GPO Logoff script to reboot not working

Question

  •  

    I have a machine I joined to a domain for which I have set up a Kiosk machine policy to configure settings to lock down the machine. I configured the user settings to be fairly restrictive but only used a minimal amount of computer settings.

    One of the settings is to run a script to reboot the machine in case a user logs off the public domain account. This will ensure the auto-logon kicks in and refreshes the machine to where it was previously.

    According to the Windows SteadyState documentation, I should be able to run a batch file with the command "shutdown -r -t 00" as the logoff script and have the machine reboot itself.
    http://technet.microsoft.com/en-us/library/bb457139.aspx

    My trouble is that whenever I log off with the account I get an error message from the command prompt saying, "The Device is not ready."

    I have also tried to execute a VB Script to use WMI to force a reboot and it reports that it ran correctly and encountered no errors but this also does not work.

    I have also tried using a local admin account and another domain account with admin rights and have not been able to resolve the issue.

    Is there something I am missing like a hotfix or is there a specific policy that I need to set?
    Wednesday, April 30, 2008 11:50 AM

Answers

  •  

    Firstly, since the logoff script is a part of the group policy settings, we need to check whether the issue is related to the Windows system or to SteadyState. In order to perform efficient troubleshooting, I suggest we temporarily disable SteadyState and check if the logoff script works without the error. To do so, let's follow the steps below:

     

    1. Log onto Windows by using the Administrator account or any user account with Administrator privileges.

    2. Click Start and then Run. Type in MSCONFIG and press Enter.

    3. Switch to the Services tab. Clear the check box before "Windows SteadyState Service".

    4. Click OK. Restart the computer to test again.

     

    Let's check if the logoff script works fine with SteadyState disabled.

    Friday, May 2, 2008 3:09 AM
  • OK, so here is the trouble. When the machine runs a logon or logoff script, the context of the script runs under a non-privileged account EVEN IF THE ACCOUNT HAS THE RIGHTS. This means that the account that runs the script will not have any rights, and also cannot access any network resources. There is also a LUA bug in the shutdown.exe command which will not allow unprivileged users to run the command with anything but the logoff option.

     

    The reason for this is that when shutdown.exe executes a logoff it only initiates the SeShutdownPrivilege which, by default, is the only privilege users have. When you initialise shutdown.exe with another command, for instance "/r /f", it initializes the SeRemoteShutdownPrivilege, even if you do not specify a remote computer.

     

    Source:

    http://blogs.msdn.com/aaron_margosis/archive/2006/01/27/518214.aspx

     

    The solution listed there was to grant the "INTERACTIVE" group the remote shutdown privilege. However, I did not wish to do this since the account was to be limited. What I wound up doing was to use an encoded VB Script in the startup script folder which checked for the existence of the SteadyState reboot utility in the %SYSTEMROOT%\System32 folder. If it did not exist then I copied the file over and then placed a shortcut in the all users start menu profile.

     

    In combination I used the GPO to remove the shutdown, logoff and reboot options from the start menu and task manager, so this is the only option that the Kiosk user will have to "Log Off".

     

    These files can either be in the DC's sysvol, or, what I did, was to copy the files to our application share under a new folder and then give ONLY THE COMPUTER ACCOUNT access. This way no users can see the files and interact with them, and the computer account only has read access, so in theory it should be secure. In addition I have software restriction set to restrict all but specified, so I then added the file hash to the GPO so it would be allowed to run.

     

    ::Script Source::

     

    '==========================================================================
    '
    ' VBScript Source File --
    '
    ' NAME: Kiosk Log Off
    '
    ' AUTHOR: Zabilla, Brad
    ' DATE  : 6/1/2008
    '
    ' COMMENT: Copies file and shortcut over to the Kiosk machine to enable the
    ' user to log off which forces a reboot.
    '
    ' Runs as a computer startup script (i.e. as SYSTEM), so the source share
    ' only needs to grant read access to the computer account.
    '==========================================================================
    Option Explicit
    Public Const VBQT = """"
    Public objFSO
    Public objShell
    Public strSource
    Public strAllUsers
    Public strSys32
    Public strFile1
    Public strFile2

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("Wscript.Shell")
    ' Share readable only by the kiosk computer account (see above)
    strSource = "\\Server\PublicShare\WindowsKiosk"
    strFile1 = "ForceLogOff.exe"   ' SteadyState reboot utility
    strFile2 = "LogOff.lnk"        ' shortcut to it, placed in the Start Menu
    strSys32 = objShell.ExpandEnvironmentStrings("%SYSTEMROOT%")
    strSys32 = strSys32 & "\System32"
    ' Use the All Users profile: under a startup script %USERPROFILE% expands
    ' to the SYSTEM profile, not the shared Start Menu described above.
    strAllUsers = objShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
    strAllUsers = strAllUsers & "\Start Menu"

    ' Nothing to do if the share is unreachable (machine off the network)
    If Not objFSO.FolderExists(strSource) Then WScript.Quit 1

    ' Copy the reboot utility once; the hash rule in the SRP GPO allows it to run
    If Not objFSO.FileExists(strSys32 & "\" & strFile1) Then
     objFSO.CopyFile strSource & "\" & strFile1, strSys32 & "\"
    End If

    ' Copy the shortcut into the All Users Start Menu once
    If Not objFSO.FileExists(strAllUsers & "\" & strFile2) Then
     objFSO.CopyFile strSource & "\" & strFile2, strAllUsers & "\"
    End If

     

    ::/Script Source::

     

     

    Now, the other problem I had was about scheduling a reboot and logon hours. Our logon hours here need to be over at 4:30pm but in the AD structure you can only set the logon hours in hourly increments. Not to mention, if I reboot the machine at the end of the day (with a 5 minute warning to the person using the kiosk), it will try to log in and fail, leaving the machine at the CAD screen and disabling the auto login I had set up with the custom GPO I created.

     

    To get around that, I need to run a batch file to call the "at" command to set up a scheduled task to run the shutdown.exe command. I also created a scheduled task on our app server to set the domain logon hours for the Kiosk account using the net user command.

     

    In addition I also added the "SYSTEM" account into the security for "Force shutdown from a remote system". This may or may not enable the logoff script to run the shutdown command but since you can hold the shift key to bypass the auto reboot with the SteadyState exe I decided to leave things set how they were.

     

    ::Kiosk Batch File Source::

    REM :PURGE OLD SCHEDULED TASKS
    AT /D /YES

    REM :REBOOT AT 8:01 SO MACHINE CAN AUTO-LOGIN WHEN LOGON HOURS ALLOW
    REM (job created at 07:56 with a 300 second countdown; skipped if it already exists)
    If Not Exist %SYSTEMROOT%\Tasks\at2.job at 07:56 /every:m,t,w,th,f Shutdown.exe /r /t 300 /f /c "This computer will automatically reboot in 5 minutes for routine maintenance prior to opening for public use. Please be patient while the computer restarts."

    REM :SET A REBOOT WITH A 5 MINUTE WINDOW SO AT 4:30PM THE PC REBOOTS TO THE AUTO LOGON NOT BEING ABLE TO LOG IN
    REM (note: shutdown.exe on Windows XP accepts at most 127 characters for the /c comment)
    If Not Exist %SYSTEMROOT%\Tasks\at4.job at 16:25 /every:m,t,w,th,f Shutdown.exe /r /t 300 /f /c "This computer will automatically reboot in 5 minutes when the Public Kiosk Terminals will close. Please complete your work promptly to avoid inconvenience. Thank you for using the Public Kiosk Terminals."

    ::/Kiosk Batch File Source::

     

     

    These commands were set up on our app server which hosts the Kiosk files and use our domain admin credentials to run on a schedule.

    ::Server Tasks::

    REM :RESET LOGON TIME SO USER CAN USE COMPUTER FROM 4:00 TO 4:30,
    AT 16:25 /every:m,t,w,th,f Net.exe User Kiosk01 /Time:M-F,08:00-17:00 /Domain

    REM :SET LOGON TIME TO BE 4PM, PRIOR TO CURRENT TIME
    AT 16:25 /every:m,t,w,th,f Net.exe User Kiosk01 /Time:M-F,08:00-16:00 /Domain

    ::/Server Tasks::

     

    I ran into a few other issues like clearing out the start menu of everything but the programs I wanted on there which I wound up scripting in a startup script. I hope this helps everyone out as there seems to be zero documentation on this.

    Thursday, June 5, 2008 4:50 PM
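The linked blog post's workaround is to grant INTERACTIVE the remote-shutdown right, which the answer above deliberately avoids. The following PowerShell, added here and not part of the thread, exports the local user-rights assignment with secedit and lists who holds SeShutdownPrivilege and SeRemoteShutdownPrivilege, flagging broad groups so an admin can confirm the kiosk stayed least-privilege. It assumes Windows PowerShell run elevated on the kiosk; the temp file path and the SID table are this example's own.

```powershell
# Added example (not part of the thread): audit who holds the two user rights
# discussed above on the local kiosk. Assumes Windows PowerShell run elevated;
# secedit.exe is built in. The temp path and the SID table are this example's own.
$inf = Join-Path $env:TEMP 'kiosk-rights-audit.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed (run elevated?)' }

# secedit writes UTF-16; the [Privilege Rights] section contains lines like
#   SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
$lines = Get-Content -Path $inf -Encoding Unicode

# Broad principals that should not hold the remote-shutdown right on a kiosk.
# S-1-5-4 is INTERACTIVE, the group the linked blog post suggests granting.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

function Resolve-Sid([string]$sid) {
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # unresolvable (e.g. deleted account): keep the raw SID
}

foreach ($right in 'SeShutdownPrivilege', 'SeRemoteShutdownPrivilege') {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) { "$right : assigned to nobody"; continue }
    # Right-hand side is a comma list of SIDs, each prefixed with '*'
    $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    "$right :"
    foreach ($sid in $sids) {
        $note = ''
        if ($right -eq 'SeRemoteShutdownPrivilege' -and $broad.ContainsKey($sid)) {
            $note = "   <-- broad grant: every member of $($broad[$sid]) can force a reboot"
        }
        "    $(Resolve-Sid $sid) ($sid)$note"
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

With the answer's configuration, SeRemoteShutdownPrivilege should list only Administrators (and SYSTEM, if added as described), never the kiosk user's groups.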

All replies

  • It is actually a group policy related problem. I have been working with the MS Partner forums website however they said I should crosspost here in case anyone else has come up with the same issue and resolved it.

     

    One thing they did provide which was a help was a link regarding the GPO. Apparently only the Startup and Shutdown scripts are run as an Administrator on the machine.

     

    This in turn means that the logoff script does not hold the required privilege to run a logoff, much less force the logoff, EVEN IF the account logged in is an Administrator account.

     

    If you log in with a standard user account and try to run the shutdown command you receive the error "A required privilege is not held by the client."

     

    Well, ok, that is quite interesting and needless to say a bit frustrating. So, for kicks I created a VB Script to open a shell with the "runas" command with the Administrator account and shutdown command and then pass the password from within the file using the objShell.AppActivate and objShell.SendKeys methods.

     

    Well, annoyingly enough this works just fine if I run the VBS as an admin, and the script will run at logoff, however, it still does not reboot the machine. Just wait, it gets better.

     

    If I login as the standard user account and run the script, it reboots the machine just fine! It just will not function under whatever permissions/account the logoff script is running.

     

    Friday, May 2, 2008 7:08 PM
  • Hi,

    Actually I'm having the same issue here!

    I'm implementing a large virtual desktop infrastructure (using Win XP) in combination with SteadyState (2.0).

     

    What I found so far:

    - The shutdown.exe command with the necessary parameters returns "the device is not ready" when you execute it as a logoff script (even as administrator). The command works fine when run while logged on, as admin and also as user (with the remote shutdown permission enabled).

    - All the same with WMI rebooting, so no solution there.

    - The psshutdown.exe tool works fine as admin, while being logged in, AND also as the logoff script. But this tool cannot be run as a user (because it installs a service over and over again).

     

    So far I'm not having a decent solution for this. Putting a logoff script which does a runas is not allowed by the company (governmental company).

     

    So if somebody has a more solid solution ??

     

    Thx !

    Monday, May 5, 2008 10:58 AM
  • I have the same problem here.  I've also tried TSShutDn.exe with no success.  Have you found a fix yet?

    Thursday, June 5, 2008 2:36 PM
  •  

    There is an exe included with the software called forcelogoff; if you run it with /restart, it can be used to restart the machine. Give that a try, it works for me.
    Monday, June 30, 2008 1:44 PM