the old "winexit.scr" sreeensaver workaround for doing this... I'll make sure to bring it up next time I meet the GP guys in MS - have heard a lot of other people wanting this functionality.

     

    Best regards

    Jakob H. Heidelberg
    MVP:Enterprise Security

    Friday, April 4, 2008 8:13 AM

All replies

  • Hi there,

     

    Unfortunately this functionality is still not there - you'll still have to use the old "winexit.scr" sreeensaver workaround for doing this... I'll make sure to bring it up next time I meet the GP guys in MS - have heard a lot of other people wanting this functionality.

     

    Best regards

    Jakob H. Heidelberg
    MVP:Enterprise Security

    Friday, April 4, 2008 8:13 AM
  •  

    Thanks for the quick reply.

     

    I find it truely amazing that MS hasn't found it important to include this functionality in GP.  The fact that "winexit.src" exists shows that there is a desire by customers.

     

    I guess it's back to using 'winexit.src' for now.

     

    Thanks again!

    Friday, April 4, 2008 6:56 PM
  • Howdie!

     

     HIPAA-POTAMUS wrote:

     

    Has Microsoft added the ability to force user logoff after a specified amount of time with Group Policy on Server 2008?  I've been browsing through Group Policy and can't seem to find it.  (Assuming it's there.)  I rather not use the logoff screen saver for Windows XP if I can help it.

     

    Zilent's right - there currently is no such thing.

     

    What you could try - as an additional approach - is to use the "Network Security: Force logoff when logon user hours expire" in CompConf\Windows Settings\SecSettings\Local Policies\Security Options. That essentially cuts off SMB connections to file servers and such and prevents the user from re-connecting if I remember that right.

     

    cheers,

     

    Florian

    Monday, April 7, 2008 6:56 AM
  •  

    I'd just like to register my interest in this feature.
    Friday, April 18, 2008 12:16 PM
  • Have you considered a Preference..  Scheduled Task.. (on logon).. X minutes inactivity as the timer.. then execute logoff.exe with all the relevent command line arguments..

    Thursday, April 24, 2008 6:34 AM
  •  

    Hi,

     

    Regarding Scheduled tasks there's a slight problem with the use of that particular inactivity timer - as it uses CPU utilization (and maybe a few other parameters) as its tracking method over a certain period of time, not "user inactivity" (like mouse or keyboard clicks) as you might expect... However I haven't been able to confirm that with a KB article or another source at this point, so you just gotta trust me on this ;-)

     

    Best regards

     

    Jakob H. Heidelberg

    MVP:Enterprise Security

    Thursday, April 24, 2008 7:16 AM
  • how about setting something that we know works for user innactivity.. power management or Away Mode.. then trigger a logoff based on that activity?

    Thursday, April 24, 2008 1:31 PM
  • UserLock will do the job!
    François Amigorena President & CEO IS Decisions (Security Software) http://www.isdecisions.com
    Thursday, June 24, 2010 9:49 AM
  • Our software ActiveExit can do what winexit.scr does, only better. It supports Group Policy and Active Directory, please give it a try.
    Thursday, August 12, 2010 4:47 PM
  • While not as robust as ActiveExit, I'd recommend at least taking a look at the free alternative to winexit.scr available at http://www.grimadmin.com/staticpages/index.php/ss-operations
    Wednesday, September 22, 2010 3:39 AM
  • ok, that was April 4 2008, its now 2011 and i'm trying to do the same thing

    Have MS now put this in place?


    If you cant fix it with a hammer - its an electrical problem!
    Friday, July 15, 2011 9:45 AM
  • As far as Windows is concerned, nothing has changed since 2008 ... You will find details about this issue here.

    On the other hand, UserLock allows defining working hours and/or maximum session time for protected users. Outside of these timeframes and/or when time is up, users will be disconnected with prior warning.
    UserLock can detect when a password protected screensaver starts and can automatically logoff a session after a specific length of time.

    Besides, UserLock 6.0 (released in June 2011) now allows defining and enforcing daily, weekly, monthly, etc. connection time quotas per user or user group and per session type.
    Several time quotas can be defined for a same Protected Account. A different time quota can therefore set for each type of session (workstation, terminal, interactive, Internet Information Services or VPN/RAS).

    You can download a free fully-functional trial from IS Decisions website.

