Allow Administrator to Force User Logoff?

  • Question

  • My organization is using a combination of Windows XP and Windows 7
    workstations in an Active Directory domain.  By policy, we do not permit
    fast user switching; no more than one person may be logged in to a
    workstation at a time.

    We also have a problem of users walking away (distracted by multiple
    tasks or situations requiring immediate response, not deliberate
    abandonment) from the workstation and neglecting to log off.  Education
    is ... less than optimally effective.  We have the system set so that if
    the workstation goes idle, it locks, and requires the user to provide
    their domain credentials to unlock the workstation.

    On the Windows XP workstations, we can also provide an administrator's
    credentials, and this will force the locked user to be logged off,
    losing any open work, but not "crashing" anything.

    On the Windows 7 workstations, we do not appear to have this option; we
    must either have the user unlock the workstation - not always possible -
    or "crash" the workstation (hard power-off and reboot).  This is less
    than entirely satisfactory.  Is there a way to set the Windows 7
    workstations to behave as the Windows XP workstations do, and allow an
    administrator to supply his own credentials to force the locking user to
    be logged off?


    -- Jeff Zeitlin
    Thursday, February 24, 2011 1:42 PM

Answers

  • There is no simple solution for your situation. The easiest thing would be a thin client infrastructure and smart card authentication. But I am also sure this is not what you are looking for, now. As long as users share a computer, there will always be problems. You can use this logoff screensaver for Windows 7 to end sessions that are idle for a certain amount of time.
    Sunday, February 27, 2011 5:06 AM

All replies

  • Offhand the only possible option I would see would work on a stand-alone workstation since you can't use the classic logon in a domain environment.  You can use a "shutdown -L -F" for example "shutdown -m \\%computername% -L -F" to send a logoff command remotely to the workstation in question.

    The GPO you are configuring I am guessing is "Hide entry points for Fast User Switching" The question that comes to mind is what is the reason you are trying to disable fast user switching?  To save resources in case too many users are on one workstation or something else?

    If that is the GPO you are configuring it isn't disabling the functionality, it is simply hiding it from being used, and if there is a security concern with the fast user switching capability I don't think this would necessarily alleviate that.

    • Edited by Poltergheist Thursday, February 24, 2011 3:57 PM added a bit of info
    Thursday, February 24, 2011 3:55 PM
  • Hi,

    Please check whether the following link helps:

    Use the Remote Shutdown Tool to Shutdown, Restart, or Logoff a Local or Networked Computer
    http://maximumpcguides.com/windows-vista/use-the-remote-shutdown-tool-to-shutdown-restart-or-logoff-a-local-or-networked-computer/  

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    If not, please describe your requirements in more detail.

    Thanks.
    Nina


    Friday, February 25, 2011 10:38 AM
  • On Thu, 24 Feb 2011 15:55:51 +0000, Poltergheist wrote:

    > Offhand the only possible option I would see would work on a stand-alone workstation since you can't use the classic logon in a domain environment.  You can use a "shutdown -L -F" for example "shutdown -m \\%computername% -L -F" to send a logoff command remotely to the workstation in question.

    This matches the information in the link that Nina Liu mentioned in the
    message after yours in the thread; however, that link appears to
    indicate that -m and -l cannot be used together - whereas that
    combination, as you suggest above, is exactly what I appear to want.
    Admittedly, the linked article talks about Vista, rather than Windows 7,
    and perhaps it's changed, but...  can anyone verify whether the
    exclusion still holds (I'm on vacation this week, and don't have access
    to an environment to test)?

    > The GPO you are configuring I am guessing is "Hide entry points for Fast User Switching" The question that comes to mind is what is the reason you are trying to disable fast user switching?  To save resources in case too many users are on one workstation or something else?

    The resource issue is the primary issue, yes - user account security is
    a concern, but our own administrative procedures work against us, and
    users do share their credentials.  Again, education is less than
    optimally effective, largely because of our own administrative
    procedures for dealing with forgotten passwords or transferring a user's
    credentials into a different container (and different set of groups for
    policy applications).

    I'm not sure, specifically, what the policy being set is - I'm not
    involved at that level; I'm what Novell used to call a 'workgroup
    administrator' rather than being a server administrator.  I have some
    elevated privileges with respect to administration, but I don't have the
    kind of carte blanche on servers that I essentially do on workstations,
    or that the actual server administrators have on servers.

    > If that is the GPO you are configuring it isn't disabling the functionality, it is simply hiding it from being used, and if there is a security concern with the fast user switching capability I don't think this would necessarily alleviate that.

    Again, I'm not involved at that level - I'm simply trying to work with
    what I'm dealt; and with the policy in place, I'm looking for a way to
    force the workstation user to be logged off by an administrator, in
    preference to crashing the workstation for a reboot.


    -- Jeff Zeitlin
    Sunday, February 27, 2011 2:50 AM
  • in our domain we do not have this symptom. I can logon with my admin_id and then choose to shut down the workstation, forcing out the abandoned user session. both for XP & Win7. but we don't have a need to inhibit "fast user switching" (by which i think you mean something i call exclusive console session).
    Don
    Sunday, February 27, 2011 6:20 AM
  • another thought.. you may be affected by a policy relating to "deny_powerdown_without_logon"? this (in conjunction with other settings) might be leading you to the crash-out-by-poweroff?
    Don
    Sunday, February 27, 2011 6:23 AM
  • You should take a look at UserLock, Jeff.

    Among other features, this 3rd-party solution will allow you to remotely lock or logoff any session (even sessions with local accounts), either from the administration console or the Web interface.

    A fully-functional trial is available here.


    François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com


    Tuesday, March 6, 2012 8:58 AM
  • Hi Jeff.  Did you ever figure out a way to make Win7 mimic the "log on as an admin to force logoff a locked computer" feature (that I love) in Windows XP?  I'm facing the same dilemma right now, and have the same kind of users you do haha.
    Friday, November 23, 2012 3:57 PM
  •  
    > Hi Jeff.  Did you ever figure out a way to make Win7 mimic the "log on
    > as an admin to force logoff a locked computer" feature (that I love)
    > in Windows XP?  I'm facing the same dilemma right now, and have the
    > same kind of users you do haha.
     
    As long as you didn't disable fast user switching, you can always change
    user and logon with your admin, then (through task manager) logoff other
    users. If you disabled user switching, sadly you need to reboot...
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Monday, November 26, 2012 12:43 PM
  • Simply doing a ctrl + alt + del and accessing the users tab in the task manager will not allow you to force logoff a user, as you have found.  However, if you launch task manager by the "run as administrator" option, you can force log them off.

    1. Open command prompt as an administrator.
       Click the start button and click on all programs, then click on accessories, right click on command prompt and click "Run as administrator".

    2. Open task manager and log off the other user.
       Once the command prompt is open type taskmgr and hit enter. This will bring up a task manager in administrator context. Click on the users tab, right click the user that you want to log off and click log off.

    3. Confirm logoff.
       Confirm the logoff at the confirmation screen by clicking on "log off user". Note that the user will lose any work that is not saved if you confirm this log off.

    hope this helps.

    Saturday, May 3, 2014 7:40 PM
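
A command-line counterpart to the elevated Task Manager steps in the last reply, as an added example that is not part of the original thread: it lists the sessions on a workstation with `quser` and logs off a named user's session with `logoff`. It assumes both tools are present on the workstation edition in use, that the caller is an administrator on the target, and that the target accepts remote session queries when `-ComputerName` is not the local machine; the function names, `WS-0142` and `jdoe` are placeholders.

```powershell
# Added example: enumerate sessions and force a logoff from an elevated prompt.
# Assumes quser.exe and logoff.exe exist on this edition of Windows.
function Get-WorkstationSession {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $lines = & quser.exe "/server:$ComputerName" 2>$null
    if (-not $lines) { return }   # nobody is logged on, or the query was refused
    foreach ($line in $lines | Select-Object -Skip 1) {
        # Drop the '>' that marks the caller's own session, then split on column gaps.
        $f = @($line.TrimStart(' ', '>').Trim() -split '\s{2,}')
        # A disconnected session has an empty SESSIONNAME column; pad so indexes line up.
        if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
        if ($f.Count -lt 6) { continue }
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            UserName     = $f[0]
            SessionName  = $f[1]
            Id           = [int]$f[2]
            State        = $f[3]
            IdleTime     = $f[4]
            LogonTime    = $f[5]
        }
    }
}

function Remove-WorkstationSession {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $sessions = @(Get-WorkstationSession -ComputerName $ComputerName |
        Where-Object { $_.UserName -eq $UserName })
    if (-not $sessions) { Write-Warning "No session for $UserName on $ComputerName"; return }
    foreach ($s in $sessions) {
        # Unsaved work in the session is lost, as with Task Manager's "Log off".
        $target = "$($s.UserName) (session $($s.Id), idle $($s.IdleTime)) on $ComputerName"
        if ($PSCmdlet.ShouldProcess($target, 'Log off')) {
            & logoff.exe $s.Id "/server:$ComputerName"
        }
    }
}

# Constructed usage; WS-0142 and jdoe are placeholder names.
# Get-WorkstationSession -ComputerName 'WS-0142'
# Remove-WorkstationSession -ComputerName 'WS-0142' -UserName 'jdoe'
```

Running `Remove-WorkstationSession` with `-WhatIf` shows which session would be ended without touching it.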