    Hope it will help. Cheers,


    François Amigorena President & CEO IS Decisions (Security Software) http://www.isdecisions.com
    Friday, July 15, 2011 10:11 AM
  • I can't wait for MS to add this feature, so I don't have to see any more advertisements by companies like ISDecisions that require you to buy 50 licenses of software minimum at $10.33 dollars a pop (that's $516.50 MINIMUM) to accomplish something that MS will support naturally. UserLock will be a thing of the past =)


    • Edited by iCeBoX4u Wednesday, June 13, 2012 4:35 PM
    Wednesday, June 13, 2012 4:31 PM
  • I can't wait for MS to add this feature, so I don't have to see any more advertisements by companies like ISDecisions that require you to buy 50 licenses of software minimum at $10.33 dollars a pop (that's $516.50 MINIMUM) to accomplish something that MS will support naturally. UserLock will be a thing of the past =)

    I am deeply sorry that you feel that way about UserLock iCeBoX4u ... I can assure you that our Dev Team makes its best to provide our UserLock customers with a reliable, feature-rich, powerful and easy to use software solution.

    UserLock is not limited to only forcing user logoff after a specified amount of time, it also allows you to:

    - Limit or prevent concurrent logins to your Windows network, based on user, user groups, Organizational Units or session types.
    - Restrict user access to your network with multiple criteria: workstations, time, business hours, and connection type.
    - Follow the session activity on your network in real-time and get detailed, graphical reporting
    - Remotely close or lock user sessions, shutdown workstations, from anywhere using the Web console

    More than 1 million UserLock licenses are in use worldwide by thousands of demanding organizations, including:
    The FBI, DoJ, Barclays Bank, United Nations, TimeWarner, ... as well as hundreds of SMBs and academic institutions.

    IMHO, at $2 to $10 a pop, UserLock gives them a great deal of bang for their buck ...


    François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com


    Wednesday, June 13, 2012 5:23 PM
  • i think you have just hit the nail on the head with your advertisement that the other poster was originally talking about. i have no problem with companies like yourselves exploiting failings within an operating system to make some money, as long as you dont think where the money comes from in the first place.

    The fBI and the United Nations are publically funded entities, Barclays bank are funded by their customers, Time Warner sell to the public and the hundreds of SMB's and academic institutions you quote all get their money from Joe Public - all because the largest software developer in the world, whose operating systems are the most widespread in the world, wont add the simple functionality that your software does.

    This is not an isolated case, we have had to implement 3rd party software to get a common footer to exchange emails.

    I for one will not be purchasing extra software to do this


    Nothing in unfixable - with a suitable sized hammer!

    Wednesday, June 13, 2012 5:40 PM
  •  
    > This is not an isolated case, we have had to implement 3rd party
    > software to get a common footer to exchange emails.
     
    This is what Microsoft calls the "Windows Ecosystem". They are smart
    enough to leave room for others ;-) And this room is required for these
    others to get involved in the Evolution of Microsoft products.
     
    Ever thought why Citrix still is there?
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Thursday, June 14, 2012 7:42 AM
  • Here's a powershell to logoff everyone. Bang. Answered.

    function RemoveSpace([string]$text) { 
        $private:array = $text.Split(" ", `
        [StringSplitOptions]::RemoveEmptyEntries)
        [string]::Join(" ", $array) }

    $quser = quser
    foreach ($sessionString in $quser) {
        $sessionString = RemoveSpace($sessionString)
        $session = $sessionString.split()
       
        if ($session[0].Equals(">nistuke")) {
        continue }
        if ($session[0].Equals("USERNAME")) {
        continue }
        # Use [1] because if the user is disconnected there will be no session ID.
        $result = logoff $session[1] }


    "Give me an army of West Point graduates, I'll win a battle. Give me a handful of Texas Aggies and I'll win a war!" --Gen. George S. Patton, Jr.

    • Proposed as answer by Shadrocks Tuesday, September 25, 2012 5:51 PM
    Tuesday, September 25, 2012 5:51 PM
  • Group policy can do this. Computer Configuration > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

    You have to set 2: Terminate session when time limits are reached & select the other condition (disconnected/active but idle/etc..)


    "Give me an army of West Point graduates, I'll win a battle. Give me a handful of Texas Aggies and I'll win a war!" --Gen. George S. Patton, Jr.

    • Proposed as answer by Shadrocks Tuesday, September 25, 2012 8:36 PM
    Tuesday, September 25, 2012 8:36 PM